{"id":41627,"date":"2021-07-06T15:52:15","date_gmt":"2021-07-06T15:52:15","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/32441\/IoT-ICS-Armageddon-Hacking-Devices-Like-Theres-No-Tomorrow-Part-1.html"},"modified":"2021-07-06T15:52:15","modified_gmt":"2021-07-06T15:52:15","slug":"iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/","title":{"rendered":"IoT\/ICS Armageddon: Hacking Devices Like There&#8217;s No Tomorrow Part 1"},"content":{"rendered":"<p>In one of my many previous lives, I worked as principal penetration tester\/team leader in the OT area, verifying the full security of more than a dozen of IoT and ICS devices. Switching from IT to OT seemed to be an exciting step, but honestly I got bored pretty soon, and after one year and a half I retired. This is the story of the most ridiculous vulnerabilities I found and although the affected vendors cannot be mentioned due to NDA constraints, I believe the blog post can be still helpful, as it is still full of these crazy flaws out there.<\/p>\n<h2><strong>Why boring?<\/strong><\/h2>\n<p>The truth is that hacking OT devices wasn\u2019t challenging enough. Today, like five years ago, the security in the area is running 10\/15 years behind the traditional IT sector. In a few words:<\/p>\n<ul>\n<li>Almost no data encryption at all\u2026<\/li>\n<li>Weak authorization mechanisms\u2026<\/li>\n<li>Service misconfigurations everywhere.<\/li>\n<\/ul>\n<p>I can\u2019t remember a single project in which I was unable to achieve remote code execution, without considering the rest: a whole boat of all kinds of bugs and vulnerabilities. I saw literally no evolution of my skills\/career if I were to continue on that professional path.<\/p>\n<p>I must admit it! Meanwhile some people have made their fortunes by selling ICS\/IoT vulnerabilities to 0day programs and if I had today to give an advice, I would certainly suggest aspiring and novice bug bounty hunters to focus on this area. However, I continue to prefer targets more difficult to hack. This is a personal choice of course, not a universal truth. Somebody else can very well have fun with OT security. <\/p>\n<h2><strong>RCE everywhere<\/strong><\/h2>\n<p>RCE everywhere, I said. One of the many devices I tested, fallen into the so-called category of \u201cdata concentrator\u201d. Imagine the place where you live. Probably the electricity you consume is measured by a smart meter installed at your home. The same is for your neighbours. But how does the company sending the bill each month knows how much their customer must pay? Well, your smart meter communicates current consumption and other information to a data concentrator, normally via powerline communication (PLC) or some wireless system. As opposed to smart meters, a data concentrator is located outside of the user domain, usually into a cabin down the street where you live or under a bridge. This device collects the data received and transmits it (via GPRS or more modern units) to a central system in the operator\u2019s data center, where other steps, for example, traffic monitoring or billing, take place.<\/p>\n<p>As data concentrators are a bit more sophisticated than smart meters, these devices come with the necessary hardware to run a complete operating system (quite often Linux). It means some kind of configuration web interface is of course exposed, along with other network services.<\/p>\n<p>One day, me and a colleague were engaged to test one of these devices. We found that an undocumented <kbd>guest<\/kbd> user with default <kbd>guest<\/kbd> password could authenticate to the web admin interface (port 80) with read-only access rights. The presence of this undocumented user (of which there was no trace neither in the official documentation, nor somewhere else) proved to be enough to totally compromise the device itself.<\/p>\n<p>It was a classic old-school RCE. In the \u2018change password\u2019 page we just targeted a parameter (<kbd>password_text<\/kbd>) and placed our shell command after a single quote and a semicolon character (see screenshot below).<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"645\" height=\"114\" src=\"https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding.png\" alt class=\"wp-image-1771\" srcset=\"https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding.png 645w, https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding-300x53.png 300w\" sizes=\"auto, (max-width: 645px) 100vw, 645px\"><\/figure>\n<p>Specifically we changed the password of the <kbd>admin<\/kbd> user because it was allowed to ssh into the device. While we analyzed more in depth the web interface of this data concentrator, it was noticed that the issue was systemic. To put it simply, every field where the attacker could insert their own input (regardless if GET or POST parameter) seemed injectable. So we decided to dig more in order to establish the root cause for this bug, which brought us to determine that the flaw was tied to an underlying <em>sanitization function<\/em> that failed to properly filter the user-supplied input<\/p>\n<p>Basically, in whatever place the application took user input, a function (partially-masked snippet below) inside a CGI script, was called first to process that input:<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"645\" height=\"49\" src=\"https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding-1.png\" alt class=\"wp-image-1772\" srcset=\"https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding-1.png 645w, https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding-1-300x23.png 300w\" sizes=\"auto, (max-width: 645px) 100vw, 645px\"><\/figure>\n<p>The function tried to delimitate the user input between two single quotes. If the URL-encoded representation of one or more single quote characters was present in the user input, the function tried to escape them. But as you know an attacker can bypass the browser and force the submission of single quote characters that are not URL-encoded. This allowed us to break the input string (along with the possibility to use a semicolon \u201c;\u201d) and inject characters interpreted as operating system commands. But there was another level of craziness in the function itself. The <kbd>eval()<\/kbd> instruction was invoked before the validation of the HTTP parameter\u2019s content occurred, which meant an attacker could remotely execute shell commands by providing whatever name as HTTP parameter \ud83d\ude00<\/p>\n<p>Exploiting command injections like these is not only something seen with IoT devices. Any web application can be vulnerable to this. We\u2019ll teach you how to find (and exploit) these bugs in modern web applications in our <a href=\"https:\/\/www.blackhat.com\/us-21\/training\/schedule\/#practical-web-application-hacking-advanced-221131617900958\" target=\"_blank\" rel=\"noreferrer noopener\">BlackHat course<\/a>.<\/p>\n<p>It was at that point we realized there was not even the need to authenticate as guest user to exploit this vulnerability. Just an EPIC FAIL of the vendor!<\/p>\n<h2><strong>An embarassing file disclosure bug<\/strong><\/h2>\n<p>Arbitrary file download is another class of vulnerabilities that web interfaces of data concentrators are commonly affected by. I remember a different device in which the web technology adopted was PHP. It was quite a weird and funny case. There was a function named <kbd>SanitizeCmdLine()<\/kbd> intended to remove evil characters from a user-supplied string before being executed. For example the pipe <kbd>\u201c|\u201d <\/kbd>character and the dot-dot <kbd>\u201c..\u201d<\/kbd> sequence were stripped out of the user input, if present, but a single dot <kbd>\u201c.\u201d<\/kbd> was not.<\/p>\n<p>In simple terms, inserting a pipe char in the middle of two dots (like this <kbd>\u201c.|.\u201d<\/kbd>) would have had the effect to produce, after sanitization, the sequence dot-dot <kbd>\u201c..\u201d<\/kbd><\/p>\n<p>But the function <kbd>SanitizeCmdLine()<\/kbd> was not recursive! So, there was not a second round of sanitization on the resulting dot-dot sequence. Therefore a string like this:<\/p>\n<p><kbd>.|.\/.|.\/.|.\/.|.\/.|.\/some\/file<\/kbd><\/p>\n<p>would have been transformed like this, after being \u201c<em>sanitized<\/em>\u201d:<\/p>\n<p><kbd>..\/..\/..\/..\/..\/some\/file<\/kbd><\/p>\n<p>For example, the effect of submitting the request below\u2026<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"355\" height=\"90\" src=\"https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding-2.png\" alt class=\"wp-image-1773\" srcset=\"https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding-2.png 355w, https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding-2-300x76.png 300w\" sizes=\"auto, (max-width: 355px) 100vw, 355px\"><\/figure>\n<p>\u2026produced a server\u2019s reply that contained the full content of <kbd>\/etc\/passwd<\/kbd>:<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"391\" height=\"238\" src=\"https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding-3.png\" alt class=\"wp-image-1774\" srcset=\"https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding-3.png 391w, https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding-3-300x183.png 300w\" sizes=\"auto, (max-width: 391px) 100vw, 391px\"><\/figure>\n<p>Absolutely one of the most inventive and original ways to sanitize malicious input I have ever seen!<\/p>\n<h2><strong>The \u201cunhackable\u201d device<\/strong><\/h2>\n<p>After a series of successes in hacking IoT\/ICS devices, my boss came to me and said the next assignment would have been a tough one: the device to test (another data concentrator) was never hacked in the previous security checks the other companies had performed, and the vendor was of course very happy about that. Their products had the fame to be very secure in the market.<\/p>\n<p>The first bug I spotted was a simple arbitrary file delete vulnerability. Nothing exceptional yes, but it immediately gave me the feeling that the fame of this device was undeserved.<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"461\" height=\"85\" src=\"https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding-4.png\" alt class=\"wp-image-1775\" srcset=\"https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding-4.png 461w, https:\/\/www.redtimmy.com\/wp-content\/uploads\/2021\/06\/afbeelding-4-300x55.png 300w\" sizes=\"auto, (max-width: 461px) 100vw, 461px\"><\/figure>\n<p>Soon I discovered the <kbd>action=delete<\/kbd> string in the screenshot above could be turned to <kbd>action=download<\/kbd>, which gave me a vanilla arbitrary file download primitive.<\/p>\n<p>The web console of the data concentrator implemented a feature that allowed a user to get a copy of log files for analysis and troubleshooting purposes, compressed in a zip archive. The archive itself replicated the same internal structure of the data concentrator\u2019s filesystem, which revealed the exact location where sensible resources were stored, like encryption keys, system logs, confidential database files containing electricity consumes with other user details, etc\u2026<\/p>\n<p>I could grab all these files with my vanilla arbitrary file download bug. Most importantly, inside a system log file, I spotted something like this:<\/p>\n<p>[\u2026]<\/p>\n<p>201x-0x-2x_15:59:22.42275 Installed and marked for start: reference:file:<strong>\/usr\/lib\/_scape\/jars\/BorderRouter.jar<\/strong> (id#23)<\/p>\n<p>201x-0x-2x_15:59:22.42526 #2: check reference:file:<strong>\/usr\/lib\/_scape\/jars\/CellularModemControl.jar<\/strong><\/p>\n<p>[\u2026]<\/p>\n<p>Now that I knew the location of the JAR files that implemented the web application logic, the consequential step was to get all of them (power of the file download bug found) and perform a quick internal code review. By previously walking over the web panel, I had noticed a function through which to configure a PPP tunnel with a remote destination. I decided to investigate the JAR related to that functionality.<\/p>\n<p>Basically, when a certain web form was filled up, the <kbd>StartPppd()<\/kbd> method of the class <kbd>PppConnection()<\/kbd> was invoked with some arbitrary input taken from the form itself, mainly a username and a password. The <kbd>StartPppd()<\/kbd> method was responsible to build the command string for the system binary <kbd>pppd<\/kbd>, something like this:<\/p>\n<p>pppd \/dev\/ttyS0 <em>connect<\/em> \u201cchat -v -s -E -f \/etc\/ppp\/chat-isp\u201d debug logfile \/tmp\/pppd.log [\u2026] user <strong>someuser<\/strong> password <strong>somepassword<\/strong><\/p>\n<p>The command string was subsequently executed to prepare and establish the PPP connection. You can see how the issue is evident here. As an attacker we are totally in control of \u201cuser\u201d and \u201cpassword\u201d parameters. We also know quotation marks are allowed in the user-supplied input.<\/p>\n<p>Additionally, there is a little trick. The option \u201cconnect\u201d can execute shell commands specified between quotation marks. If that option is repeated twice on \u201cpppd\u201d command line, the shell command the binary executes is the one related to the last instance found of the \u201cconnect\u201d option. So, in the specific case, it was enough to submit in the web form:<\/p>\n<ul>\n<li>as \u201c<kbd>user<\/kbd>\u201d parameter the string: <em>whatever<\/em><\/li>\n<li>as \u201c<kbd>password<\/kbd>\u201d parameter the string: <em>s connect \u201csudo \/bin\/touch \/tmp\/byebye\u201d<\/em><\/li>\n<\/ul>\n<p>After the form submission, the following \u201c<em>pppd<\/em>\u201d command was constructed:<\/p>\n<p>pppd \/dev\/ttyS0 <em>connect<\/em> \u201cchat -v -s -E -f \/etc\/ppp\/chat-isp\u201d debug logfile \/tmp\/pppd.log [\u2026] user <strong>whatever<\/strong> password <strong>s connect \u201csudo \/bin\/touch \/tmp\/byebye\u201d<\/strong><\/p>\n<p>When the string is finally passed to the shell interpreter, the command <kbd>sudo \/bin\/touch \/tmp\/byebye<\/kbd> is executed!<\/p>\n<p>$ <strong>ls -al \/tmp<\/strong><\/p>\n<p>[\u2026]<\/p>\n<p>-rw-r\u2014\u2013&nbsp;&nbsp;&nbsp; byebye&nbsp; <strong>root&nbsp;&nbsp;&nbsp; root&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/strong>0 Jun 17 14:12<\/p>\n<p>[\u2026]<\/p>\n<p>Well, it was the first RCE I spotted by doing code review of the collected JAR files. Potentially there were many more bugs of the same class, but the time I was assigned to for the investigation (1 week) was too short to bring up to the surface other issues. In any case, this assessment marked the end of the \u201c<em>unbeatability<\/em>\u201d of a device considered unhackable, until that moment.<\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>There is nothing more left for today, although we have many other stories related to hacking of IoT\/ICS devices that we would like to tell. So probably this will be just one of a series of blog posts about it, and we will see more from Red Timmy in the near future. In the meantime, don\u2019t forget to check out our <a href=\"https:\/\/www.blackhat.com\/us-21\/training\/schedule\/#practical-web-application-hacking-advanced-221131617900958\" target=\"_blank\" rel=\"noreferrer noopener\">BlackHat course<\/a> coming up, we\u2019ve got still some spots left!<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/32441\/IoT-ICS-Armageddon-Hacking-Devices-Like-Theres-No-Tomorrow-Part-1.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":41628,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[256],"class_list":["post-41627","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-packet-storm","tag-headlinehackerflaw"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>IoT\/ICS Armageddon: Hacking Devices Like There&#039;s No Tomorrow Part 1 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"IoT\/ICS Armageddon: Hacking Devices Like There&#039;s No Tomorrow Part 1 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-06T15:52:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"645\" \/>\n\t<meta property=\"og:image:height\" content=\"114\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"IoT\\\/ICS Armageddon: Hacking Devices Like There&#8217;s No Tomorrow Part 1\",\"datePublished\":\"2021-07-06T15:52:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\\\/\"},\"wordCount\":1833,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1.png\",\"keywords\":[\"headline,hacker,flaw\"],\"articleSection\":[\"Packet Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\\\/\",\"name\":\"IoT\\\/ICS Armageddon: Hacking Devices Like There's No Tomorrow Part 1 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1.png\",\"datePublished\":\"2021-07-06T15:52:15+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/07\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1.png\",\"width\":645,\"height\":114},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker,flaw\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackerflaw\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"IoT\\\/ICS Armageddon: Hacking Devices Like There&#8217;s No Tomorrow Part 1\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"IoT\/ICS Armageddon: Hacking Devices Like There's No Tomorrow Part 1 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/","og_locale":"en_US","og_type":"article","og_title":"IoT\/ICS Armageddon: Hacking Devices Like There's No Tomorrow Part 1 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-07-06T15:52:15+00:00","og_image":[{"width":645,"height":114,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"IoT\/ICS Armageddon: Hacking Devices Like There&#8217;s No Tomorrow Part 1","datePublished":"2021-07-06T15:52:15+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/"},"wordCount":1833,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1.png","keywords":["headline,hacker,flaw"],"articleSection":["Packet Storm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/","url":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/","name":"IoT\/ICS Armageddon: Hacking Devices Like There's No Tomorrow Part 1 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1.png","datePublished":"2021-07-06T15:52:15+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/07\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1.png","width":645,"height":114},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/iot-ics-armageddon-hacking-devices-like-theres-no-tomorrow-part-1\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,flaw","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackerflaw\/"},{"@type":"ListItem","position":3,"name":"IoT\/ICS Armageddon: Hacking Devices Like There&#8217;s No Tomorrow Part 1"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41627","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=41627"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41627\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/41628"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=41627"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=41627"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=41627"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}