Smart robotic vacuum cleaners and other smart home devices are easily hacked and used to record your passwords or seed phrase.
Article by: Felix Ng
Article source: TechFlow TechFlow
Imagine waking up one morning to find your robot vacuum malfunctioning, your refrigerator demanding a ransom, and your cryptocurrency and bank account funds wiped out.
This is not a scene from Stephen King's 1986 horror film, Maximum Overdrive, which tells the story of a wandering comet that triggers a global machine-killing frenzy.
Conversely, consider the real risks that could arise if hackers compromise your computer through smart devices in your home. With the number of Internet of Things (IoT) devices worldwide projected to reach 18.8 billion, and an average of approximately 820,000 IoT attacks occurring daily, the likelihood of such a scenario is increasing.
“Insecure IoT devices (such as routers) can become entry points for intrusions into home networks,” said Tao Pan, a researcher at blockchain security company Beosin, in an interview.
As of 2023, the average American household owned 21 connected devices, and one-third of smart home device consumers had experienced data breaches or scams in the past 12 months.
“Once compromised, attackers can move laterally to access connected devices, including computers or phones used for cryptocurrency trading, and can also capture login credentials between the device and the exchange. This is especially dangerous for users who use APIs for cryptocurrency trading,” he added.
So, what information can hackers actually steal from your home, and what damage can they cause?
Magazine has compiled some of the most bizarre hacking incidents of the past few years, including a case where access control sensors were compromised to mine cryptocurrency. We've also compiled some practical tips for protecting data and cryptocurrency security.
Invading the coffee machine
In 2019, Martin Hron, a researcher at the cybersecurity company Avast, demonstrated how hackers could easily access home networks and their devices.
He chose a simple target: remotely hacking into his own coffee machine.
Hron explained that, like most smart devices, the coffee machine has default settings that allow it to connect to Wi-Fi without a password, making it easy to upload malicious code into the machine.
“Many IoT devices initially connect to the home network via their own Wi-Fi network, which is used solely for device setup. Ideally, consumers would immediately password-protect that Wi-Fi network,” Hron explained.
“But many devices don’t come with a password to protect the WiFi network, and many consumers don’t set one either,” he added.
“I can do whatever I want because I can replace the firmware, which is the software that operates the coffee machine. And I can replace it with anything I want. I can add features, remove features, and even break the built-in security measures. So, I can do whatever I want,” he said in a video posted on Avast.
In his demonstration, Hron displayed a ransom note through a coffee machine, indicating that the device was locked and unusable unless a ransom was paid.
However, besides displaying ransom notes, coffee machines can also be used to perform more malicious acts, such as turning on the heater to create a fire hazard or spraying boiling water to threaten victims.
Even more frightening is that it could quietly become an entry point into the entire network, allowing hackers to monitor your bank account information, emails, and even encrypted seed phrase.
Hacking into casino fish tanks
One of the most famous cases occurred in 2017 when hackers, through a well-known incident, transferred 10GB of data by hacking into a networked fish tank in the lobby of a Las Vegas casino.
The fish tank was equipped with sensors for regulating temperature, feeding, and cleaning; these sensors were connected to a computer on the casino's network. Hackers used the fish tank to access other areas of the network and send data to a remote server in Finland.
Despite the casino having deployed standard firewalls and antivirus software, the attack was still successful. Fortunately, the attack was quickly identified and dealt with.
Nicole Eagan, CEO of cybersecurity firm Darktrace, told the BBC at the time: “We blocked it immediately without causing any damage.” She added that the ever-increasing number of internet-connected devices meant that “it’s a hacker’s paradise.”
Door sensors can also be used for clandestine mining.
In 2020, amidst offices closed due to the COVID-19 pandemic around the world, cybersecurity firm Darktrace uncovered a clandestine cryptocurrency mining operation—hackers were using servers controlling office biometric access to conduct illegal mining.
The incident was triggered by a server downloading a suspicious executable file from an external IP address that had never appeared on the network before. Subsequently, the server repeatedly connected to external endpoints associated with a Monero mining pool.
This type of attack is known as "cryptojacking," and Microsoft's threat intelligence team discovered more cases of this type of attack in 2023, with hackers targeting Linux systems and smart devices connected to the internet.
A Microsoft investigation has revealed that attackers launch attacks by brute-forcing Linux and IoT devices connected to the internet. Once on the network, they install backdoors, then download and run cryptocurrency mining malware. This not only causes electricity bills to skyrocket but also transfers all mining profits directly to the hackers' wallets.
Cases of this kind of cryptojacking are emerging one after another, with one recent case involving embedding cryptojacking code into a fake 404 HTML page.
Hacking into Smart Devices: Destroying the Power Grid
Even more alarming, security researchers at Princeton University have proposed a hypothesis: if hackers could control enough high-energy-consuming devices, such as 210,000 air conditioners, and turn them on simultaneously, it could cause a sudden power outage equivalent to the population of California—approximately 38 million people.
These devices need to be concentrated on a specific section of the power grid and simultaneously activated, causing current overload on certain power lines. This damages or triggers protective relays on those lines, causing them to shut down. The load is then shifted to the remaining lines, further increasing pressure on the grid and ultimately triggering a chain reaction.
However, this requires precise timing of malicious attacks, as power grid fluctuations are common during extreme weather events such as heat waves.
The robot vacuum is watching you.
Last year, robotic vacuum cleaners in many parts of the United States suddenly started turning on their own. It turned out that hackers had discovered a serious security vulnerability in an Ecovac robotic vacuum cleaner made in China.
According to reports, hackers can remotely control these devices to scare pets, shout profanities at users through built-in speakers, and even use built-in cameras to spy on users' home environments.
“A serious problem with IoT devices is that many manufacturers still don’t pay enough attention to security,” said cybersecurity firm Kaspersky.
It is obvious that if hackers obtain video footage of you entering your password or recording seed phrase, the consequences would be unimaginable.
How can I protect myself from hackers targeting smart devices?
Looking around, you might find that almost every device in your home is connected to the internet—a robot vacuum, a digital photo frame, a doorbell camera. So how can you keep your Bitcoin safe?
One option is to adopt the approach of professional hacker Joe Grand: completely avoid using any smart devices.
“My phone is the smartest device in the house, but even so, I’m reluctant to use it, just for navigation and communicating with my family,” he once told Magazine. “But smart devices? Absolutely not.”
Avast's Hron suggests that the best approach is to ensure that smart devices have passwords and avoid using default settings.
Other experts recommend using a separate guest network for IoT devices, especially those that do not need to share a network with computers and mobile phones; disconnecting devices when not in use; and keeping the software up-to-date.
In addition, there is a paid online search engine that can help users check their home's connected devices and potential vulnerabilities.
