Some clever hackers found new ways to use the smart devices surrounding us, according to a report published last week by UK-based cyber-defense company Darktrace.
The report, entitled the Darktrace Global Threat Report 2017, contains nine case studies from hacks investigated by Darktrace, among which two detail cyber-incidents caused by IoT devices.
In one of these case studies, Darktrace experts reveal how an unknown hacker had hijacked the smart drawing pads used at an architectural firm to carry out DDoS attacks as part of an IoT botnet.
The hacker had used the default login credentials that came with the design pad software to take over the devices, which the architectural firm had connected to its internal WiFi network, and was exposing to external connections.
"An attacker scanning the internet identified the vulnerable smart drawing pads and exploited them to send vast volumes of data to many websites around the world owned by entertainment companies, design companies, and government bodies," the report reads. "Involvement in the attack could have legal implications for the firm had their infrastructure been responsible for damaging another network."
Another case where attackers leveraged a smart device was at a North American casino. Darktrace says that an unknown hacker had managed to take over a smart fish tank the casino had installed at its premises for the enjoyment of its guests.
In spite of the fact that the fish tank was installed on its own VPN, isolated from the rest of the casino's network, the hacker managed to break through to the mainframe and steal data from the organization.
"The data was being transferred to a device in Finland," says Darktrace. "No other company device had communicated with this external location."
"No other company device was sending a comparable amount of outbound data," experts added. "Communications took place on a protocol normally associated with audio and video."
In total, the hacker managed to steal over 10GB of data by siphoning it off via the IoT fish tank.
Other hacking scenarios detailed in the Darktrace report include the case of a US insurance company who had its servers hijacked by a cryptocurrency miner, and several cases of insider threats, companies hacked by former or current employees.
Image credits: Darktrace