Can a robotic vacuum cleaner steal your Bitcoin?

10/10/2025, 10:44:10 AM
Intermediate
Security
The article illustrates, through multiple real-world cases, how hackers exploit vulnerabilities in IoT devices to launch attacks — including intrusions into coffee machines, casino fish tanks, and access sensors.

Imagine waking up one morning to find your robot vacuum on the fritz, your refrigerator asking you for ransom money and your crypto and bank accounts completely drained.

No, it’s not the plot of Stephen King’s trashy 1986 horror “Maximum Overdrive” (about a rogue comet that triggers a global outbreak of sentient killer machines).

Instead, it’s what could happen if hackers decided to infiltrate your PC through one of your home’s many smart devices, which is more likely now with an estimated 18.8 billion Internet of Things (IoT) devices globally and around 820,000 IoT attacks on average per day.

“Insecure IoT devices (e.g., routers) can serve as entry points to home networks,” Tao Pan, a researcher at blockchain security firm Beosin, tells Magazine.

As of 2023, the average US household had 21 devices connected to the internet, with a third of smart home device consumers reporting being the victim of a data breach or scam in the last 12 months.

“Once infiltrated, attackers can move laterally to access connected devices, including computers or mobile phones used for crypto transactions, and also can capture login credentials between devices and exchanges. This is especially risky for crypto owners using APIs for crypto trading,” he adds.

So, what exactly can hackers get their hands on around your home, and what damage can they do?

Magazine gathered some of the strangest things that have been hacked over the last few years, including one case where a door sensor was hacked to mine cryptocurrency. We’ve also gathered some tips to keep your data and crypto safe.

Hacking your coffee machine

In 2019, Martin Hron, a researcher at cybersecurity company Avast, wanted to show how easy it is for hackers to access your home’s network and its devices.

So, naturally, he remotely hacked his own coffee machine.

Hron explains that, like most smart devices, coffee makers come with default settings, and no passwords are needed to connect the device to WiFi, making it easy to upload malicious code into the machine.

“Many IoT devices first connect to your home network via their own WiFi network, which is intended to be used just to set up the machine. Ideally, consumers immediately protect that WiFi network with a password,” explains Hron.

“But many devices are sold without passwords to protect the WiFi network, and many consumers don’t add one,” he adds.

“I’m able to do whatever I want because I am able to replace the firmware, which is the software that operates the coffee maker. And I can replace it with whatever I want. I can add functionality, remove functionality and overcome security measures that are built in. So, I can do anything,” he said in a video posted by Avast.

In his example, Hron uses the coffee maker to display a ransom note that essentially bricks the device unless a ransom is paid.

You could just turn it off, but you’re guaranteed never to get a coffee again. (Avast/YouTube)

However, the coffee maker could be made to do more malicious things, like turning on its burner to create a fire hazard or spitting out boiling water if the victim doesn’t comply, for example.

But perhaps just as scarily, it could silently sit there as a gateway to your entire network, letting attackers spy on anything from bank account details and emails to crypto seed phrases.

Casino fish tank is compromised

One of the most famous cases happened in 2017, when cyberattackers transferred 10 gigabytes of data from a Las Vegas casino by compromising an internet-connected fish tank in the lobby.

The fish tank had sensors to regulate temperature, food and cleanliness, which were connected to a PC on the casino’s network. Hackers used the fish tank to move to other areas of the network, sending data to a remote server in Finland.

The fish tank could have looked something like this. (Muhammad Ayan Butt/Unsplash)

This was despite the casino having deployed typical firewalls and antivirus software. Luckily, the attack was quickly identified and dealt with.

“We stopped it straight away, and no damage was done,” cybersecurity firm Darktrace CEO Nicole Eagan told the BBC at the time, adding that the growing number of internet-connected devices meant “it is a hacker’s paradise out there.”

Door sensor that secretly mined crypto

Then, years later in 2020, when offices worldwide sat empty amid the COVID-19 pandemic, Darktrace discovered a secret crypto mining operation that exploited a server controlling an office’s biometric door access.

The cybersecurity firm identified the incident after the internet-facing server downloaded a suspicious executable from an external IP address that had never been seen on the network.

After downloading the file, the server repeatedly connected to external endpoints associated with mining pools for the privacy token Monero.

It’s called cryptojacking, and Microsoft’s Threat Intelligence team found more cases of it in 2023, with hackers targeting Linux systems and smart devices connected to the internet.

It found that threat actors would initiate the attack by attempting to brute force their way into internet-facing Linux and IoT devices. Once inside, they install a backdoor, which then allows them to download and run cryptomining malware, driving up electricity bills and sending all the proceeds to their wallets.

There have been many more cases of cryptojacking, with one of the most recent cases involving cryptojacking payloads embedded in fake 404 HTML pages.
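The two signals in the door-access server case above (an executable fetched from an external IP never seen on the network, then repeated connections to mining-pool endpoints) can be correlated over connection logs. The following is an added example, not Darktrace's or Microsoft's code; the flow records, IP addresses, ports, watchlist and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data using documentation IP ranges; not from the incident.
BASELINE_EXTERNAL = {"198.51.100.7", "198.51.100.8"}  # external IPs seen before
POOL_WATCHLIST = {"203.0.113.50", "203.0.113.51"}     # hypothetical pool intel feed
FLOWS = [  # (unix_time, internal_src, external_dst, dst_port, content_type)
    (1000, "10.0.0.5", "198.51.100.7", 443, "text/html"),
    (1060, "10.0.0.9", "192.0.2.44", 80, "application/x-executable"),
    (1120, "10.0.0.9", "203.0.113.50", 3333, None),
    (1180, "10.0.0.9", "203.0.113.50", 3333, None),
    (1240, "10.0.0.9", "203.0.113.51", 3333, None),
    (1300, "10.0.0.5", "192.0.2.99", 443, "text/html"),   # new IP, but not a binary
    (1360, "10.0.0.7", "203.0.113.50", 3333, None),       # pool hit, no prior download
]
EXECUTABLE_TYPES = {"application/x-executable", "application/x-dosexec",
                    "application/octet-stream"}

def detect_cryptojacking(flows, baseline, watchlist, min_pool_hits=3, window=3600):
    """Return alerts for hosts that fetched an executable from a never-seen
    external IP and then reached watchlisted endpoints at least min_pool_hits
    times within `window` seconds of that download."""
    seen = set(baseline)
    downloads = {}                 # src -> (time, ip) of first rare-IP download
    pool_hits = defaultdict(list)  # src -> times of pool connections after it
    for ts, src, dst, _port, ctype in sorted(flows, key=lambda f: f[0]):
        if dst in watchlist:
            if src in downloads and ts - downloads[src][0] <= window:
                pool_hits[src].append(ts)
        elif dst not in seen and ctype in EXECUTABLE_TYPES:
            downloads.setdefault(src, (ts, dst))
        seen.add(dst)              # after this flow the IP is no longer "new"
    return [
        {"host": src, "download_from": ip, "download_time": t0,
         "pool_connections": len(pool_hits[src])}
        for src, (t0, ip) in sorted(downloads.items())
        if len(pool_hits[src]) >= min_pool_hits
    ]

if __name__ == "__main__":
    for alert in detect_cryptojacking(FLOWS, BASELINE_EXTERNAL, POOL_WATCHLIST):
        print(alert)
```

Requiring both signals keeps a lone download from a new IP, or a single watchlist hit from another host, from raising an alert on its own.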

Hack enough smart devices and kill the grid

On a more apocalyptic front, Princeton University security researchers have even once postulated that if hackers could get their hands on enough power-hungry devices, say, 210,000 air conditioners, and turned them on all at the same time, they could leave the equivalent of California’s population — 38 million people — suddenly out of power.



The devices would all have to be turned on in one part of the grid, which would overload certain power lines and either damage them or shut them down by triggering protective relays on those lines. That would put more load on the remaining lines, straining the grid further and setting off a cascading effect.

However, it would need to be maliciously timed since these kinds of grid fluctuations happen often (like during a heatwave).

Your robot vacuum is watching you

Last year, several robot vacuums across the US started powering up on their own.

It turns out that hackers discovered a security flaw in a particular line of Chinese-made Ecovacs robot vacuums.

Reports indicated that hackers could physically pilot the device, which they used to terrorize pets, yell obscenities at users through its onboard speakers and even look around people’s homes with its onboard camera.


Image from a live feed of a hacked Ecovacs robot vacuum. (ABC News)

“A serious problem with IoT devices is that many vendors, sadly, still pay insufficient attention to security,” says cybersecurity firm Kaspersky.

Needless to say, video footage of you entering passwords or writing down seed phrases could be catastrophic in the wrong hands.

How to protect yourself from smart device hackers

So, you may be looking around your house and noticing you have nearly everything connected to the internet: maybe a robot vacuum, a digital photo frame, a doorbell camera. How do you keep your Bitcoin safe?

One option is to take professional hacker Joe Grand’s approach: just don’t have any smart devices in your home.

“My phone is the smartest thing, and that’s even like, grudgingly, I have a phone because I use it, you know, for maps and communicating with my family,” he previously told Magazine. “But no smart devices, no way.”

Hron from Avast says the best way is to ensure you set a password for your smart devices and never leave them on the default settings.

Other experts suggest using a guest network for IoT devices, especially if it’s a device that doesn’t actually need to be on the same network as your computer and phone, disconnecting the device when it’s not in use and keeping the software updated.

There’s even a search engine for internet-connected devices, which costs money, but allows you to see what devices you have connected to the internet and where there could be vulnerabilities.

Disclaimer:

  1. This article is reprinted from [Cointelegraph]. All copyrights belong to the original author [Felix Ng]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.
