contains an accelerometer that can be used to detect if it has been captured by a third party. In
that case, Snoopy can be configured to self-destruct by erasing the contents of the hard drive
on the computer attached to the drone.
With researchers being able to demonstrate how UAVs can be leveraged to track people by
capturing signals from smartphones and potentially life-sustaining devices such as pacemak-
ers, it’s easy to imagine how drones could be leveraged by heavily funded groups such as state
governments and sophisticated criminal gangs. As UAVs continue to evolve in the military
and the private space, it is quite probable that they will be used by a variety of agents to gain
access to devices and networks. In this book, we have seen many different examples of IoT
devices that require no authentication or authorization if the attacker has access to the local
WiFi network. The many such popular IoT devices already in existence are going to be a juicy
target for individuals and well-funded criminal agencies whose aim is to capture data and pos-
sibly compromise people’s physical safety.
Cross-Device Attacks
Many people utilize a slew of computing devices on a daily basis—smartphones, personal and
employer-issued laptops and workstations, and tablets—to get their professional and private
work done. Quite often, data is synced across multiple devices so the users have access to all
their information regardless of what device they’re using. For example, users may back up
their smartphones onto their personal laptops. Another example is using a service such as
iCloud to sync documents, application settings, and contacts across devices. This creates a sit-
uation in which an attacker may be able to leverage one device that has been compromised to
access information that is stored on another device or synced across devices via the cloud.
Imagine a situation in which a physician stores information about a patient in a docu-
ment hosted on Dropbox. If the physician’s desktop were to be compromised using a phish-
ing attack, the attacker could modify the contents of the document, perhaps to alter the dosage
of a medication. This document would have its updates synced across other devices, such as a
tablet that the physician might use while on duty. The tablet might be configured to have full
disk encryption and additional security controls deployed by the physician’s employer, but
these controls would be ineffective in this situation since the document was compromised on
the doctor’s desktop and automatically synced to the same Dropbox account on the tablet. This
illustrates how the compromise of a single device in a user’s ecosystem can be leveraged to
negatively affect the integrity of data on other devices.
Local backup files from smartphones and tablets that may be stored on workstations and
laptops are also a juicy target for attackers. In Chapter 4, we analyzed the token called
access_token used by the SmartThings iOS app, which is issued by the server upon success-
ful authentication and remains valid for 18,250 days. An attacker who is able to compromise a
SmartThings user’s workstation or laptop could potentially steal such a backup file and collect
the access_token, which would be likely to work since it is valid for so long.
CROSS-DEVICE ATTACKS 233