Quantifying Consumer Costs of
Insecure Internet of Things Devices

Kim Fong, Kurt Hepler, Rohit Raghavan, Peter Rowland
Internet of Things devices are everywhere. Unfortunately, many Internet-connected devices are built with inadequate security measures, making them easy targets for cybercriminals. Hackers enlist these insecure devices in “botnet” armies to launch massive cyberattacks on governments, infrastructure, and businesses, causing millions of dollars in lost revenue, damaged brand reputation, and degraded service.

But what happens to the owners of the devices? What costs do they bear as a result of their devices being hacked? Do their electricity and bandwidth bills increase when their devices are used in attacks? And what can consumers and regulators do to ensure that manufacturers improve device security to prevent these attacks in the future?

Quantifying IoT Insecurity Costs

As consumers incorporate “Internet of Things” (IoT) devices in their homes, we must grapple with the consequences of the proliferation of inexpensive, difficult-to-secure products. Malicious actors may use vulnerable IoT devices to snoop on consumers, to cause devices to malfunction, or to degrade or deny access to services. Violations of consumer confidentiality and integrity are problematic, but the problems do not end with invasions of privacy. Cybercriminals also exploit vulnerabilities in IoT products to build “botnets” of thousands of devices that can attack and shut down governments, infrastructure providers, and businesses. For such availability attacks, understanding the full spectrum of consequences is difficult because the victims who are easiest to observe are not the owners of the devices. While quantifying the direct costs of such attacks to the most visible victims is relatively straightforward (e.g., Company A’s website was offline for 7 hours, leading to an X% decrease in sales, and recovering from the attack cost Y dollars), it is not as easy to uncover the costs borne by the consumers who own the devices. Because these consumer costs are elusive, regulators have struggled to enact policies that could prompt manufacturers to design more secure IoT devices. We address this issue by exploring the harms to consumers who own the hacked devices that are used in botnet attacks.

We infected several consumer IoT devices with the Mirai malware and measured how devices use electricity and bandwidth resources in non-infected and infected states. We observed only small increases in electricity consumption of infected devices but significant increases in bandwidth usage in infected devices when compared with non-infected devices operating nominally. We also found that infected devices cause a degraded user experience for the device owner, as devices that are involved in attacks can interfere with the owner’s use of both the device and the network to which it is connected.

Based on these increased resource consumption costs, we then examine the costs to consumers of insecure IoT devices through the lens of three case studies. We first investigate the consumer costs of the large-scale distributed denial of service attacks on Dyn, Inc. resources and the KrebsOnSecurity website that were caused by IoT botnets in 2016. We also present a hypothetical worst-case scenario attack to uncover potential damages that could arise given a large pool of insecure IoT devices. Finally, we explore potential implications of these issues and discuss regulations that could be used to promote a more secure IoT ecosystem in the future.

IoT DDoS Consumer Cost Calculator

Explore the Costs to Consumers of IoT DDoS Attacks

Adjust the calculator to compute costs, or select a preset attack profile: KrebsOnSecurity Attack, Dyn, Inc. Attack, or Worst-Case Attack.

The calculator takes the following inputs: the total number of devices, the attack duration (in hours), the attack type, the distribution of devices (as percentages and device counts) across low-, medium-, and high-cost electricity zones (each with a price in $ per kWh), and the distribution of devices across low-, medium-, and high-cost bandwidth zones (each with a price in $ per GB), with each bandwidth zone further split between Wi-Fi and Ethernet devices.

From these inputs it reports the total electricity cost per hour (imposed on consumers in aggregate), the total bandwidth cost per hour (imposed on consumers in aggregate), the cost per device (imposed on a consumer by each device), and the total consumer resource cost.
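The cost model behind the calculator described above can be written out as a small program. The following is an added illustration, not the report's own calculator or data: the zone prices, the device shares, the Wi-Fi/Ethernet split, the attack types, and the per-device electricity and bandwidth increases are all constructed placeholders (the report's measured deltas and its three preset profiles are not reproduced here), and the function and class names are this example's own.

```python
"""Hypothetical IoT botnet consumer-cost calculator (added illustration).

Every rate, share and per-device resource delta below is a constructed
placeholder; none of them is a measurement or preset from the report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ElectricityZone:
    name: str
    usd_per_kwh: float   # retail electricity price in this zone (constructed)
    share: float         # fraction of the botnet's devices located in this zone


@dataclass(frozen=True)
class BandwidthZone:
    name: str
    usd_per_gb: float    # marginal data price; 0.0 models a flat-rate plan
    share: float         # fraction of the botnet's devices located in this zone
    wifi_share: float    # fraction of this zone's devices on Wi-Fi (rest on Ethernet)


# Constructed per-device resource increase of an infected device over its
# idle baseline, keyed by attack type. Placeholder values only.
ATTACK_DELTAS = {
    "syn_flood": {"extra_kw": 0.001, "extra_gb_per_hour": {"wifi": 0.5, "ethernet": 1.0}},
    "http_flood": {"extra_kw": 0.002, "extra_gb_per_hour": {"wifi": 0.3, "ethernet": 0.6}},
}


def _check_shares(zones):
    """A zone distribution must account for every device exactly once."""
    total = sum(z.share for z in zones)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"zone shares must sum to 1.0, got {total}")


def electricity_cost_per_hour(devices, extra_kw, zones):
    """Aggregate extra electricity cost per attack hour, across all owners."""
    _check_shares(zones)
    # devices in zone * extra kW * 1 hour = extra kWh, priced at the zone rate
    return sum(devices * z.share * extra_kw * z.usd_per_kwh for z in zones)


def bandwidth_cost_per_hour(devices, extra_gb_per_hour, zones):
    """Aggregate extra metered-data cost per attack hour, across all owners."""
    _check_shares(zones)
    cost = 0.0
    for z in zones:
        in_zone = devices * z.share
        wifi_gb = in_zone * z.wifi_share * extra_gb_per_hour["wifi"]
        eth_gb = in_zone * (1.0 - z.wifi_share) * extra_gb_per_hour["ethernet"]
        cost += (wifi_gb + eth_gb) * z.usd_per_gb
    return cost


def consumer_cost(devices, hours, attack_type, elec_zones, bw_zones):
    """Return the calculator's four outputs (USD) as a dict."""
    delta = ATTACK_DELTAS[attack_type]
    elec = electricity_cost_per_hour(devices, delta["extra_kw"], elec_zones)
    bw = bandwidth_cost_per_hour(devices, delta["extra_gb_per_hour"], bw_zones)
    total = (elec + bw) * hours
    return {
        "electricity_usd_per_hour": elec,
        "bandwidth_usd_per_hour": bw,
        "total_usd": total,
        "usd_per_device": total / devices,
    }


# Constructed example distribution (not one of the report's preset profiles).
EXAMPLE_ELEC_ZONES = (
    ElectricityZone("low", usd_per_kwh=0.10, share=0.5),
    ElectricityZone("med", usd_per_kwh=0.15, share=0.3),
    ElectricityZone("high", usd_per_kwh=0.25, share=0.2),
)
EXAMPLE_BW_ZONES = (
    BandwidthZone("low", usd_per_gb=0.00, share=0.6, wifi_share=0.7),   # flat-rate plans
    BandwidthZone("med", usd_per_gb=0.01, share=0.3, wifi_share=0.5),
    BandwidthZone("high", usd_per_gb=0.10, share=0.1, wifi_share=0.5),  # metered/capped plans
)

if __name__ == "__main__":
    result = consumer_cost(100_000, 10, "syn_flood", EXAMPLE_ELEC_ZONES, EXAMPLE_BW_ZONES)
    for key, value in result.items():
        print(f"{key:>26}: ${value:,.4f}")
```

With these placeholder inputs the per-device cost comes out at a few cents, while the aggregate cost across the botnet is in the thousands of dollars; that split is the point of the calculator, since the owner of any single device sees almost nothing on their bill even though the cost imposed on owners as a group is substantial. Note also that the bandwidth term dominates whenever a meaningful share of devices sits on metered plans, which matches the report's observation that bandwidth increases were large while electricity increases were small.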

Read the Full Report

Learn more about our research design, methodology, and findings in the full report.