This article expands on the attacks we are already familiar with; the takeover of household IoT devices to generate denial of service attacks or monitor the household. It is likely that as IoT devices become the source of product acquisition and payment, criminals will discover new ways to attack that directly steals products or funds.
Mobile devices already suffer from attacks implemented during the provisioning process and remain vulnerable to SIM attacks. Criminals may find it profitable to take over the IoT devices identity so that any purchases the criminal makes are directed back to the IoT devices original owner and account.
This article focuses on network security practices and also touches on device software security, but forgets to mention that many IoT device manufacturers often upgrade manufactured devices frequently and then declare all other products have reached their end-of-life and will no longer be upgraded:
“IoT devices’ relative cyber weakness is due to several factors. First, IoT devices often have specialized operating systems. Unlike desktop or server OSes, these systems are less widely supported and not as well-understood by security professionals and the IT world at large. This means security flaws will be found less frequently and the patches for those vulnerabilities will be offered less often—sometimes not even at all. And even when patches are available for IoT devices, they may not be installed in a timely manner. There is no “Patch Wednesday” for IoT devices and unless someone carefully follows the vendor’s advisories, they may not be aware a patch exists at all. And just because a company’s security staff is aware their devices need patching, management might not be in a hurry to do it; if it requires taking key production equipment offline, that could cause pushback on update windows. Updates for IoT devices are often trumped by the steady need for patches on mainstream devices. So this can cause a dangerous stew of conditions, with IoT devices being ripe for exploitation from anyone who comes onto the network, including your third-party vendors.”
Overview provided by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group.