Strip 4: Touch And Go
This comics-based toolkit is designed to help journalists and other members of the media understand how the IoT may threaten their work through a hypothetical scenario. Please note, all the ways in which the IoT is depicted and used maliciously are based on real-world evidence and examples. Citations are at the bottom of the page.
Each page of this toolkit (start with strip 1) takes one strip from the Senses of Security comic and goes into detail about the IoT threats the journalist-protagonist (J) is facing. The toolkit breaks the strips down into annotated panels to help you better understand the threats that may be relevant to you, and how you could mitigate these dangers to protect yourself.
If you’re interested in bespoke training for yourself or your organisation, please get in touch!
J’s sudden awareness of IoT risks has made her choose a common countermeasure: ridding herself of all the IoT devices she owns, and those owned by the news organisation.
What threats are in this panel?
Threat 1: Data harvesting from decommissioned devices
You don’t have to burn your devices like J and her colleagues decide to do, but decommissioned devices can pose a serious threat: if they are not properly and fully wiped of all history, they may retain sensitive local data or even cloud access long after being unplugged. Without such wiping, determined “dumpster divers” could fish out devices and recover confidential information stored either in the device’s local memory or in the cloud, through the device.
Making this harder to avoid, many devices have no obvious reset button, and the physical device may be an easy entry point to the user data still retained by the device’s managing company.[1]
What can you do about these threats?
Clear reset mechanisms and secure disposal protocols are key, and in this case, J hopes that her scorched earth strategy will ensure that any memory, linked accounts, or credentials are burned to a crisp.
When asked about the tools and techniques they employ to defend against IoT exploitation, every expert Anjuli spoke to for this research confirmed that their primary approach to risk mitigation was to minimise interactions with IoT devices and return to analogue methods of data collection, communication and storage.[2]
What threats are in this panel?
Threat 2: Botnet Creation
A botnet is a vast army of co-opted IoT devices scattered across the world. These devices, poorly secured and likely rarely updated, can be infected and conscripted into coordinated action, often without the knowledge of each device's owner. Though each device is low-powered, collectively they form a powerful force capable of launching Distributed Denial of Service attacks, exfiltrating data, and taking down well-secured infrastructure.
There is currently no legal or financial incentive for manufacturers to encrypt data or otherwise increase the security of purchased devices; this leaves endpoint management unsupported, as devices run out-of-date firmware or software that can be exploited through well-known channels.[3]
In this case, the botnet will be weaponised to disrupt the digital infrastructure J and her fellow journalists rely on, potentially taking down internal newsroom systems or blocking access to sources and files. The same network could be used to target journalists online via troll armies who spread disinformation.[4]
Any of these activities can be devastating for individual journalists and for news organisations, both of which might lose access to vital devices or systems for indeterminate periods of time, and face the possibility that data held on those systems has been compromised.[5] Further, botnets could be used to launch large-scale online attacks on members of the press.[6]
However, despite J’s drastic efforts, the world around her still features a growing number of IoT devices, many of which capture her data without her consent or control…
What can you do about these threats?
J declares her next move: dragging the Adversary and the sprawling, opaque IoT threat landscape into the public eye. This marks a shift from defence to strategic exposure, as journalists reclaim power through transparency.
One key tactic is intelligence sharing, i.e. building peer-to-peer networks across the media ecosystem, linking reporters, editors, legal teams, and digital security specialists. By doing this, journalists can share real-time threat intel, practical countermeasures, and attack trends.
Another important countermeasure is top-down education. Newsrooms, unions, and civil society organisations must not only stay current on evolving IoT threats but also actively disseminate this knowledge to both the press and the public. The goal isn’t just to protect individual journalists, but to expose the systemic vulnerabilities and political implications of an unchecked IoT ecosystem.
If an IoT device is deemed essential by corporate IT, it should be purchased and maintained by the news organisation, to ensure consistently optimal security.
Citations
[1] Wright L (2017) Economic Espionage and Business Intelligence. In: Wright L (ed.) People, Risk, and Security: How to Prevent Your Greatest Asset from Becoming Your Greatest Liability. London: Palgrave Macmillan UK, pp. 91–105. DOI: 10.1057/978-1-349-95093-5_7.
[2] Shere A, et al. “Security should be there by default”: Investigating how journalists perceive and respond to risks from the Internet of Things. In: The 5th European Workshop on Usable Security (EuroUSEC 2020). Available at: https://eusec20.cs.uchicago.edu/eusec20-Shere.pdf
[3] Hoffmann S (2018) IoT Security Architecture and Policy for the Home - a Hub Based Approach. 15 November. Oxford, United Kingdom: IoT Security Foundation. Available at: https://oxil.uk/publications/iotsf-security-architecture-home/IoT-Security-Architecture-and-Policy-for-the-Home-a-Hub-Based-Approach.pdf (accessed 12 August 2020).
[4] Cimpanu C (2016) A Massive Botnet of CCTV Cameras Involved in Ferocious DDoS Attacks. softpedia, 27 June. Available at: https://news.softpedia.com/news/a-massive-botnet-of-cctv-cameras-involved-in-ferocious-ddos-attacks-505722.shtml (accessed 23 October 2020).
Krebs B (2016) KrebsOnSecurity Hit With Record DDoS — Krebs on Security. Available at: https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ (accessed 23 October 2020).
Rizvi S, Kurtz A, Pfeffer J, et al. (2018) Securing the Internet of Things (IoT): A Security Taxonomy for IoT. In: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), August 2018, pp. 163–168. DOI: 10.1109/TrustCom/BigDataSE.2018.00034.
Smith S (2017) The Internet of Risky Things: Trusting the Devices That Surround Us. 1st ed. Sebastopol, CA, USA: O’Reilly Media, Inc.
[5] McGregor S (2016) Why DDoS attacks matter for journalists. Available at: https://www.cjr.org/tow_center/journalists_ddos_hack_passwords.php (accessed 15 November 2020).
[6] Agrafiotis I, Nurse JRC, Goldsmith M, et al. (2018) A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate. Journal of Cybersecurity 4(1). Oxford Academic. DOI: 10.1093/cybsec/tyy006.
Gulzar M and Abbas G (2019) Internet of Things Security: A Survey and Taxonomy. In: 2019 International Conference on Engineering and Emerging Technologies (ICEET), Lahore, Pakistan, 2019, pp. 1–6. IEEE. Available at: https://ieeexplore.ieee.org/document/8711834. p. 2.