IoT hacks humans - unexpected angles of Human Process Compromise
2024-10-23 , Europe - Main Room

Hacking humans with IoT? It is happening now and will only scale. The rapid evolution of AI technologies, mass development and production of IoT equipment which is interconnected and can be orchestrated on backend by massive AI platforms which are sourcing, processing and cross-correlating personal and sensitive data completely changes human vs computer paradigm. No chip implant is needed to control a human, unlike it may be commonly believed. As long as enough biometric and behavioral information is collected on human beings, they and their social contacts can be completely manipulated in predictable manner. The environment of connected society is a perfect stage, where the humans are exposing their harvestable biometric and behavior profiles, by publishing content in social media or giving up the IoT devices around the things which they are reluctant to share with their closest friends. This is the new battle ground where our digital identities are appearing and exposing our strengths and weaknesses at the same time. Those identities can be created, stolen, or replicated without our consent by criminals and state sponsored actors, appear in the places we are not aware, and leveraged to target our digital presence and physical life.

By connecting the dots between generative AI, predatory advertisement companies, biometric data harvesting and Human - IoT interactions – we demonstrate the significant expansion of the attack surface against humans and social groups. Disinformation, public opinion manipulation, virtual kidnapping, exploitation of human digital identities are the fruits of the same tree. The data collected and processed in the IoT based smart environments is a gold mine for criminals and state sponsored actors to manipulate humans the way and at the scale which was impossible before.

The presentation is focusing on the attack scenarios and case studies of targeted individuals, social groups that we either have observed or to observe in the wild, including election campaigns in social media, assets take over, extortion. The consequences of attacks lead to behavior changes and actions in both, physical and digital world including changing the decisions, social engineering, exfiltration of sensitive information, choosing most vulnerable targets to attack high security environments, swaying opinions, affecting elections and other critical events, that may change the history. We will also cover both, defense options and choke points related to the expanded attack surface.


  1. Introduction (4m)
    - Human Process Compromise is Business Process Compromise moved one step closer to the human.
    -- Why Human Process Compromise is a fragile chain under Business Process Compromise umbrella
    -- How HPCs completely bypass this entire classes of security measures.
    - IoT angle of HPC - What IoT knows about humans.
    - Technology enablers for attacks
    - Techniques to manipulate humans and public opinions.
  2. Tools and technologies used (6m)
    - Use of the connected world data to choose appropriate targets.
    -- Profiling humans for criminal monetization attacks
    -- Choosing a targets for espionage operations
    -- Affecting critical events, like elections
    - Weaponization - extracting human, social groups and society habits and weaknesses to target
    - Actions on target - empowering and boosting manipulation techniques with IoT and connected world data.
    -- Boosting Fake News and Opinion manipulation campaigns with IoT data
    -- Reshaping Identity linked attack surface like bank account MFA, voice authentication, SIM card based identities using HPC.
    -- Targeting physical events.
    - Required knowledge, technologies and cost of operations.
  3. Connecting the dots: Attack scenarios and cases studies (15 m)
    - Underground actors approach and criminal monetization
    -- Services and Technologies: use and abuse of big data, generative AI, Biometrics, PII, voice, face, source phone number substitution, IoT and cloud IoT technologies and credentials market.
    -- Typical targets (victims) and attack scenarios
    -- Criminal business processes and monetization options
    - State sponsored attack scenarios
    -- Espionage with HPC
    -- Forced and disruptive physical actions against critical assets
    -- Manipulations of negotiations outcomes
    -- Manipulating the crowds and societies attack scenarios.
    - Privacy breaches scenarios which leverage IoT connectivity(4m)
    How to deal with it (3m)
    Conclusion(2m)
See also: Slides (6.4 MB)

Vladimir Kropotov is an Advisor and Sr. Researcher with the Trend Micro Forward-Looking Threat Research team. Active for over 20 years in information security projects and research, he previously built and led incident response teams at Fortune 500 companies and was head of the Incident Response Team at Positive Technologies. He holds a master's degree in applied mathematics and information security. He also participates in various projects for leading financial, industrial, and telecom companies. His main interests lie in network traffic analysis, incident response, and botnet and cybercrime investigations.