Social engineering attacks you might see in the IoT

By on Mar 04, 2015

Futher to my last post about social engineering in the IoT; here are a couple of attack scenarios that we might easily see emerge.

Attack scenario 1: Reflected targeting and compromise

Things are often too limited in processing and memory to compromise and manipulate to large effect. What is more, they might not have information of intrinsic value to criminals: however, they might serve as a highly effective social engineering platform to drive the compromise of the powerful computing platforms in the home or business.

Consider this: a threat agent gets control of a eco-system of things: say they compromise the cloud-based services bundled with an IoT product, like patching or content management. Smart TVs do exactly this. Suppose the threat agent gains control of the cloud-services, or maybe only the network elements which allows information to be injected into the data flows between the smart TVs and the the cloud services. The threat agents triggers a message to all the smart TVs, which is displayed the next time they start:

 Your TV requires a software upgrade.

For your security, it will stop working in 60 minutes, until upgraded.  

Please go to and download the patching software, and run it from any Windows computer on the same network as this TV.


Imagine variations of this theme, displayed via the device control panel of just about any “cloud-enhanced” Thing (which is most of them).

This amounts to “IoT-phishing”. Most people (but certainly not all) know that phishing emails with these sorts of instructions are to be ignored and discarded. But what the instructions comes from your smart IoT device?  Most people have no experience of a smart device as an attack platform, and have no reason to be suspicious. And they love their TV: “My amateur dancing show starts in 45 minutes!!”

And an additional factor associated with this attack is that it might side-step conventional security systems like desktop email protection and anti-virus, malware and URL reputation-blocking. Why? Because the attackers are not using email as the social engineering platform – the attack involves what amount to an out-of-band delivery channel, relative to where we have invested in security.   The good news is that conventional security systems may provide protection against the download of malware to the desktop systems, even if they are unable to address the initial social-engineering attack. But maybe not, and certainly not early in the spread of the attack.


Attack scenario 2: IoT stored-value attacks

There are many stored-value systems in the world already, and the prevalence of these systems is growing to the point that they are even considered forms of “shadow banking”. Vendors like Apple and Starbucks accept and manage pre-paid cash deposits to facilitate later purchases, without the hassle of entering (or clearing) credit card data. The same business-benefits will be adopted by makers of Things, who will move to create ecosystems and stored-value accounts to lock in customers and their money.[1]

For example: your (future) smart espresso machine.   It comes embedded with a small touch screen for not only controlling the way it makes espresso, but also enables you to buy more of the coffee which comes in special pods. This system will certainly be linked to a cloud-based portal over the Internet. The portal may or may not have good security, and the espresso device may or may not have any security at all.   Assume that either the cloud service or the smart espresso machine is compromised. The device might be compromised by a local attack, originating from a desktop or laptop or mobile app inside the home network which has been specially developed to identify and then attack the (very popular) machine.

Once compromised the espresso Thing displays a message that says “50% off coffee pods. 1 Day Sale”.   “Please enter your espresso account PIN to make your purchase”. Enter PIN into the machine like you normally do to order, which opens the trusted local storage and releases account data.  Unfortunately, at this point the account data is captured, or possibly the order is changed in the cloud-portal from a purchase to a “gift”. The bad guy then transfers the account’s stored-value out to a “friend” account using the portal’s “send a gift” feature! Or merely accepts the gift you have sent as a result of the compromised device interface. All the stored value is now gone from your account. If you have some sort of auto-recharge feature enabled, maybe the processes gets repeated dozens of times before someone notices!

Meanwhile, the new “friend” has been receiving the gifts and converting them into goods (expensive new espresso machines, other merchandise) at many different storefronts or has the goods sent to shipping “relays” who forward the stolen goods onwards. (This is a well known technique on the internet.) Remember that stealing $25 at a time, 100,000 times is a $2.5 million in retail-value – probably $500,000 or more once fenced? Not bad.

[1] As an aside, the Bank of England published a Research paper Feb 3, 2015 which discussed the possible adoption of crypto currencies (like Bitcoin) for use by central banks to support national currencies. This was covered in what they called “Theme five: Central bank response to fundamental technological, institutional, societal and environmental change.”

About the Author


We're here to make life online safe and enjoyable for everyone.

Read more posts from McAfee

Subscribe to McAfee Securing Tomorrow Blogs