Gartner tells us that 6.4 billion internet connected devices were in use worldwide in 2016, and that figure will reach 20.8 billion by 2020. That equates to nearly 10 million new devices being connected every single day for the next 4 years, massively expanding the potential attack surface of unsecured devices. As these devices proliferate, we must consider the vulnerability of the devices and the veracity of the data they generate.An insecure IoT device connected to a corporate network is just another computer that can offer a point of ingress for attackers. Once compromised, an attacker can use an IoT device to gather information from the network or launch attacks against other systems. However, unlike most networked computers, the Internet of Things device is unlikely to have anti-virus software or security software installed on it. This means that an attacker can lurk there for extended periods with little risk of discovery. Criminals are aware of the opportunities posed by the IoT. They have “recruited” poorly secured IoT devices to form the Mirai botnet, which launched the largest denial of service (DoS) attack in history, using the stolen computing power and Internet connectivity of insecure devices to disrupt services offered by Twitter, Paypal, Spotify and other sites off and on over an entire day. Criminals have also compromised vulnerable digital video recorders used in closed-circuit television (CCTV) systems. Not to wipe incriminating video surveillance footage, but to install malware to steal processing capacity and use it to mine bitcoins in order to make money.Not only may the devices themselves be vulnerable, but the systems that use data collected from Internet of Things devices can be leveraged to conduct some interesting attacks. For example, a team of Israeli researchers discovered that they could fool traffic information systems into believing that there was a fake traffic jam by spoofing traffic data from bogus IoT devices.

Insecure Internet of Things devices that interact with the physical world can be compromised to alter their function. For example, electronic hotel locks allow visitors to use keycards to access their rooms. However, the communications port on these devices can be hacked to take advantage of inadequate security features on the lock to allow anyone with the necessary knowledge to open the door without a key.

Even unlikely items such as toys and homeware can be considered as IoT devices, and found to include network vulnerabilities. Hackers can compromise a connected Barbie to spy on you, and subvert baby monitors to monitor you and your children. You can even be “watched” through your Smart TV.