The nature of crime is changing—estimates suggest that at least half of all crime is now committed online. Once everyday objects (e.g. televisions, baby monitors, door locks) that are now internet connected, collectively referred to as the Internet of Things (IoT), have the potential to transform society, but this increase in connectivity may generate new crime opportunities. Here, we conducted a systematic review to inform understanding of these risks. We identify a number of high-level mechanisms through which offenders may exploit the consumer IoT including profiling, physical access control and the control of device audio/visual outputs. The types of crimes identified that could be facilitated by the IoT were wide ranging and included burglary, stalking, and sex crimes through to state level crimes including political subjugation. Our review suggests that the IoT presents substantial new opportunities for offending and intervention is needed now to prevent an IoT crime harvest.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Tax calculation will be finalised during checkout.
Subscribe to journal
Immediate online access to all issues from 2019. Subscription will auto renew annually.
Tax calculation will be finalised during checkout.
In computer science, conference papers undergo a rigorous peer-review process.
Due to page constraints, only example citations are included in the text. More details of the full set of papers reviewed can be found in the electronic supplementary material.
To be clear, we only used additional references not identified through the systematic search to provide further context about crimes identified through the systematic search.
Agadakos, I., C.-Y. Chen, M. Campanelli, P. Anantharaman, M. Hasan, B. Copos, et al. 2017. Jumping the Air Gap: Modeling Cyber-Physical Attack Paths in the Internet-of-Things. In CPS-SPC’17, Vol. 17.
Aktypi, A., J.R.C. Nurse, and M. Goldsmith. 2017. Unwinding Ariadne’s Identity Thread: Privacy Risks with Fitness Trackers and Online Social Networks. In Proceedings of the 2017 on Multimedia Privacy and Security, 1–11. Dallas, TX, USA.
Aljosha, J., U. Johanna, M. Georg, V.G. Artemios, and W. Edgar. 2017. Lightweight Address Hopping for Defending the IPv6 IoT. In Proceedings of the 12th International Conference on Availability, Reliability and Security—ARES’17, 1–10.
Amin, S.M., and A.M. Giacomoni. 2012. Smart Grid-Safe, Secure, Self-Healing. IEEE Power & Energy Magazine 10: 33–40.
Anand, S.A., and N. Saxena. 2016. Vibreaker: Securing Vibrational Pairing with Deliberate Acoustic Noise. In Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks, 103–108.
Bachy, Y., F. Basse, V. Nicomette, E. Alata, M. Kaaniche, J.C. Courrege, and P. Lukjanenko. 2015. Smart-TV Security Analysis: Practical Experiments. In Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Smart-TV, 497–504.
Badenhop, C.W., B.W. Ramsey, B.E. Mullins, and L.O. Mailloux. 2016. Extraction and Analysis of Non-volatile Memory of the ZW0301 Module, a Z-Wave Transceiver. Digital Investigation 17: 14–27.
Banafa, A. 2016. Internet of Things (IoT): Security, Privacy and Safety. https://datafloq.com/read/internet-of-things-iot-security-privacy-safety/948.
BBC News. 2017a. EU Clamps Down on Social Media Job Snoops. https://www.bbc.co.uk/news/technology-40592516.
BBC News. 2017b. Man Jailed for Hacking into Jennifer Lawrence’s Online Account. http://www.bbc.co.uk/newsbeat/article/38741309/man-jailed-for-hacking-into-jennifer-lawrences-online-account.
BBC News. 2018. West Midlands PCC Calls Car Security Summit. http://www.bbc.co.uk/news/uk-england-birmingham-43737877.
Blythe, J.M., and L. Coventry. 2018. Costly But Effective: Comparing the Factors that Influence Employee Anti-malware Behaviours. Computers in Human Behavior 87: 87–97.
Blythe, J.M., and S.D. Johnson. 2018. Rapid Evidence Assessment on Labelling Schemes and Implications for Consumer IoT Security. DCMS: London. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747296/Rapid_evidence_assessment_IoT_security_oct_2018.pdf.
Blythe, J.M., S. Michie, J. Watson, and C.E. Lefevre. 2017. Internet of Things in Healthcare: Identifying Key Malicious Threats, End-User Protective and Problematic Behaviours. In Proceedings of the 3rd Digital Health Conference 2017, London, UK.
Blythe, J.M., N. Sombatruang, and S.D. Johnson. 2019. What Security Features and Crime Prevention Advice is Communicated in Consumer IoT Device Manuals and Support Pages? Journal of Cybersecurity 5 (1).
Bugeja, J., A. Jacobsson, and P. Davidsson. 2017. An analysis of malicious threat agents for the smart connected home. In 2017 IEEE International Conference on Pervasive Computing and Communications Workshops, PerCom Workshops 2017, 557–562.
Byrt, T., J. Bishop, and J. Carlin. 1993. Bias, Prevalence and Kappa. Journal of Clinical Epidemiology 46 (5): 423–429.
Chen, D., S. Kalra, D. Irwin, P. Shenoy, and J. Albrecht. 2015. Preventing Occupancy Detection from Smart Meter Data. IEEE Transactions on Smart Grid 6 (5): 2426–2434.
Chen, Y., and B. Luo. 2012. S2A: Secure Smart Household Appliances. In Proceedings of the second ACM conference on Data and Application Security and Privacy, 217–228.
CIPD. 2013. Pre-employment Checks: An Employer’s Guide. http://www.cipd.co.uk/binaries/pre-employment-checks_2013.pdf.
Clarke, R.V. 1980. Situational Crime Prevention: Theory and Practice. The British Journal of Criminology 20: 136.
Clarke, R.V. 1995. Situational Crime Prevention. Crime and Justice 19: 91–150.
Cockbain, E., K. Bowers, and G. Dimitrova. 2018. Human Trafficking for Labour Exploitation: The Results of a Two-Phase Systematic Review Mapping the European Evidence Base and Synthesising Key Scientific Research Evidence. Journal of Experimental Criminology 14 (3): 319–360.
Coleman, F.L. 1997. Stalking Behavior and the Cycle of Domestic Violence. Journal of Interpersonal Violence 12 (3): 420–432.
College of Policing. 2018. Crime Reduction Toolkit. http://whatworks.college.police.uk/toolkit/Pages/Toolkit.aspx.
Copos, B., K. Levitt, M. Bishop, and J. Rowe. 2016. Is Anybody Home? Inferring Activity from Smart Home Network Traffic. In IEEE Security and Privacy Workshops (SPW), 245–251.
Coppolino, L., V. Dalessandro, S. Dantonio, L. Levy, and L. Romano. 2015. My Smart Home is Under Attack. In IEEE 18th International Conference on Computational Science and Engineering, 145–151.
Coventry, L., P. Briggs, J.M. Blythe, and M. Tran. 2014. Using Behavioural Insights to Improve the Public’ S Use of Cyber Security Best Practices. Innovation and Skills: Report for the Department of Business.
DCMS. 2018. Secure by Design: Improving the Cyber Security of Consumer Internet of Things Report. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/686089/Secure_by_Design_Report_.pdf.
Denning, T., C. Matuszek, K. Koscher, J.R. Smith, and T. Kohno. 2009. A Spotlight on Security and Privacy Risks with Future Household Robots. In Proceedings of the 11th International Conference on Ubiquitous Computing, 105–114. ACM.
Felson, M. 1994. Crime and Everyday Life. Thousand Oaks, CA: Pine Forge.
Feng, X., M. Ye, V. Swaminathan, and S. Wei. 2017. Towards the Security of Motion Detection-based Video Surveillance on IoT Devices. In Proceedings of the on Thematic Workshops of ACM Multimedia 2017, 228–235. ACM.
Fernandes, E., J. Jung, and A. Prakash. 2016. Security Analysis of Emerging Smart Home Applications. In IEEE Symposium on Security and Privacy Security, 636–654.
Fernandes, E., A. Rahmati, J. Jung, and A. Prakash. 2017. Security Implications of Permission Models in Smart-Home Application Frameworks. IEEE Security and Privacy 15 (2): 24–30.
Forrester, D., M. Chatterton, K. Pease, and R. Brown. 1988. The Kirkholt Burglary Prevention Project.
FTC. 2015. IoT Privacy & Security in a Connected World. https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.
Garcia-Morchon, O., S. Kumar, S. Keoh, R. Hummen, and R. Struik. 2014. Security Considerations in the IP-Based Internet of Things. Draft-Garcia-Core-Security-06. https://tools.ietf.org/html/garcia-core-security-03.txt.
Greensmith, J. 2015. Securing the Internet of Things with Responsive Artificial Immune Systems. In Proceedings of the 2015 Annual Conference on Genetic and Evolutionary Computation, 113–120.
Henry, N., and A. Powell. 2015. Beyond the ‘Sext’: Technology-Facilitated Sexual Violence and Harassment Against Adult Women. Australian & New Zealand Journal of Criminology 48 (1): 104–118.
Higgins, J., and S. Green. 2011. Cochrane Handbook for Systematic Reviews of Interventions.
Ho, G., D. Leung, P. Mishra, A. Hosseini, D. Song, and D. Wagner. 2016. Smart Locks: Lessons for Securing Commodity Internet of Things Devices. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, 461–472.
Hoang, N.P., and D. Pishva. 2015. A TOR-Based Anonymous Communication Approach to Secure Smart Home Appliances. In International Conference on Advanced Communication Technology, ICACT, Vol. 3, 517–525.
Hong, J. 2012. The State of Phishing Attacks. Communications of the ACM 55 (1): 74–81.
Jacobsson, A., M. Boldt, and B. Carlsson. 2016. A Risk Analysis of a Smart Home Automation System. Future Generation Computer Systems 56: 719–733.
Johnson, S.D., N. Tilley, and K.J. Bowers. 2015. Introducing EMMIE: An Evidence Rating Scale to Encourage Mixed-Method Crime Prevention Synthesis Reviews. Journal of Experimental Criminology 11 (3): 459–473.
Kang, W.M., S.Y. Moon, and J.H. Park. 2017. An Enhanced Security Framework for Home Appliances in Smart Home. Human-Centric Computing and Information Sciences 7 (1): 6.
Kaspersky. 2017. Kaspersky Lab Research Reveals the Cost and Profitability of Arranging a DDoS Attack. https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-research-reveals-the-cost-and-profitability-of-arranging-a-ddos-attack.
Kumar, P., M. Ylianttila, A. Gurtov, S.G. Lee, and H.J. Lee. 2014. An Efficient and Adaptive Mutual Authentication Framework for Heterogeneous Wireless Sensor Network-Based Applications. Sensors 14 (2): 2732–2755.
Laxton, C. 2014. Virtual World, Real Fear: Women’s Aid Report into Online Abuse, Harassment and Stalking. Bristol: Women’s Aid.
Laycock, G. 2004. The UK Car Theft Index: An Example of Government Leverage. In Understanding and Preventing Car Theft, Vol. 17 of Crime Prevention Studies, 25–44. Willan: Cullompton.
Lee, M., K. Lee, J. Shim, S. Cho, and J. Choi. 2016. Security Threat on Wearable Services: Empirical Study Using a Commercial Smartband. In 2016 IEEE International Conference on Consumer Electronics-Asia (ICCE-Asia), 1–5.
Liu, Y., S. Hu, and T.Y. Ho. 2015a. Vulnerability Assessment and Defense Technology for Smart Home Cybersecurity Considering Pricing Cyberattacks. In: IEEE/ACM International Conference on Computer-Aided Design, 183–190.
Liu, X., Z. Zhou, W. Diao, Z. Li, and K. Zhang. 2015b. When Good Becomes Evil: Keystroke Inference with Smartwatch. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security—CCS’15, 1273–1285.
Lo, C.H., and N. Ansari. 2013. CONSUMER: A Novel Hybrid Intrusion Detection System for Distribution Networks in Smart Grid. IEEE Transactions on Emerging Topics in Computing 1 (1): 33–44.
Lotfy, K., and M.L. Hale. 2016. Assessing Pairing and Data Exchange Mechanism Security in the Wearable Internet of Things. In 2016 IEEE International Conference on Mobile Services (MS), 25–32.
Lyu, M., D. Sherratt, A. Sivanathan, H.H. Gharakheili, A. Radford, and V. Sivaraman. 2017. Quantifying the Reflective DDoS Attack Capability of Household IoT Devices. In Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks—WiSec’17, 46–51.
Mailley, J., R. Garcia, S. Whitehead, and G. Farrell. 2008. Phone Theft Index. Security Journal 21 (3): 212–227.
Maiti, A., M. Jadliwala, J. He, and I. Bilogrevic. 2015. (Smart)Watch Your Taps: Side-Channel Keystroke Inference Attacks using Smartwatches. In Proceedings of the 2015 ACM International Symposium on Wearable Computers—ISWC’15, 27–30. New York: ACM Press.
Manky, D. 2013. Cybercrime as a Service: a Very Modern Business. Computer Fraud & Security 6: 9–13.
Maple, C. 2017. Security and Privacy in the Internet of Things. Journal of Cyber Policy 2 (2): 155–184.
Metropolitan Police. 2003. Findings from the Multi- agency Domestic Violence Murder Reviews in London. https://paladinservice.co.uk/wp-content/uploads/2013/07/Findings-from-the-Domestic-Homicide-Reviews.pdf.
Min, B., and V. Varadharajan. 2015. Design and Evaluation of Feature Distributed Malware Attacks Against the Internet of Things (IoT). In 20th International Conference on Engineering of Complex Computer Systems (ICECCS), 80–89
Mitchell, K., D. Finkelhor, L. Jones, and J. Wolak. 2010. Use of Social Networking Sites in Online Sex Crimes Against Minors: An Examination of National Incidence and Means of Utilization. Journal of Adolescent Health 47 (2): 183–190.
Mitnick, K.D., and W.L. Simon. 2003. The Art of Deception: Controlling the Human Element in Security. New York: Wiley.
NPower. 2018. Energy Theft. https://www.npower.com/home/help-and-support/meter-readings/meter-tampering/.
NSPCC. 2018. Facebook Tops List of Sites Used for Online Grooming. https://www.nspcc.org.uk/what-we-do/news-opinion/Facebook-tops-list-online-grooming/.
Obermaier, J., and M. Hutle. 2016. Analyzing the Security and Privacy of Cloud-Based Video Surveillance Systems. In Proceedings of the 2nd ACM International Workshop on IoT Privacy, Trust, and Security—IoTPTS’16, 22–28. New York: ACM Press.
Office for National Statistics. 2017a. Crime in England and Wales: Year Ending December 2017. London: ONS.
Office for National Statistics. 2017b. Overview of Burglary and Other Household Theft: England and Wales. London: ONS.
Oluwafemi, T., T. Kohno, S. Gupta, and S. Patel. 2013a. Experimental Security Analyses of Non-Networked Compact Fluorescent Lamps: A Case Study of Home Automation Security. In Proceedings of the LASER 2013 (LASER 2013), 13–24. https://www.usenix.org/laser2013/program/oluwafemi.
Oluwafemi, T., T. Kohno, S. Gupta, and S. Patel. 2013b. Experimental Security Analyses of Non-Networked Compact Fluorescent Lamps: A Case Study of Home Automation Security. In Proceedings of the LASER 2013 (LASER 2013), 13–24.
Paladin. 2018. Paladin’s Definition of Stalking. https://paladinservice.co.uk/.
Pawson, R.A.Y., and N. Tilley. 2018. What Works in Evaluation Research? The British Journal of Criminology 34 (3): 291–306.
Pease, K. 1997. Crime reduction. In The Oxford Handbook of Criminology, 2nd ed, ed. M. Maguie. Oxford: Clarendon Press.
Powell, A., and N. Henry. 2018. Policing Technology-Facilitated Sexual Violence Against Adult Victims: Police and Service Sector Perspectives. Policing and Society 28 (3): 291–307.
Rahman, M., B. Carbunar, and U. Topkara. 2013. Fit and Vulnerable: Attacks and Defenses for a Health Monitoring Device. https://doi.org/10.1109/TMC.2015.2418774
Ratajczyk, E., U. Brady, J.A. Baggio, A.J. Barnett, I. Perez-Ibara, N. Rollins, et al. 2016. Challenges and Opportunities in Coding the Commons: Problems, Procedures, and Potential Solutions in Large-N Comparative Case Studies. International Journal of the Commons, 10 (2), 440–466.
Reichherzer, T., M. Timm, N. Earley, N. Reyes, and V. Kumar. 2017. Using Machine Learning Techniques to Track Individuals & Their Fitness Activities. In Proceedings of the 32nd International Conference on Computers and Their Applications, CATA 2017, 119–124.
Sasse, A. 2015. Scaring and Bullying People into Security Won’t Work. IEEE Security and Privacy 13 (3): 80–83.
Schneier, B. 2018. Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. New York: WW Norton & Company.
Seto, M. 2015. Internet-Facilitated Sexual Offending. https://www.smart.gov/SOMAPI/printerFriendlyPDF/adult-sec4.pdf.
Sivaraman, V., D. Chan, D. Earl, and R. Boreli. 2016. Smart-Phones Attacking Smart-Homes. In Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks—WiSec’16, 195–200.
Sivaraman, V., H.H. Gharakheili, A. Vishwanath, R. Boreli, and O. Mehani. 2015. Network-Level Security and Privacy Control for Smart-Home IoT Devices. In 2015 IEEE 11th International Conference on Wireless and Mobile Computing, Networking and Communications, WiMob 2015, 163–167.
Smartgrid.gov. 2018. What is the Smart Grid? https://www.smartgrid.gov/the_smart_grid/smart_grid.html.
Snader, R., Kravets, R., and Harris III, A.F. 2016. CryptoCop: Lightweight, Energy-Efficient Encryption and Privacy for Wearable Devices. In 2nd ACM Workshop on Wearable Systems and Applications. WearSys 2016, 7–12.
Srinivasan, V., J. Stankovic, and K. Whitehouse. 2008. A Fingerprint and Timing-Based Snooping Attack on Residential Sensor Systems. ACM SIGBED Review 5 (1): 1–2.
Statistica. 2018. Estimated Global Commercial Drone Unit Sales in 2016 and 2017 (in 1,000 Units). https://www.statista.com/statistics/740428/global-commercial-drone-unit-sales/.
Tekeoglu, A., and A.S. Tosun. 2015a. A Closer Look into Privacy and Security of Chromecast Multimedia Cloud Communications. In 2015 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), 121–126
Tekeoglu, A., and A.S. Tosun. 2015b. Investigating Security and Privacy of a Cloud-Based Wireless IP Camera: NetCam. In Proceedings—International Conference on Computer Communications and Networks, ICCCN, 2015–October.
Thing, V.L.L. 2017. IEEE 802.11 Network Anomaly Detection and Attack Classification: A Deep Learning Approach. In Wireless Communications and Networking Conference (WCNC).
Torre, I., F. Koceva, O.R. Sanchez, and G. Adorni. 2017. Fitness Trackers and Wearable Devices: How to Prevent Inference Risks? In Proceedings of the 11th International Conference on Body Area Networks. EAI.
Tzezana, R. 2016. Scenarios for Crime and Terrorist Attacks Using the Internet of Things. European Journal of Futures Research 4 (1): 18.
Tzezana, R. 2017. High-Probability and Wild-Card Scenarios for Future Crimes and Terror Attacks Using the Internet of Things. Foresight 19 (1): 1–14.
Vemi, S.G., and C. Panchev. 2015. Vulnerability Testing of Wireless Access Points Using Unmanned Aerial Vehicles (UAV). In Proceedings of the European Conference on e-Learning, 245.
Vigo, R., E. Yuksel, and Dewi Puspa Kencana Ramli, C. 2012. Smart Grid Security a Smart Meter-Centric Perspective. In 2012 20th Telecommunications Forum (TELFOR), 127–130
Visan, B.A., J. Lee, B. Yang, A.H. Smith, and E.T. Matson. 2017. Vulnerabilities in Hub Architecture IoT Devices. In 2017 14th IEEE Annual Consumer Communications and Networking Conference, CCNC 2017, 83–88
Wang, C., X. Guo, Y. Wang, Y. Chen, and B. Liu. 2016. Friend or Foe? In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security—ASIA CCS’16, 189–200.
Wang, H., T.T.-T. Lai, and R. Roy Choudhury. 2015. MoLe: Motion Leaks Through Smartwatch Sensors. In Proceedings of the 21st Annual International Conference on Mobile Computing and Networking—MobiCom’15, 155–166.
Wazid, M., A.K. Das, V. Odelu, N. Kumar, and W. Susilo. 2017. Secure Remote User Authenticated Key Establishment Protocol for Smart Home Environment. In IEEE Transactions on Dependable and Secure Computing, 5971(c).
Weisburd, D., D.P. Farrington, and C. Gill (eds.). 2016. What Works in Crime Prevention and Rehabilitation: Lessons from Systematic Reviews. New York: Springer.
Which? 2017. Safety Alert: See How Easy it is for Almost Anyone to Hack Your Child’s Connected Toys. https://www.which.co.uk/news/2017/11/safety-alert-see-how-easy-it-is-for-almost-anyone-to-hack-your-childs-connected-toys/.
Williams, R., E. McMahon, S. Samtani, M. Patton, and H. Chen. 2017. Identifying Vulnerabilities of Consumer Internet of Things (IoT) Devices: A Scalable Approach. In 2017 IEEE International Conference on Intelligence and Security Informatics: Security and Big Data, ISI 2017, 179–181.
Wrap. 2017. Smart Devices & Secure Data Eradication: The Evidence. http://www.wrap.org.uk/sites/files/wrap/DataEradicationreportDefra.pdf.
Wurm, J., K. Hoang, O. Arias, A.-R. Sadeghi, and Y. Jin. 2016. Security Analysis on Consumer and Industrial IoT Devices. In 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC), 519–524.
Xu, H., D. Sgandurra, K. Mayes, P. Li, and R. Wang. 2017. Analysing the Resilience of the Internet of Things Against Physical and Proximity Attacks, Vol. 10658.
Yoshigoe, K., W. Dai, M. Abramson, and A. Jacobs. 2016. Overcoming Invasion of Privacy in Smart Home Environment with Synthetic Packet Injection. In Proceedings of 2015 TRON Symposium, TRONSHOW 2015, 1(C).
This work was funded by the UK EPSRC as part of the PETRAS IoT Research Hub—Cybersecurity of the Internet of Things grant no. EP/N02334X/1 and the Dawes Centre for Future Crime at University College London.
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Electronic supplementary material
Below is the link to the electronic supplementary material.
About this article
Cite this article
Blythe, J.M., Johnson, S.D. A systematic review of crime facilitated by the consumer Internet of Things. Secur J (2019). https://doi.org/10.1057/s41284-019-00211-8
- Internet of Things
- Systematic review
- Crime harvest