Understanding IoT Vulnerabilities: SQL injection or Hackers Can Hit Connected Things with Tricky Requests

Cyber-intruders don’t always need complex methods to compromise devices on your home network. Sometimes, reaching critical information is just a matter of asking for it in the right way, which can basically be an SQL injection.

Despite the complicated name, SQL (Structured Query Language) is just a way to handle entries in a database, which can be accessed through a web interface (think of the administrative panels for most connected things). A hacker wants to tap into databases that hold sensitive data like usernames, passwords and permissions, and alter or use them to gain a foothold in your virtual perimeter. This, in turn, could bring them closer to accessing other connected devices and, ultimately, taking over the entire network.

An SQL injection attack works when the hacker impersonates a user who is allowed to execute a limited set of requests: the attacker inputs a valid request and mixes in new instructions that also get executed. This could be compared to a robot tasked to manage merchandise in a sealed room. Although it can do more, the robot’s purpose is to execute a specific set of actions, such as moving boxes, getting them out and in or showing an inventory of the storage room. However, if a user injects a request to smash things up, the robot won’t know the difference and will obey the command.

The risks associated with this type of attack are serious; hackers could trick a web application to allow authentication without a valid password, delete and add other users or change their access level. Once hackers get into your network, they have an array of choices to make money off your data.

Removing the possibility of SQL injection altogether from a web application is a task for its developer. Although you don’t have any power to fix the problem, knowing about it could at least prompt some action from your part to protect your data. If the vulnerability is present in an Internet of Things device on the network and it has been publicly disclosed, Bitdefender Home Scanner will push an alert for it on the desktop, allowing you to determine what to do next.

An advanced solution that can also protect the devices on the network is Bitdefender BOX, a minimalist design security application that inspects traffic in and out of the home network, and ends connections to or from ill-reputed domains.

The recommendation from security experts is to keep an eye out for any firmware updates becoming available for the connected things on your network and install them without delay. Alternative defenses are good, but in this case a few changes to the application’s code produce better results.