When we talk about ‘hacking’ your hardware, we mean unauthorized access and use of the device and data within it. That doesn’t necessarily mean repurposing or improving it - after all, we’re makers here at Adafruit and modifying off the shelf hardware is an engineer’s favorite pastime. So, for example, recycling a Bluetooth step counter into a doggy activity tracker is not hacking - but being able to access, read and modify that same step counter data without permission from the owner would be!

For IoT devices that connect to the internet, there are a few common reasons we see for compromising hardware. The first common type of hack is creating botnets for DDoS (distributed denial of service) attacks. DDoS attacks use several or even thousands of compromised or co-opted computers, also known as ‘bots’, to inundate an online service with coordinated data requests which overwhelm the target and take it offline.

This can be used as part of a revenge scheme, to punish a competitor, or as a protection racket, to demand money in exchange for calling off the attack. It’s popular because there are plenty of software packages to manage botnets, which means it doesn’t require a lot of skill to do.

The Mirai Botnet

As we mentioned earlier, the infamous Mirai malware infected thousands of IoT devices to turn them into a launch platform for DDoS attacks. By automatically hacking into and taking over insecure IoT devices, the Mirai virus quickly spread through thousands of cameras connected to the internet, turning them into bots. Some time later, those bots were wielded in the DDoS attack. Botnet-infected devices will have degraded performance, but are very hard to detect if you don't know what to look for.

With the proliferation of cryptocurrency, some botnets are turned into crypto-farms, where your device is used to mine virtual cash. So far, this has been happening with hacked servers and desktop computers, but we’ll see this more as IoT devices become more powerful - some single board computers are now nearly desktop speed. If one is controlling thousands of them, it can add up. We suppose it’s better than attacking a third party, but that hashing software will make your device slow down, and that could cause support issues when your customers are disappointed with the performance of your IoT product.

Botnet hacks are extremely common, but you’ll also see hacks that attempt to steal personal data - especially passwords and payment information. Without question, you should avoid having any way for your IoT device to interact with money, either sending or receiving, because that will make it a huge target. That goes extra if the money is untraceable, such as cryptocurrency, because it's so easy to launder. Storing and managing credit card data is so incredibly dangerous that it’s beyond the scope of this video. Suffice to say there are whole industries surrounding mandated PCI compliance, and you will need to follow those rules if you want to process credit cards.

Usernames and passwords, if they’re extractable, are valuable on the black market - they’re used to try and log into other services with reused or shared login info, where money or compute resources may be available.

Finally, the user data, say how many steps they took per day, or video from Wi-Fi cameras, may be used to harass or abuse your customers. These sorts of hacks are sometimes one-at-a-time exposures, where a customer is tricked into giving someone their password, but sometimes an entire backend database will be downloaded! Having that data exposed will be devastating to your customers, and once your products are known as untrustworthy, it's extremely hard to regain customer trust. So treat their data as if it were your own - which it kinda is.

Let’s take a closer look at the types of attacks that can be used to compromise IoT devices, so we know what to defend against.

This guide was first published on Dec 04, 2019. It was last updated on Mar 08, 2024.

This page (Why hack your hardware?) was last updated on Mar 08, 2024.
