5 Ways IoT Device Hacks Burn Your Brand
What connects these three scenarios?
- A doll that spies on your children.
- A rogue cardiac monitor that could cause catastrophe.
- A thermometer that unlocks casino riches for ingenious thieves.
Yes, you guessed it: they’re all real-life events caused by IoT device hacks.
And perhaps you’ll be aware that failing to prioritize IoT device security from the initial design stages can cause severe reputational and financial damage to your brand.
Although, you might not quite realize how serious the consequences of IoT device hacking can be.
According to the University of California, Berkeley, a worst-case scenario IoT DDoS (distributed denial of service) attack lasting 50 hours could affect 600,000 devices and result in a total consumer resource cost of $68,146,558.13.
However, you’d be surprised how many brand product teams are blinded by their latest IoT device’s fabulous functionality and fail to guard against the attendant security risks of supercharged connectivity.
This blog post highlights 5 ways IoT hacks can burn your brand.
And how you can launch your pristine product with peace of mind.
If this sounds useful, let’s get started.
1. Heart hacks
As strange as it sounds, hearts can be hacked.
And two of the most notorious IoT device debacles of the past decade prove it.
The 2016 Owlet baby heart monitor hack revealed that the device at that time (a sensor worn in a baby’s sock that monitors the heart, reports irregularities wirelessly to a hub and alerts parents) had security flaws exposing it to misuse.
The problem lay with the unencrypted Wi-Fi network connecting the sensor device to the base station, which could be accessed without authentication. This meant that hackers within range could interfere with the network, monitor babies and even prevent alerts from reaching parents.
The following year, the FDA confirmed that St Jude Medical’s implantable cardiac devices also had inherent vulnerabilities that could allow hackers to access and control them.
No patients were harmed, but considering that the devices were defibrillators and pacemakers used to prevent heart attacks, the possible consequences were devastating.
This particular problem was traced to a flaw that allowed hackers to control the devices by accessing their transmitters.
Simply put, brand reputational damage doesn’t get much worse than these two examples. The Owlet hack potentially put babies in mortal danger and the St Jude Medical device hack might have been fatal for vulnerable patients.
2. Hook, line, & sinker
You’ve heard of phishing. But how about hacking into a high-tech casino through its IoT fish tank?
It might seem reminiscent of a Hollywood heist movie, but this actually happened in 2018, when innovative cyber criminals placed a tampered thermostat in a lobby fish tank of a North American casino and stole 10 gigabytes of data.
The information in question included sensitive personal details from the casino’s high-roller list, and something smelled fishy when the casino system sent suspect data to a remote server in Finland.
This hack was a huge embarrassment for a luxury brand targeting a wealthy clientele expecting discretion and privacy as standard. It might have compromised the personal safety of clients and exemplifies exactly why you shouldn’t gamble with IoT cybersecurity.
3. Not so smart TVs
Over the past couple of years, smart TVs have played an ever more important role in our home lives.
But if you’re developing this type of IoT technology, the hacking vulnerabilities of smart TVs are manifold and might make your target customers switch off forever.
A 2018 investigation by Consumer Reports revealed that millions of Samsung and TCL smart TVs, along with others compatible with the Roku-TV platform, could be infiltrated by anyone with a reasonably rudimentary knowledge of hacking.
The potential consequences?
A hacker could change your channel to something much less wholesome than the latest installment of America’s Got Talent, the TV volume may suddenly rocket to alarming levels, and data collected on your viewing preferences might be freely shared with third parties.
These are hardly the types of benefits any family-friendly tech brand would want to broadcast. A TV suddenly switching to adult material when children are present could expose them to harmful imagery and sudden changes in volume could alarm elderly family members. Further, viewing preference data could be exploited by third parties for commercial gain through marketing or blackmail.
4. Spy dolls
It’s not often that a kid’s doll is officially characterized as ‘illegal espionage apparatus’ by a government security agency.
But in 2017, that’s the fate that befell Cayla, a blonde poppet the German Bundesnetzagentur (Federal Network Agency overseeing communication) warned had dangerous security flaws.
The interactive IoT doll’s main ‘fun feature’ was searching the internet to answer any question a child asked. But by accessing its Wi-Fi, hackers could use its cameras and microphones illegally, steal ID information and potentially communicate directly with children, exposing them to untold dangers.
The Federal Network Agency went as far as urging parents to destroy the doll and this sorry tale takes brand nightmares to a new dimension.
Any child’s doll that could steal ID information from household members and potentially expose children to direct contact with strangers over the internet is poison for a brand. Imagine trying to market these ‘benefits’.
5. Open Circuit TV
Last but not least comes 2016’s massive Mirai Botnet (Dyn) attack.
In this highly orchestrated DDoS attack, the Mirai Botnet (a group of IoT devices captured and remote-controlled through malware) affected at least 150,000 devices (some reports say up to 400,000), with a particular focus on CCTV systems.
Mirai spread like wildfire because it triggered infected devices to continually search the net for vulnerable IoT devices, using default passwords to log in. And huge swathes of iconic internet real estate disappeared into the ether, including the likes of Netflix, CNN, and Twitter.
The incident is a stark warning that businesses should improve their security by changing default passwords as standard practice, using one-of-a-kind passwords for every single IoT device, and ensuring devices are protected by the latest firmware and software updates.
Users may ultimately be responsible for following best practice on passwords and updates, but if IoT brands make these measures mandatory, it could help prevent this type of cyber catastrophe.
Finding out that vulnerabilities in an IoT device designed by your brand contributed to one of the largest cyber attacks in history is a marketing nightmare of global proportions. The responsibility might be shared collectively, but it’s a heavy brand burden nonetheless.
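As an added example of the mandatory-change policy described above (illustrative code, not Firedome’s or any vendor’s firmware), the class below models a first-boot credential gate: each unit ships with a unique factory password, network services stay disabled until the owner replaces it, replacements matching known defaults or the unit’s own serial are refused, and repeated failed logins trigger a lockout. The class name, the constructed default list and the thresholds are assumptions.

```python
"""First-boot credential gate for an IoT device (added example, not Firedome's code).
Assumed policy: unique factory password per unit, services off until it is replaced."""
import hashlib
import hmac
import os
import secrets
import time

# Constructed list of factory-default passwords the gate must refuse.
KNOWN_DEFAULTS = {"admin", "password", "root", "1234", "12345", "123456"}

class DeviceCredentialGate:
    def __init__(self, serial, lockout_after=5, lockout_seconds=60.0):
        self.serial = serial
        self.factory_password = secrets.token_urlsafe(9)  # unique per unit
        self._salt = os.urandom(16)
        self._hash = self._hash_pw(self.factory_password)
        self.password_changed = False  # stays False until set_password succeeds
        self.lockout_after, self.lockout_seconds = lockout_after, lockout_seconds
        self.failed, self.locked_until = 0, 0.0

    def _hash_pw(self, pw):  # salted PBKDF2: a dumped flash image reveals no password
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, 100_000)

    def verify(self, pw, now=None):
        """Check a login; count failures and lock out brute-force attempts."""
        now = time.monotonic() if now is None else now
        if now < self.locked_until:
            return False
        if hmac.compare_digest(self._hash, self._hash_pw(pw)):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= self.lockout_after:
            self.locked_until, self.failed = now + self.lockout_seconds, 0
        return False

    def policy_error(self, new_pw):
        """Return why a replacement password is rejected, or None if acceptable."""
        if new_pw.lower() in KNOWN_DEFAULTS:
            return "known factory default"
        if new_pw == self.factory_password or self.serial.lower() in new_pw.lower():
            return "reuses the unit's factory password or serial number"
        return None if len(new_pw) >= 12 else "shorter than 12 characters"

    def set_password(self, current_pw, new_pw):
        """Replace the password; only a successful change unblocks network services."""
        if not self.verify(current_pw) or self.policy_error(new_pw):
            return False
        self._hash, self.password_changed = self._hash_pw(new_pw), True
        return True
```

Wiring `password_changed` into the firmware’s service start-up is what makes the change mandatory rather than advisory.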
Don’t be fooled that the types of IoT device hacks we’ve highlighted have been consigned to the history books.
Hacking remains a live threat and it often feels like cyber criminals upskill more rapidly than cybersecurity evolves to foil their plans.
But these key takeaways might help you avoid falling foul of hackers as you bring your IoT device to market:
- The conditions that cause ineffective IoT security can be cultural as well as technical.
First, you can mitigate mistakes with smart moves like not rushing out a Minimum Viable Product (MVP), where your device is created and released rapidly with security as a low priority.
Second, as discussed, be aware that your customer can be your weakest cyber-security link. So don’t rely on them being as security conscious as you are, and make requirements like changing default passwords mandatory.
Third, choose your business partners wisely, because your uber-secure product might be compromised by a manufacturing or logistics partner who is asleep at the wheel.
- Implement proactive, holistic cybersecurity in all of your IoT devices.
Mainstream Security by Design (SBD) means that cybersecurity is prioritized in your device from its very inception and all aspects of its features, functionality and benefits are developed in tandem, minimizing the potential attack surface area.
But in a digital world plagued by ever-evolving cyber attacks, SBD is no longer enough. This traditional design philosophy must be updated with a robust, proactive, 24/7 cybersecurity solution like Firedome. It future-proofs your defenses by perpetually monitoring CPU and memory consumption for signs of DDoS attacks and constantly tracking device traffic, domains, and IPs to block brute-force attacks.
- Make sure that Cyber-as-a-Feature (CaaF) is central to your brand value proposition.
Perhaps your IoT brand marketing focuses on functionality, style and connectivity?
But build cybersecurity into your brand identity and you’ll simultaneously assuage customer fears about privacy, thus creating powerful and persuasive messaging.
Promoting IoT devices that make customers’ lives easier AND are super-safe is a brilliant benefits message which fosters customer trust and loyalty.
At Firedome, we can make sure that you’re as good as your word. Cyber-as-a-Feature is crucial to our core mission, a message that customers hear loud and clear when they’re deciding whether to spend cash with you or your competitors.
Thanks for joining us on this journey through IoT device hacking and its insidious impact on brands.
Your IoT device should make people’s lives easier and generate profits for your business.
But customer privacy and safety could be a shining beacon that sets your brand apart.
If you’re ready for end-to-end 24/7 product security for your IoT device, let’s chat soon!