
Smart AND Secured? Think Again.

  • Writer: Yoel Frischoff
  • May 16
  • 7 min read

Updated: Jun 30

Part 1: Threats

[Image: a safe combination lock. Caption: Have the code? Are you the only one?]

Smart tangibles present enhanced utility, but also increased security, privacy and safety challenges.

How susceptible smart tangibles are to both edges of this blade is not yet fully understood. The question sits at the core of differentiation for companies like Apple, and is conversely weaponized - rightfully or not - by governments in their trade wars.


Table of Contents


  • Introduction

  • A Brief Introduction: The OSI Model

  • Cybersecurity and the OSI Model

  • OSI Model Adaptation to IoT

  • Notorious Smart Products Cyber Attacks

  • Further Reading

What Seems to be the Trouble?


A brief introduction: The OSI Model

The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes the functions of a telecommunication or computing system into several abstract layers, where each serves specific tasks and communicates with its adjacent layers, enabling interoperable network communication across heterogeneous systems.


[Image: OSI model diagram (ISO 35.100). Caption: OSI Model (Adapted)]

Developed in the late 1970s, this model was specifically adapted to client-server computer networks, and it proved suitable for the internet era: the reality of widespread personal computers connecting to remote servers, and later to cloud services.


Cybersecurity and the OSI Model


The layered structure of the OSI model also serves as a useful framework for understanding cybersecurity risks.


Each layer - from physical hardware to application logic - can be a vector for attack, and mitigation strategies are often layered accordingly, from firewalling at the network level to authentication and encryption at the application layer.


[Image: Common security threats by OSI layer. Source: Infosectrain]


OSI Model Adaptation to IoT


The Internet of Things (IoT) category of products introduces added complexity, as diversified hardware, connectivity and interaction layers enter the picture. This is captured in a slightly different OSI model, showing how devices, network infrastructure, protocols and visualization tools interact in a layered stack - from raw hardware at the bottom to user-facing applications at the top.

[Image: IoT adaptation of the OSI model, by Paul Refalo]

Crucially, the IoT paradigm demands special attention to the hardware layer, which covers a vast variety of use cases, and to the application layer, which is now split between the edge device and the web:

  • Inputs (keyboards and mice give way to other input devices)

  • Outputs (Screens vary wildly or are missing altogether)

  • Energy supply (the default AC mains give way to PoE, batteries, solar...)

  • Sensors and actuators (to some extent, the core purpose of this whole category)

  • Application (split between the device, the cloud, and web interface)


[Image: Expanded layers of OSI for smart tangibles]

Smart and (not) Secured: New Structures - New Threats


Looking at smart and IoT products and their version of the OSI structure, it becomes clear that unique vulnerabilities emerge in the many embodiments of the physical layer, as well as in the extension of the stack to the cloud and beyond.


Examples of cyber attack vectors, by layer:


  • Physical Layer:

    Tampering, side-channel attacks, sensor spoofing, power supply manipulation (battery draining, over-voltage), environmental sabotage (e.g., heat or vibration).


    BrickerBot

    • What happened: Malware known as BrickerBot forcibly disabled (“bricked”) IoT devices. It targeted poorly secured devices at the firmware/hardware level, executing malicious commands that destroyed storage and cut network access - aligning with physical-layer sabotage.


    • Smart elements exploited: open Telnet services and weak/default credentials.


    • Impact: More than 2 million devices were bricked before it faded away in late 2017.


  • Data Link:

    Eavesdropping on unencrypted RF signals (e.g., BLE, Zigbee), MAC spoofing, jamming, replay attacks over local wireless protocols.


    Tesla Keyless Entry App Hijack (2016-2024)

    [Image: Tesla keyless phone app. Source: Taslem]
    • What happened: Security researchers exploited flaws in Tesla’s keyless entry system via the app’s Bluetooth Low Energy (BLE) connection. Using a relay attack, they tricked the vehicle into thinking the authorized phone was nearby and gained unauthorized access.


    • Smart elements exploited: BLE signal relay was used to trick the vehicle into unlocking, targeting weaknesses in BLE communication (MAC spoofing, signal replay).


    • Impact: Demonstrated how over-the-air convenience features can become physical vulnerabilities.

    Flaws in Smart Locks (Various, 2016–2020)

    • What happened: Bluetooth sniffing and weak BLE protocols exposed device control, a data-link-level failure.

    • Smart elements exploited: BLE communication, cloud management interfaces, firmware updates.

    • Impact: Erosion of consumer trust in smart home security products.


    Coffee Shop MAC Spoofing

    • What happened: Owners learned from their Internet Service Provider (ISP) that the spoofers were using the coffee shop's network to run Nmap scans.

    • Smart elements exploited: the coffee shop's open network. Nmap scanning is a way to look for open ports on a network and gather information about the devices connected to it.


  • Network Layer:

    Address spoofing (e.g., IPv6-related), insecure mesh routing, location tracking via IP leaks, exposure from gateway misconfiguration.


    VPNFilter Botnet

    The VPNFilter malware infected over 500,000 home routers and NAS devices around the world. It could intercept and alter network traffic - corrupting packet routing and enabling espionage, with capabilities including address spoofing and network misconfiguration.


  • Transport Layer:

    Exploitation of lightweight protocols (e.g., CoAP, MQTT) with limited handshake/authentication, man-in-the-middle (MITM) attacks on UDP-based communication.


    CoAP Amplification Attacks


    Research has revealed that IoT devices using CoAP (a UDP‑based protocol) can be weaponized for reflected DDoS. Attackers send tiny spoofed CoAP requests that trigger amplified responses, overloading targets - an exploit at the transport layer. CoAP-based DDoS attacks can involve tens to hundreds of thousands of compromised IoT devices, drawn from a global pool of over 580,000 known vulnerable endpoints. These attacks generate highly amplified traffic, often reaching volumes of several hundred gigabits per second. The resulting financial impact is comparable to other large-scale DDoS incidents, with potential losses exceeding $200,000 per attack depending on the target and duration.
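The reflection pattern described above is visible from the reflector's own network edge: a single claimed source address receives many responses that are tens of times larger than the requests that triggered them, from several local CoAP devices at once. The following is an added example, not code from the original article; it spots that pattern over constructed flow records (the record layout and addresses are assumptions made for the illustration, and the only real constant is the standard CoAP UDP port).

```python
"""Reflection/amplification spotting over constructed CoAP flow records.

Added example, not code from the original article. The flow records and
their field layout are constructed for this illustration; the only real
constant is the standard CoAP UDP port, 5683.
"""
from collections import defaultdict

COAP_PORT = 5683  # default CoAP port (RFC 7252)


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the claimed source per byte the sender spent."""
    if request_bytes <= 0:
        return float("inf")
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_factor=10.0, min_requests=20):
    """Return {claimed_source_ip: (requests, avg_factor, reflectors)}.

    flows: iterable of (src_ip, dst_ip, dst_port, request_bytes, response_bytes),
    one record per request/response pair seen at the network edge where the
    CoAP devices live. In a reflected DDoS the 'source' address is forged to
    be the victim, so a source that receives many highly amplified responses
    from several local CoAP endpoints is the victim, not a misbehaving client.
    """
    stats = defaultdict(lambda: {"n": 0, "factor_sum": 0.0, "reflectors": set()})
    for src_ip, dst_ip, dst_port, req_bytes, resp_bytes in flows:
        if dst_port != COAP_PORT:
            continue
        entry = stats[src_ip]
        entry["n"] += 1
        entry["factor_sum"] += amplification_factor(req_bytes, resp_bytes)
        entry["reflectors"].add(dst_ip)

    victims = {}
    for src_ip, entry in stats.items():
        avg = entry["factor_sum"] / entry["n"]
        if entry["n"] >= min_requests and avg >= min_factor:
            victims[src_ip] = (entry["n"], round(avg, 1), sorted(entry["reflectors"]))
    return victims


# Constructed sample: one ordinary client, and one forged source address
# (203.0.113.9, from a documentation range) that "sends" 21-byte requests
# each drawing a 2000-byte response from two local CoAP devices.
SAMPLE_FLOWS = [("10.0.0.5", "10.0.0.20", COAP_PORT, 60, 150)]
SAMPLE_FLOWS += [("203.0.113.9", "10.0.0.20", COAP_PORT, 21, 2000)] * 50
SAMPLE_FLOWS += [("203.0.113.9", "10.0.0.21", COAP_PORT, 21, 2000)] * 50

if __name__ == "__main__":
    for victim, (n, factor, reflectors) in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {n} amplified responses, avg x{factor}, via {reflectors}")
```

The two thresholds are the knobs a network operator tunes: a handful of large responses to one address is normal CoAP use, while a hundred responses at an average factor near 95 is the signature of someone else's DDoS being bounced off your devices. Rate-limiting responses per destination and dropping requests whose source address cannot belong to the local network address both follow directly from this view.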



  • Session Layer:

    Session hijacking due to weak or absent session management in embedded systems, protocol downgrade attacks.

    FireSheep / DroidSheep

    Tools like FireSheep (for desktop) and DroidSheep (on Android) captured session cookies over unsecured Wi‑Fi, allowing attackers to hijack logged-in sessions. This is a textbook session hijacking attack at the session layer. Launched in October 2010, FireSheep was downloaded by approximately 200,000 users worldwide soon after release. Each person using it could target dozens of devices on the same network in public hotspots.
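What made FireSheep-style capture work was the cookie itself: a session cookie set without the Secure attribute is sent over plain HTTP, where anyone on the same hotspot can read and replay it. The following is an added example, not code from the original article; it audits Set-Cookie headers for the attributes that close that gap. The sample headers are constructed, and the name fragments used to recognise session cookies are an assumption made for the illustration.

```python
"""Session-cookie hygiene audit: the gap FireSheep-style sniffing relied on.

Added example, not code from the original article. The Set-Cookie headers
below are constructed, and the name hints used to spot session cookies are
an assumption for this illustration.
"""

# Name fragments that usually mark a session or auth cookie (assumption).
SESSION_NAME_HINTS = ("sess", "sid", "token", "auth")


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def looks_like_session_cookie(name):
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header):
    """Return a list of findings; an empty list means the cookie is set safely.

    'Secure' is the attribute that matters for shared Wi-Fi sniffing: without it
    the browser sends the cookie over plain HTTP, where anyone on the same
    hotspot can copy it and replay the logged-in session.
    """
    name, _value, attrs = parse_set_cookie(header)
    if not looks_like_session_cookie(name):
        return []
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP, readable by a sniffer on the same network")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True or samesite.lower() == "none":
        findings.append("SameSite absent or None: attached to cross-site requests")
    return findings


def audit_headers(headers):
    """Map each Set-Cookie header to its findings."""
    return {h: audit_set_cookie(h) for h in headers}


# Constructed sample headers as three different servers might emit them.
SAMPLE_HEADERS = [
    "sessionid=7f3a9c; Path=/",                                   # the 2010 default
    "sessionid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax",   # hardened
    "theme=dark; Path=/; Max-Age=31536000",                       # not a session cookie
]

if __name__ == "__main__":
    for header, findings in audit_headers(SAMPLE_HEADERS).items():
        print(header, "->", findings or "ok")
```

Run against a site's responses, the first header is exactly the 2010 situation the tools exploited; the second is what the mitigation looks like once the site is served over HTTPS end to end. The check is also cheap enough to run in a CI test against a staging server's login response.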



  • Presentation:

    Malformed data injection in minimal-format environments, encoding exploits in constrained parsing modules.


    Ping of Death

    Although not strictly IoT-specific, the ping-of-death attack sends oversized ICMP packets that overflow buffer-handling routines in networking stacks. It exemplifies malformed-packet attacks - presentation-layer exploits.
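The defect behind ping of death is arithmetic that was never checked: an IPv4 datagram can be at most 65535 bytes, but a final fragment whose offset plus length lands past that limit makes a trusting reassembler write past its buffer. The following is an added example, not code from the original article; it models the bounds check a reassembler needs, with constructed fragment sets (offset in 8-byte units, payload length, more-fragments flag, mirroring the IPv4 header fields). It is a simplified model, not any particular stack's code.

```python
"""Bounds check for IPv4 fragment reassembly, the defect class behind ping of death.

Added example, not code from the original article. Fragments are constructed
(offset in 8-byte units, payload length, more-fragments flag), mirroring the
fields of the IPv4 header; the reassembly logic is a simplified model, not any
particular stack's code.
"""
MAX_DATAGRAM = 65535  # IPv4 total length is a 16-bit field, so nothing legitimate is larger


class MalformedDatagram(ValueError):
    """Raised when the fragment set cannot describe a valid datagram."""


def validate_fragments(fragments):
    """Return the reassembled length, or raise MalformedDatagram.

    The ping-of-death case is a final fragment whose offset*8 + length lands
    past 65535: a reassembler that trusts the arithmetic and copies into a
    65535-byte buffer overruns it. Overlaps and duplicate final fragments are
    rejected for the same reason: they are inputs no sane sender produces.
    """
    covered = []  # (start, stop) byte ranges already accepted
    end = 0
    seen_last = False
    for offset_units, length, more_fragments in fragments:
        if length <= 0:
            raise MalformedDatagram("empty fragment")
        start = offset_units * 8
        stop = start + length
        if stop > MAX_DATAGRAM:
            raise MalformedDatagram(f"fragment ends at byte {stop}, beyond {MAX_DATAGRAM}")
        for s, e in covered:
            if start < e and s < stop:
                raise MalformedDatagram(f"fragment [{start},{stop}) overlaps [{s},{e})")
        covered.append((start, stop))
        if not more_fragments:
            if seen_last:
                raise MalformedDatagram("second final fragment")
            seen_last = True
        end = max(end, stop)
    if not seen_last:
        raise MalformedDatagram("final fragment missing")
    return end


def is_well_formed(fragments):
    """Boolean wrapper for callers that only need accept/drop."""
    try:
        validate_fragments(fragments)
        return True
    except MalformedDatagram:
        return False


# Constructed samples: a normal 2960-byte ping split into two 1480-byte
# fragments, and the classic oversize pattern, a last fragment at offset
# 8189 units (65512 bytes) carrying 40 bytes and so ending at 65552.
NORMAL_PING = [(0, 1480, True), (185, 1480, False)]
OVERSIZE_PING = [(0, 1480, True), (8189, 40, False)]

if __name__ == "__main__":
    print("normal:", validate_fragments(NORMAL_PING))
    print("oversize accepted:", is_well_formed(OVERSIZE_PING))
```

The point for constrained devices is that the check costs a comparison per fragment, while the missing check costs the whole device; the same shape of guard (compute the end, compare against the field's maximum before copying) applies to any length-prefixed format a minimal parser ingests.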

  • Application:

    Unauthorized remote control, firmware over-the-air (FOTA) hijacking, malicious update injection, insecure API endpoints, data leakage from sensor payloads.

    It seems that this layer is more vulnerable than the others, or at least that attacks on it are easier to detect.

    Some notorious cases:


    St. Jude Medical (Abbott) Pacemaker Vulnerabilities (2017)

[Image: Pacemaker by Abbott. Caption: Hacked: Pacemaker by Abbott]

Security researchers, followed by confirmation from the FDA, revealed that St. Jude's pacemakers and defibrillators were vulnerable to remote hacking through their wireless telemetry systems. The core vulnerabilities lay in the firmware update mechanisms and remote monitoring features, which exposed insecure APIs and allowed unauthorized remote control. As a result, a major recall affecting over 400,000 devices was issued, accompanied by a public awareness campaign.


Jeep Cherokee Hack by Charlie Miller and Chris Valasek (2015)

[Image: Andy Greenberg/WIRED]

Researchers demonstrated that the Jeep Cherokee’s Uconnect system could be exploited to gain full remote access to vehicle functions by targeting application-layer commands. The attack leveraged cellular connectivity, software update channels, and the integration between the infotainment system and critical vehicle controls. In response to the severity of the threat, Fiat Chrysler issued a recall affecting 1.4 million vehicles.


Mirai Botnet Attack on IoT Devices (2016)

[Image: screenshot of malware code. Source: Screenshot / Tech Crunch]

The Mirai botnet attack exploited default login credentials in embedded, internet-facing devices to gain remote control at the application layer — a textbook case of poor security hygiene. These devices, often shipped with hardcoded or unchanged credentials, were easily hijacked and conscripted into a massive botnet. The resulting DDoS attack targeted DNS provider Dyn, disrupting major services like Twitter, Netflix, and Reddit, and also overwhelmed the security blog KrebsOnSecurity with a 620 Gbps traffic surge.



Ring Doorbell Camera Hacks (2019)

[Image: Ring doorbell camera. Source: ABC News]

Attackers exploited weak passwords and the absence of two-factor authentication to hijack video feeds through the Ring app’s cloud APIs. This security gap allowed unauthorized access to users’ home camera systems, sparking public outrage. In response, Ring implemented mandatory 2FA and enhanced its security communication to rebuild user trust.


Nest Thermostat Ransom Attack (2019)

[Image: Trend Micro]

Nest users fell victim to credential stuffing attacks, where hackers used previously breached usernames and passwords to gain unauthorized access to their online accounts. This allowed attackers to remotely manipulate smart home devices, such as thermostats. In response, Google urged users to adopt stronger passwords and enabled two-factor authentication to mitigate future risks.
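Credential stuffing leaves a distinctive trace in an authentication log, and it differs from a brute force against one account: a single source tries many different accounts about once each, because it already holds one leaked password per account, and a small fraction succeed. The following is an added example, not code from the original article; it runs that detection over constructed log lines (the log format, field names and addresses are invented for the illustration; a real deployment would parse its own identity provider's audit log) and lists the accounts whose reused passwords need a forced reset.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example, not code from the original article. The log format, field names
and addresses are constructed for this illustration; a real deployment would
parse its own identity provider's audit log instead.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one address walks a list of accounts with one attempt
# each (the credential-stuffing signature) and lands one hit; two ordinary
# users log in from their own addresses, one of them after a typo.
SAMPLE_LOG = """\
2019-09-01T10:00:01Z login fail user=alice ip=198.51.100.7
2019-09-01T10:00:01Z login fail user=bob ip=198.51.100.7
2019-09-01T10:00:02Z login fail user=carol ip=198.51.100.7
2019-09-01T10:00:02Z login fail user=dave ip=198.51.100.7
2019-09-01T10:00:03Z login ok user=erin ip=198.51.100.7
2019-09-01T10:00:03Z login fail user=frank ip=198.51.100.7
2019-09-01T10:00:05Z login fail user=alice ip=192.0.2.3
2019-09-01T10:00:09Z login ok user=alice ip=192.0.2.3
2019-09-01T10:01:00Z login ok user=bob ip=192.0.2.44
"""


def parse_log(text):
    """Yield a dict per line that matches the format; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_credential_stuffing(events, min_distinct_users=5, max_attempts_per_user=2.0):
    """Return {ip: {"users": n, "attempts": n, "successes": [users]}} for
    sources that tried many distinct accounts with few attempts per account.

    A brute force hammers one account many times; credential stuffing tries
    many accounts once or twice each, since the attacker already holds a
    candidate password per account from another site's breach.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": []})
    for ev in events:
        entry = per_ip[ev["ip"]]
        entry["users"].add(ev["user"])
        entry["attempts"] += 1
        if ev["result"] == "ok":
            entry["successes"].append(ev["user"])

    flagged = {}
    for ip, entry in per_ip.items():
        distinct = len(entry["users"])
        if distinct >= min_distinct_users and entry["attempts"] / distinct <= max_attempts_per_user:
            flagged[ip] = {"users": distinct, "attempts": entry["attempts"],
                           "successes": sorted(entry["successes"])}
    return flagged


def accounts_to_reset(flagged):
    """Accounts that authenticated successfully from a flagged source. These
    are the reused passwords; a forced reset plus 2FA enrolment is the fix."""
    return sorted({u for entry in flagged.values() for u in entry["successes"]})


if __name__ == "__main__":
    hits = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    print(hits)
    print("reset:", accounts_to_reset(hits))
```

The thresholds are deliberately loose in the sample so that nine lines are enough to show the shape; on a real service they are set from the normal distribution of distinct accounts per source (a NAT gateway for an office will legitimately show many users, but with a high success ratio). The list returned by `accounts_to_reset` is the concrete handover to the response team, and it is also the argument for the 2FA enforcement the article describes as Google's response.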


Read about mitigation in Part 2: Smart Product Cyber Threat Mitigation


Are you, too, considering security and privacy of your connected product users?...






Further reading:

  • Coffee Shops MAC spoofing:

    • Stack Exchange MAC Address Spoofing: How It Works and How to Protect Yourself


  • Tesla hacks:

    • The Guardian, Sep 2016: Team of hackers take remote control of Tesla Model S from 12 miles away

    • Auto Evolution, May 2024: Researchers Discover That Teslas Are Easy To Steal Despite Adopting New Keyless Tech

    • The Byte, Nov 2024: Teslas can be stolen by hijacking WiFi at charging stations, researchers find


  • St Jude pacemaker hack:


  • Jeep Cherokee Hack:

    • Wired Jul 2015: Hackers Remotely Kill a Jeep on the Highway - With Me in It


  • Mirai Botnet Attack:

    • Tech Crunch Oct 2016: Hackers release source code for a powerful DDoS app called Mirai


  • Ring Doorbell Camera Hacks:

    • ABC News, Dec 2019: Ring security camera hacks see homeowners subjected to racial abuse, ransom demands


  • Flaws in Smart Locks:

    • The Verge Jul 2018: This fingerprint-verified padlock is extremely easy to hack

    • BGR Aug 2016: Researchers find ‘smart’ door locks are easy to hack, surprising no one


  • Nest Thermostat Ransom Attack:

    • Trend Micro Sep 2019: Hacker Compromised Family’s Wi-Fi, Taunted Family With Thermostat, Camera for 24 Hours



© 2025 TheRoad - All Rights Reserved 
