Porn parking, livid lockers and botched blenders: The nightmare IoT world come true
Darktrace claims to have seen the future – and it's awful
Some time in the near future, you may go to a parking kiosk and rather than be presented with a $5 fee request, get confronted with low-res porn images.
Likewise that locker at the gym may be used to send your bank account details to cybercriminals. And even your blender could be spying on you.
That is the nightmare internet-of-things world that security researchers Darktrace claim to have already uncovered, according to a whitepaper published this week.
In a 12-page summary seen by El Reg, the biz lists a series of attacks on small-scale devices that it claims to have identified and stamped out. Hackers apparently then tried to use these attacks to leapfrog into corporate networks where valuable data may exist.
The most amusing incident is a parking kiosk that Darktrace says was hacked and then connected to an adult content website. The company says that none of the images actually appeared on the screen and seems confused as to what the reason for the hack was in the first place (we're willing to bet the answer is not more complicated than: because we can).
But dumb devices do represent potentially serious threats. The report details another incident where hackers connected to a range of internet-connected devices on a food assembly line – including blenders and slicers – in an effort to connect to the broader corporate network.
They were also apparently unsuccessful in that effort - Darktrace says thanks to its artificial intelligence software identifying the threat - but the story does detail the dangers that exist in a digital world where everything connects to the internet. It only takes a line manager to buy and plug in a new piece of kit and then type in the office's wireless password for a security hole to be opened up.
Internet of shit
As we have outlined in long and tedious detail in the past, companies that put out IoT devices or shove internet connections into updated product lines rarely consider security requirements and even more rarely update the firmware and software to keep up to date with security reports.
Such products are rarely updated, leaving potential security holes in place for years. And even if a manufacturer does allow software updates over the air, unless they lock that process down too, they risk making it easy for hackers to get into a system.
The report has another fun example: personal storage lockers at an "amusement park in North America." In this case, the smart lockers work with a third-party online platform that employees used to enter access codes. But hackers got into the system and used the locker codes to enter the third party's system and steal data.
The report notes a gigabyte of data was sent out of the network that "could have included identifying details or sensitive credentials" and "had the potential to be transmitted over the internet entirely unprotected - giving the attackers ability to intercept the connections and use the information to breach the company's network defenses."
There are a range of other examples given in the report, all of which come with happy endings thanks to Darktrace's wonderful products and which are notable by the fact that the details are basically catnip for journalists like us who love a porn-on-the-kiosk tale. But there is a good underlying point: companies need to think a lot more strategically about their networks.
With the prevalence of devices that connect to the internet and the fact that, out of necessity, a large number of employees have access to wireless passwords, it is crucial that sysadmins keep an eye on what is going on with their networks in case hackers find an effective backdoor.
There is no shortage of possible solutions of course. This report basically says it's time to push that meeting with senior management to look at buying some additional monitoring software. And what better than an amusing and worrying tale to bring it home to the suits? ®