The New Ad Fraud Threat in the Internet of Things

These days, even the most mundane items have evolved into technologic novelties. Your watch sends you breaking news while simultaneously keeping an eye on your fitness. Your washing machine pings you when it’s done cycling. You can control your thermostat with a simple touch before you even get home.

In an increasingly mobile world, the Internet of Things brings us new levels of convenience, entertainment, and functionality. But with all benefits come risks. Although the Internet of Things connects us now more than ever, it also opens a new door for ad fraud.

What Is It?

In 1999, Kevin Ashton coined the phrase “Internet of Things” while giving a presentation on RFID chips. He described a new way in which machines could transmit data without human input. Using the Internet as a conduit, machines talk to each other, sending and analyzing information independently.

Ashton’s original idea applied to RFID chips being used to monitor inventory in a supply chain. But the definition of Internet of Things (IoT) has changed in recent years. Now, people use the term to describe the network in which any tangible object with internet connectivity can communicate with other connected devices.

Source: Freepik

Common IoT devices include smartphones, tablets, and wearables, like smartwatches and fitness trackers. In recent years, everything from internet-enabled security cameras to light bulbs have hit the marketplace.

Security Risks

As they pump out new “smart” products to meet growing demand, many companies aren’t considering the security issues that come with connected devices. Any device with a web connection can be easily hacked, especially if manufacturers and consumers don’t take the necessary steps to protect their devices.

IoT devices straight from the factory usually come with default user IDs and passwords. End users, particularly those who aren’t tech-savvy, often don’t bother to change the standard, weak passwords after setup. The 2016 Mirai botnet attack used this password vulnerability to hijack devices and launch a distributed denial of service (DDoS) attack on many popular websites.

Once a security threat is identified, manufacturers usually issue software updates to connected devices. The problem lies in how updates and patches are rolled out. Alerting users of software patches doesn’t guarantee they’ll update their devices. Automatic updates make things a little easier, but some devices require users to manually opt in or adjust their settings.

Another considerable security issue revolves around orphaned devices. Once a product gets an upgrade (e.g. iPhone X), older versions slowly get phased out. Other times, a company goes out of business or decides to end a product line. In all situations, orphaned IoT devices are left without software updates from an official support system and therefore open to exploitation.

Data Source: Statista

Despite all the risks involved with IoT, experts predict that more people will choose to connect rather than unplug from the system. The total number of IoT devices in use across the world is expected to surpass 30 billion by 2020. Estimates suggest that, on average, this equates to about 4.3 devices per person.

Ad Fraud Threats

As demonstrated by the Mirai incident, it’s relatively easy to turn IoT products into destructive botnets. And if the aforementioned security measures don’t improve, this could mean trouble for those in the digital advertising space.

Related Post: Ad Fraud: You’re Not Sneaky If We Can See You

Through malware injection, fraudsters can remotely control thousands of susceptible devices from a central location, and, if they choose, may commit click fraud on a massive scale.

Fraudsters use hijacked IoT devices to generate and drive large numbers of illegitimate traffic to websites. Once there, the programmed bots click on ads but don’t convert, eating away at campaign budgets and generating revenue for the fraudsters.

There’s no catch-all solution to preventing this type of fraud, but there are some precautionary steps you can take to guard your ad campaigns. The trick is to examine traffic data and put appropriate filters in place.

Source: Thingful

As with all internet-connected hardware, every IoT device carries an IP address used for identification. You can use sites like Shodan to aggregate IP addresses of open (and exploitable) IoT devices, such as webcams and personal weather stations. It’s a good idea to keep a working blacklist of IoT device IP addresses to prevent questionable IPs from accessing your site.

If you want to go the extra mile, using an ad fraud solution to filter your traffic may add another layer of protection. As you look at your data, you might notice traffic coming from places way outside your target location or from outdated smartphones and operating systems. You might even see the actual device type, like a tablet or television, depending on which ad fraud solution you use. With this actionable data, you can go back and fine tune your ad campaign parameters or put up new obstacles for bots around your site content.

The Internet of Things isn’t slowing down anytime soon. There’s no doubt that as the tech progresses, security will get better, but in the meantime, we need to stay vigilant. Bad people will always find ways to game the system, so it’s on us to stay one step ahead.