In the 1990s PC-based cybercrime started as "benign" DDoS attacks and pranks by young programmers showing off their skills - aided by the non-existent security posture in Windows-based computers. (We can all look back fondly on the benign worms like the "Kournikova Worm".) However, by the late 90s and early 2000s cybercrime organizations started to monetize vulnerabilities by releasing targeted malware and spyware viruses/worms that rapidly spread. "Phishing" became a highly lucrative business. "Love Letter", "MyDoom" and "Conficker" were a bit more nefarious.
As Patrick Gray, the host of "Risky Biz", has astutely pointed out on several of his shows, we are going to see the same evolution with regard to IoT!
1st Wave: Curiosity and Novelty
In 2012 an anonymous researcher performed the "Internet Census of 2012". This was an effort to not just scan the entire publicly accessible internet but also scan "internal" networks. To accomplish this, the researcher created a botnet of 400,000+ embedded devices and used those devices to carry out the scan. While the ultimate use of the botnet was benign, many in the security industry saw this as the first rumblings of an imminent seismic shift.
2nd Wave: Distributed Denial of Service Using IoT
In October of 2016 we saw some of the largest DDoS attacks powered by IoT: botnets comprised of consumer IoT devices first took down KrebsOnSecurity and, a week later, Dyn, which provides DNS services for websites such as GitHub, Reddit, Netflix, etc. While that was rather an inconvenience, future attacks may be far more costly.
3rd Wave: Monetized IoT Malware
There are several ways of monetizing an army of bots: DDoS for hire, ransomware, email spam as well as ad click fraud. While botnets are not new, the abundance of insecure (and insecurable) Internet of Things devices gives this problem a new scale. A recent paper looked at how industrious botnet operators are tapping into society's vanity and social media obsession to profit from Instagram "follows".
As we shift from unsophisticated actors to professional (and possibly state-sponsored) attacks on embedded devices, the stakes get higher. There have been reports of IoT devices coming preinstalled with cryptocurrency miners and other kinds of malware. Cybercrime gangs are clever at finding ways to make money with different kinds of access. We sometimes forget that IoT is everywhere. It is not just in our homes: connected industrial controllers (ICS) automate our factories and power plants. (Remember: "ICS is IoT"!) Our doctors rely on smart medical equipment and our cities are becoming "smart cities".
Imagine all the kinds of IoT- or ICS-specific ransomware that could exist. Scary stuff...