This is the second part of a blog series on IoT security. Part I described the security problems in IoT; this part explains technically how the information stolen from IoT users can be monetized.
The IoT security challenges described in part I give rise to unprecedented risks. Mischievous parties could remotely trigger havoc inside an IoT user’s physical environment: burning down houses by hacking microwave ovens, remotely turning off home security systems, or, for the sake of fun, just causing devices to work in an irregular manner. These are just a few examples of IoT hacking that cyber criminals could use. The possibilities are endless, limited almost only by one’s imagination.
The associated risks would also extend to the internet used by the common man. On a daily basis, websites already violate user privacy by tracking a user’s activity: what you search for, what links you click on, what websites you visit. This valuable data can be sold to commercial companies, which in turn use analytics to build user profiles and serve targeted ads to their audience. However, with the data generated by IoT products, these profiles would contain not only cyber-activity logs but also physical activity data for the user. A person using a pacemaker could now be targeted by insurance companies with specific schemes, even though he or she would not want others to know about the medical condition.
On the Dark Internet, a major chunk of content is based upon selling stolen credit card information and user credentials. The Dark Internet also provides services for DDoS attacks and for hacking accounts and websites for a fee. With the increasing adoption of IoT, we might see the rise of a new kind of data on these sites: data stolen from IoT products would provide an entirely new set of information to be used for malicious purposes. There could be malware and viruses written specifically for IoT products, which may go on to cause physical damage to life and property. Consider a botnet capable of infecting a pacemaker device. It requires only a single command to cause irregularities in the pacemaker’s functionality, thereby giving malicious parties the nefarious power to carry out mass murder.
We, as a security concern, believe that the industry can definitely reduce the risks associated with using IoT devices by tackling the aforementioned known security problems in the IoT ecosystem at different stages, such as manufacturing and custom-designed security quality assurance testing, to ensure the maximum security of IoT devices at the software level up until the device reaches the user.
Priyal Viroja, Vulnerability Researcher, K7TCL