
10 Ridiculous Things Hackers Have Controlled Remotely

by Erick Haberman
fact checked by Darci Heikkinen

We expect hackers to target bank accounts, servers, and databases—but sometimes, they hijack the strangest possible devices. As more everyday objects connect to the internet, the attack surface for cybercriminals keeps expanding in weird, unpredictable directions. From smart toilets to hotel lights, these hacks might sound like jokes—but they actually happened.

Here are 10 real-world cases where hackers took control of things they had absolutely no business controlling.


10 A Billboard That Was Turned into Porn

Indonesian BillBoard Got P*rn Hacking

In 2016, commuters in Jakarta, Indonesia, were stunned when a massive LED billboard on a busy street suddenly began broadcasting hardcore pornography during rush hour. The footage ran uninterrupted for several minutes before the power was finally cut. It turned out the billboard’s control system was connected to the internet with no password, allowing anyone with the IP address to upload whatever they wanted. The default login credentials were never changed by the advertising company, a mistake that opened the door to public humiliation on a massive scale.

The backlash was immediate. Several drivers reportedly got into accidents from being distracted by the footage, and the company operating the billboard faced criminal investigations for public indecency and negligence. The hackers were never caught, but the incident sparked similar copycat attacks in other countries. A few months later, a digital sign at a train station in Melbourne was hijacked to display “HACK THE PLANET” and a graphic meme. Digital signage has since been flagged by cybersecurity firms as one of the most overlooked attack surfaces in urban environments.[1]

9 A Smart Thermostat in a British Home

Smart Thermostat Hacked – Free Talk Live 2014-08-17

In 2016, researchers from security firm Pen Test Partners found that a brand of smart thermostats commonly sold in the UK could be fully hijacked over Wi-Fi. Once connected, the hacker could push malicious firmware updates, effectively turning the thermostat into a local surveillance hub or a ransom tool. In a live demo, they showed how attackers could lock the temperature to 99°F (37°C) and demand a Bitcoin ransom to unlock the device.

The vulnerability stemmed from unencrypted communications between the thermostat and the cloud server, allowing man-in-the-middle attacks with minimal technical effort. Many of these thermostats were installed in nursing homes, low-income housing, and offices, meaning a successful attack could impact vulnerable or immobile populations. Though patched later, the vulnerability highlighted how small smart devices can create serious risks when networked into a larger home automation system—especially if users don’t change default settings or update their firmware.[2]


8 A Tesla—Using Just a Drone

Watch How a Drone Hacks Tesla And Opens Its Doors

In 2021, cybersecurity researchers at Keen Security Lab demonstrated a proof-of-concept attack that allowed them to hack a Tesla Model X using a drone flying nearby. By exploiting vulnerabilities in the vehicle’s Wi-Fi stack and infotainment system, the researchers were able to perform a zero-click remote attack that gave them control over functions like doors, lights, seat adjustments, and even navigation—all without touching the car or requiring any action from the driver.

The exploit worked by hijacking Tesla’s Wi-Fi auto-join feature and delivering a malicious payload through a captive portal-style injection, a technique similar to what hackers use at fake airport Wi-Fi hotspots. The Tesla was lured into connecting to a rogue access point created by the drone, which pushed the malware into the vehicle’s head unit. Tesla later patched the vulnerability, but the attack showed how even the most secure smart cars can be manipulated from the air without physical contact. The research team emphasized that over-the-air software updates can both protect and expose cars in real time.[3]

7 A Water Treatment Plant’s Chemicals

Oldsmar, Florida: Investigation After Hacker Tries to Poison Water Supply

In February 2021, someone remotely accessed the control system of a water treatment facility in Oldsmar, Florida, and tried to raise the level of sodium hydroxide (lye) in the water by a factor of 100. Lye is normally used in small amounts to manage pH balance, but in large quantities, it becomes highly caustic and dangerous to human health. A plant operator happened to notice the mouse moving on his computer screen without his input and watched in real time as the settings were altered.

Fortunately, the operator quickly reversed the change, and no contaminated water was released. Investigators later found that the breach occurred through TeamViewer, a remote desktop app used for system maintenance. The system had no firewall, reused passwords, and was connected directly to the internet—violations of basic cybersecurity hygiene. The attack triggered federal investigations and raised alarms about how many small-town utilities are still running under-secured critical infrastructure, often with outdated software and minimal oversight.[4]


6 Hotel Door Locks Around the World

Hack Hotel Magnetic Lock Door – Onity 2012

In 2012, security researcher Cody Brocious presented a simple but devastating vulnerability in Onity keycard locks, which were used in millions of hotel rooms worldwide. By using a $50 homemade device—a modified Arduino plugged into the lock’s DC jack—he was able to dump the lock’s memory and open the door in seconds. The issue? The locks accepted unverified firmware commands from anyone who could plug into them, and the encryption was practically nonexistent.

After the talk, burglars began using the method to rob hotel rooms without leaving signs of forced entry. One case in Houston involved a thief looting multiple rooms in a single night. Onity provided a fix but required hardware replacement, which many hotels refused to pay for, leaving rooms vulnerable for years. This hack became one of the most cited examples of how physical security failures can stem from cheap digital shortcuts and how public proof-of-concept hacks can inspire real-world crime if vendors drag their feet.[5]

5 An Amusement Park Ride

Are Theme Park Rides Safe? | ReviewTyme

In 2008, a 14-year-old Polish teenager used a hacked TV remote to manipulate public tram systems in the city of Łódź. By reverse-engineering the infrared signals used to control track switching, he was able to redirect trams in real time. Eventually, he caused one to derail, injuring twelve people and earning headlines that labeled him a “railway hacker.” Though not an amusement park ride in the traditional sense, the implications applied—the entire system was running on unencrypted, unauthenticated signals, controllable by an off-the-shelf remote and some clever programming.

The incident exposed glaring flaws in industrial control systems that extended beyond Poland. Many urban tram and amusement systems rely on outdated command protocols, often legacy IR or radio frequency commands with no encryption. After the arrest, investigators found the teen’s homemade command console, complete with red and green LEDs, built to mimic what he had seen train staff using. Cybersecurity analysts later warned that the same attack method could be used on aging amusement rides, especially those with remote maintenance override systems accessible wirelessly.[6]


4 A Smart Toilet’s Bidet and Flushing System

Here’s What It Looks Like When A ‘Smart Toilet’ Gets Hacked | Forbes

LIXIL’s Satis-brand smart toilets—retailing for up to $4,000—offered luxury features like heated seats, automated bidets, mood lighting, music, and deodorizing sprays, all controllable via a smartphone app. But in 2013, researchers at Trustwave discovered the My Satis app had a hard-coded Bluetooth PIN: “0000,” used across all models. This meant anyone within Bluetooth range could pair with the toilet and control its features, including flushing it repeatedly or activating the bidet unexpectedly.

While the idea of prank-flushing toilets might sound comedic, experts highlighted real dangers: elderly or disabled users could be seriously affected by sudden sprays or mechanical seat movement. Some units were installed in executive offices and luxury hotels, turning a joke into a potential privacy breach. It was also a case study of poor IoT security practices, showing how even high-end devices can overlook basic protections like unique passwords or secure pairing, especially when physical access seems unlikely.[7]

3 A Smart Fish Tank in a Casino

The Hunt for the Las Vegas Casino Hackers

In one of the strangest breaches ever made public, hackers in 2017 used a smart fish tank to gain access to a North American casino’s internal systems. The tank featured internet-connected sensors that regulated temperature and feeding schedules. However, the tank’s monitoring system was connected to the main network without proper segmentation. Hackers exploited the unsecured connection to move laterally through the casino’s infrastructure, eventually exfiltrating about 10 GB of data before being detected.

The breach was reported by cybersecurity firm Darktrace, though the casino’s identity remains confidential. The event became a notorious example of “shadow IoT” risks—internet-connected devices that exist for convenience or aesthetic value but aren’t hardened for security. Fish tanks, vending machines, and even connected coffee makers have since been cited as soft points of entry in corporate environments. The aquarium was installed in a VIP area, further compounding the risk since high-roller data was likely accessible once the attackers breached the main servers.[8]


2 A Hotel Room’s Lights, TV, and Curtains

Learn How to Control Every Room at a Luxury Hotel Remotely

In 2014, cybersecurity consultant Jesus Molina uncovered a significant vulnerability at the St. Regis Shenzhen, a luxury hotel in China. During his stay, Molina discovered that the hotel’s in-room iPads, provided to guests for controlling lights, curtains, televisions, and thermostats, communicated over an unsecured network using the KNX/IP protocol—a system lacking encryption or authentication. By analyzing the network traffic, Molina found that it was possible to intercept and replay commands, effectively allowing unauthorized control over the amenities in more than 200 rooms. He demonstrated the ability to manipulate devices in other guests’ rooms, such as turning lights on and off or adjusting the television settings, all without their knowledge.

Molina presented his findings at the Black Hat security conference, highlighting the risks associated with integrating Internet of Things (IoT) devices in hospitality without robust security measures. The St. Regis Shenzhen responded by temporarily suspending the iPad control system for upgrades. This incident underscored the broader implications of IoT vulnerabilities in hotel environments, emphasizing the need for stringent security protocols in smart building automation systems.[9]

1 A Jeep Driving on the Highway

Hackers Remotely Kill a Jeep on a Highway | WIRED

In one of the most jaw-dropping security demonstrations ever filmed, cybersecurity researchers Charlie Miller and Chris Valasek remotely hacked a 2014 Jeep Cherokee while it was being driven on the highway. Using a vulnerability in the Uconnect system, which had cellular connectivity, they were able to access the vehicle’s internal network, cutting the transmission, blasting the air conditioning, turning the radio to full volume, and even disabling the brakes—all while the car was moving at 70 mph with a Wired journalist behind the wheel.

The exploit worked through a zero-day vulnerability in the head unit’s software, which wasn’t properly sandboxed from critical systems like steering and acceleration. The researchers initially tested their attack in a parking lot, but the high-speed demo created national headlines. The resulting fallout forced Fiat Chrysler to recall 1.4 million vehicles—the first-ever mass recall triggered by a cyber vulnerability. It also spurred a wave of automotive cybersecurity legislation and permanently changed how regulators and manufacturers view the risks of connected vehicles.[10]
