Terrorists
While terrorists are known to focus on physical attacks to promote terror, it is only a matter of
time before they increasingly begin to leverage vulnerabilities in infrastructure accessible to
the Internet. One recent example of this was the 2013 attack against the New York Times,
Twitter, and the Huffington Post by supporters of the Syrian government called the Syrian
Electronic Army. The attackers were able to compromise the credentials used to set up DNS
records for the domain names of the websites to cause disruption of service.
Cyberterrorists will be drawn to the notion of leveraging IoT devices to promote fear and
disruption. Targeted attacks are likely to focus on individuals or families who are well known
so that the attacks will obtain maximum news coverage, thereby promoting fear. Life-
sustaining health devices such as pacemakers are increasingly configurable remotely and have
been demonstrated to be vulnerable to attacks.
The emergence of of smart cities, where similar technologies are used in tandem to
reduce resource consumption and promote well-being, are also going to be of interest to this
group. High-rise condominiums and homes that support the concept of smart cities are likely
to use the same hardware products to increase efficiency and interoperability. This means that
a known vulnerability in a remotely accessible IoT device can be leveraged across the city.
Such scenarios are likely to be abused by these threat agents to promote terror by causing
blackouts, locking or unlocking doors, controlling cars, and making fire alarms go off. It is
therefore crucial for designers to think through the motives of possible agents who could be
leveraging their devices.
For example, it is clear how important it is for IoT-based lighting system architects to con-
sider ways in which their systems might be targeted and used by malicious agents and to
design security proactively.
Criminal Organizations
Private criminal organizations have been known to be quite resourceful and sophisticated.
The primary motive of this type of agent is financial gain by stealing money or intellectual
property (which can be sold to the victim’s competitors).
In February 2015, the security firm Kaspersky announced that it had uncovered criminal
activity by an organization that was able to steal $1 billion from banks around the world by
infecting computers with malware. Banks targeted included ones in Russia, the US, Germany,
China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the
United Kingdom, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, the Czech Republic,
Switzerland, Brazil, Bulgaria, and Australia. The average attack yielded the criminals $10 mil-
lion. The thieves were even able to seize control of banks’ ATMs and order them to dispense
cash at a predetermined time.
Connected devices are fantastic targets for private criminal organizations because they
can help them gain a foothold into the target’s internal network. This access can be further
leveraged to attack workstations on the internal network to obtain access to intellectual prop-
218 CHAPTER 7: SECURE PROTOTYPING—LITTLEBITS AND CLOUDBIT