A large number of IoT devices still suffer from lax security.
The results of the DEF CON hacking contest are in and the news is dismal for the IoT. Contestants found 47 new IoT security flaws across 23 products from 21 different manufacturers. IoT security woes are nothing new, but the results of IoT hacking show that things are getting worse, not better.
“The Internet of Things will allow for attacks we can’t even imagine,” wrote prolific tech and security researcher Bruce Schneier. “The next president will probably be forced to deal with a large-scale internet disaster.”
The contest revealed several smart lock brands that are highly vulnerable to password sniffing and replay attacks, and one that allowed a hacker to convert guest access into permanent admin access.
Thermostats also made headlines again, with yet another one found to be transmitting data, including passwords and usernames, in plain text. This would make it easy for a hacker to take control of the home’s climate control remotely. That sounds harmless, but imagine if a hacker were able to install ransomware on it that turned the furnace on and off every few minutes until the user paid. If they didn’t, their heating system could suffer severe (and very costly) damage.
Solar energy management was another hot spot. Several security flaws were found in a solar array management device, including a wide-open access point, a command injection flaw, and no network segmentation. According to Computerworld, if a hacker exploited such vulnerabilities, they could shut down a mid-size power plant and cause physical damage to the array.
Even wheelchairs had issues. One particular type of smart wheelchair had vulnerabilities that could allow a hacker to remotely disable safety features or even take control of the chair.