
How IoT Is Used for Identity Theft — And How to Stop It

Devin Partida

- Last Updated: January 30, 2025


Cybercriminals typically go after data brokers, credit reporting agencies, financial institutions, and employers to steal social security numbers, bank account details, or medical insurance account numbers. 

Why are they starting to use the Internet of Things (IoT) instead? What are the implications for smart technology users?

IoT Vulnerabilities

While device manufacturers face an ever-increasing pile of privacy and security regulations, many IoT nodes are still vulnerable to cyber threats.

Weak authentication is among the most common weaknesses, since many devices ship with default passwords, and end users either forget or don’t know how to change them.

There are also classic software and firmware vulnerabilities. If left unpatched, even low-level ones can pose a threat. While these may seem unimportant, there’s no telling what personally identifiable information (PII) hackers already have. 

They may only need a birth date or account password to make users susceptible to identity theft. The longer issues go unpatched, the greater the risk. 

Even if an unpatched vulnerability doesn’t exist, sophisticated cybercriminals can always hack something directly through exploits. They can use the compromised internet-enabled device to watch or listen to the owner to steal sensitive information or laterally move through the network to infiltrate other devices. Either way, they can gather PII.

While a person’s data is technically at risk whether they store it locally or in the cloud, transferring it to cloud servers is risky. 

Weak data transmission protections enable man-in-the-middle attacks like eavesdropping, allowing hackers to view and exfiltrate financial, personal, or medical information. They can piece this data together to steal identities.

Best Practices for Securing IoT Devices

Following these best practices can help you safeguard your identity against cyber threats.

Segment IoT Devices 

The 2.4 GHz band is almost universally supported by IoT devices, while many will not even connect to 5 GHz. This is fine — great, even. Many modern routers combine 2.4 GHz bands and 5 GHz bands, assigning devices to one or the other as necessary. 

This feature lets you manually segment IoT devices on their own 2.4 GHz network, preventing lateral movement.

There is a bonus: combining the bands can cause congestion, leading to interference and bottlenecks that adversely affect performance. On top of securing your network, you keep things running smoothly.

Plus, since 2.4 GHz supports lower data transmission rates, you may see early indicators of compromise.

Periodically Update Passwords

When was the last time your PII appeared in a breach? Unfortunately, there’s almost no way to know. Following secure password practices can help you prevent data breaches. 

Passwords should be at least 12 characters long, using a combination of special characters, letters, and symbols.

Automate Network Monitoring

Continuous network monitoring is critical. It’s one of the most essential best practices you can follow. Automation is key, especially if you have smart devices at home or bring your own to work. 

You can detect and stop suspicious activity immediately, preventing attackers from accessing the sensitive data that would enable identity theft.
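As an added example (not from the original article), the sketch below shows what automated monitoring of a segmented IoT network can look for: a device reaching another internal network, and a device sending far more data out than a low-bandwidth node normally would. The subnet layout, the flow-record format, the upload threshold, and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed layout (not from the article): the home uses 192.168.0.0/16, IoT devices
# sit on 192.168.20.0/24, and the router exports "timestamp src dst dst_port bytes".
HOME_NET = ipaddress.ip_network("192.168.0.0/16")
IOT_NET = ipaddress.ip_network("192.168.20.0/24")
UPLOAD_LIMIT = 5_000_000  # assumed ceiling on bytes one device sends out per log window

# Constructed sample records (documentation-range external addresses), not real traffic.
SAMPLE_LOG = """\
2025-01-30T10:00:01 192.168.20.15 203.0.113.9 443 18000
2025-01-30T10:00:04 192.168.20.15 192.168.10.5 445 2400
2025-01-30T10:00:09 192.168.20.22 198.51.100.7 443 7200000
2025-01-30T10:00:12 192.168.20.22 192.168.20.1 53 120
2025-01-30T10:00:15 192.168.10.5 203.0.113.40 443 90000
truncated-line 192.168.20.15
"""

def analyze(log_text):
    """Return (kind, source, detail) alerts for traffic leaving the IoT segment."""
    alerts = []
    uploaded = defaultdict(int)
    for line in log_text.splitlines():
        try:
            _ts, src, dst, port, size = line.split()
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port, size = int(port), int(size)
        except ValueError:
            continue  # skip malformed or truncated records
        if src_ip not in IOT_NET or dst_ip in IOT_NET:
            continue  # only flows that leave the IoT segment are in scope
        if dst_ip in HOME_NET:
            # An IoT device reaching another internal network defeats segmentation.
            alerts.append(("lateral", src, f"{dst}:{port}"))
        else:
            uploaded[src] += size  # bytes sent to the internet by this device
    for src, total in sorted(uploaded.items()):
        if total > UPLOAD_LIMIT:
            # Low-bandwidth devices rarely send this much; treat it as an early indicator.
            alerts.append(("volume", src, str(total)))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

Run on a schedule against the router's exported flow log, a check like this turns segmentation into something you can verify rather than assume.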

Update Software and Firmware

Unpatched vulnerabilities are highly common entry points for cybercriminals. Regularly update your software and firmware, even on devices like smart toasters or fridges where you think updates are pointless. This way, you eliminate the most straightforward entryways.

If you receive over-the-air updates, know that they can introduce vulnerabilities into an otherwise secure environment, enabling man-in-the-middle attacks. 

If you can, consider turning this feature off and performing updates manually. While the risk isn’t great, minimizing your attack surface is smart.

Is Identity Theft a Real Risk of IoT Usage?

If cybercriminals can access your PII, they can steal your identity. They only need your name, address, and birth date. 

Getting details like your mother’s maiden name, social security number or bank account password is more challenging but not impossible, especially if they can spy on you.

IoT devices collect a literal wealth of data every day, even considering PII is available for a mere $8 per record on the dark web. 

Whether your smartwatch doesn’t encrypt your messages or your third-party webcam overhears your conversations, bad actors can eventually gain access to sensitive details.

Besides, fraudsters only need your social security number now. In synthetic identity theft, they make up the finer details like your name, address, and birth date, which makes it easier for them to fly under the radar longer.

With the rise of cybercrime-as-a-service and machine learning technology, cybercriminal groups are likely to make a market out of identity theft. IoT will become a more attractive attack method once it’s in the homes of almost every person. Already, about one in five people experienced identity theft in the U.S. in 2021.

Statistically, it’s only a matter of time until it happens — don’t make it easier by leaving your IoT devices unsecured. Thinking of every internet-enabled node in your home as an entry point for cybercriminals may help you understand the gravity of the problem.

Cases Where IoT Led to Identity Theft

Although no large-scale cases of IoT-driven identity fraud are happening yet, countless breaches have compromised PII, enabling cybercriminals to steal victims’ identities.

Device Manufacturers Don’t Enforce Security Measures

In 2023, the Federal Trade Commission revealed Ring — the manufacturer of popular home security and smart home devices — lets insiders hack private videos. Its subpar security enabled employees to spy on unsuspecting customers. 

Some reportedly made the videos public to online cybercriminals, who harassed, insulted, and even propositioned victims.

Attackers Use IoT as the Vehicle to Aggregate PII

Two Harvard students — AnhPhu Nguyen and Caine Ardayfio — recently demonstrated how smart glasses, facial detection software, and artificial intelligence can aid in identity theft. 

It took them just 1.5 minutes to find a stranger’s name, home address, phone number, and relatives. They simply looked at the individual and had access to all publicly available data.

What’s worrying is the students said it took no more than four days to code this seemingly complex system, meaning sophisticated cybercriminals could easily replicate their work. 

Plus, while they used advanced smart glasses, their strategy can work on any phone, tablet, or camera with a recording function.

Hackers Exploit an IoT System’s Security Weaknesses 

In a paper for the International Conference on Advancement in Computation & Computer Technologies, one research group revealed smartwatches running on Bluetooth low energy have little to no security measures, making them vulnerable to man-in-the-middle attacks.

If you have a wearable like a fitness tracker or smartwatch, think of how often it’s with you. Does it have access to your texts? Can it record audio? Whatever you do on it — or in proximity to it — may be watched or listened to by bad actors.

Securing IoT to Stop Identity Theft

Although technology use inherently comes with risks, you don’t need to gamble your identity to enable your air conditioning system remotely or give a command to your speaker. 

Before you throw out every device in your home that starts with “smart,” consider following IoT security best practices. Securing vulnerable systems is possible — it just takes time and effort.
