Security & Compliance Blog

Hacking the Internet of Things – It’s as Simple as ABC

Bev Robb
4 minute read
Bev Robb

Gartner estimates that 8.4 billion connected things will be in use worldwide this year, up 31% from 2016, and will reach 20.4 billion by 2020.

The Internet of Things is replete with cars, electronic appliances, heating and lighting systems, medical devices, pipelines, power meters, printers, sensors, routers, security systems, smart cities, smart TV’s, SCADA systems, traffic lights, vending machines, wearables, webcams and other devices.

Webopedia defines The Internet of Things as an “ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.”

Hacking IoT

It’s incredibly easy to hack IoT devices that use default passwords. As an example: who can forget last year’s Mirai botnet attack? A botnet that was specifically designed to scan the Internet for poorly secured devices (using a list of more than 60 combinations of usernames and passwords). This particular botnet was able to gain access to 380,000 vulnerable devices—simple as A, B, C.

Shodan Search Engine

Shodan is the world’s first IoT search engine for internet-connected devices. It crawls the internet 24-hours a day, and has servers located all over the world. Shodan can find electric grids, smart refrigerators, animal trackers and wind farms too.

Shodan was once touted as the scariest search engine on the internet: “What’s really noteworthy about Shodan’s ability to find all of this — and what makes Shodan so scary — is that very few of those devices have any kind of security built into them.” wrote CNN’s David Goldman.

Herein lies the problem—all these insecure devices can easily become an entry point for hackers and cybercriminals. As of this writing—there are over 75,000 devices with default passwords on Shodan.

Fortunately, for the 75,000+ devices that harbor default passwords—Shodan limits search results so that the search engine can’t be exploited for nefarious purposes.

MQTT attacks

MQTT (Message Queuing Telemetry Transport) is a publish/subscribe messaging protocol for constrained Internet of Things devices and low-bandwidth, high-latency or unreliable networks.

While scanning the internet last year, security researcher Lucas Lundgren found almost 60,000 (open to attack) IoT servers using MQTT on the public Internet (with no authentication and no encrypted communication.) Lundgren’s findings were revealed last August at DEF CON. His discovery included hospital communications, messaging apps, prison controls, shipment tracking systems, and potential satellite communication systems.

CSO recently reported “The insecure implementation of the MQTT (Message Queue Telemetry Transport) protocol, an Oasis standard for IoT communication, by many IoT product vendors is contributing to the high risk of IoT devices on enterprise and home networks.”

Are your IoT devices secured?

Don’t wait for the next IoT attack to claim the “victim” card. The time to implement a plan for all your IoT devices is now. Today is what counts because tomorrow may be too late.

When I was a child, I broke the same collarbone (within a four year span) three times. Each time my collarbone broke was due to a case of careless and reckless ice skating. With each break, I remember lying on the ice—thinking . . . “this isn’t really happening to me.”

I would always close my eyes as tightly as I could—fervently wishing while wistfully hoping that when I opened my eyes again—the bone would be magically healed and the excruciating pain would disappear.

Of course, that scenario could only happen within the context of a fairy tale.

After the third break, I realized it was time to put my ice skates away—permanently.

Cybercriminals have no intention of making any exploit or vulnerability that resides between you and them into a gentle “fairy tale” ride. You will never come out of a hacked device sitting in the winners circle. Bad actors will always maintain the upper edge. It’s what you do during the interim (to protect your IoT devices) that will eventually shield or expose you. Though you can’t stop all potential hacks—you can certainly strengthen the fortress before they trample the moat.

Take action now

Take the time to do the research on any IoT device you plan to introduce to your home or business network. Pay attention to the company brand, reviews, and potential security vulnerabilities.

Find out how to secure all IoT devices connected to your home or business network.

Use an IoT scanner to take inventory of the devices that are currently attached to your network.

Here are two scanners that I recommend:


Year after year, IoT devices continue to grow exponentially. Even though history reveals the dark side of what can and has occurred when devices are not secured—IoT still has a long way to go baby, before device developers and manufactures build security from the ground up.

“The one thing we know about IoT— largely based on other embedded systems like WiFi access points and cable modems—is that once the system is shipped, there’s nearly zero chance that it will be updated.”Newsweek

The land of IoT is the wild, wild West.

Dummies Guide to Security Operations

When security and operations teams collaborate closely, they can protect your business more effectively against all kinds of threats. Learn more in the SecOps For Dummies guide.

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

See an error or have a suggestion? Please let us know by emailing

BMC Bring the A-Game

From core to cloud to edge, BMC delivers the software and services that enable nearly 10,000 global customers, including 84% of the Forbes Global 100, to thrive in their ongoing evolution to an Autonomous Digital Enterprise.
Learn more about BMC ›

About the author

Bev Robb

Bev Robb

Bev Robb is a freelance writer/editor/social media manager and “thought leader” for information security. Previously, she wrote security articles for Dell Powermore and was the Fortscale Security Technology Editor and Publication Manager for Norse Corporation. She has a B.S. in Sociology from Southern Oregon University. A computer security/Internet consultant for 20+ years, she started her digital life on the Internet before the advent of the Mosaic browser.