Online sextortion within IoT: a cybersecurity and privacy perspective


This post aims to show how online sextortion happens within the realm of IoT when the devices, applications and services that are part of IoT are compromised by malware and malicious actors. It explains the impact sextortion has on the targeted victims and the motivations of the malicious perpetrators who carry out these attacks. It discusses the role of cybersecurity, and how technology, awareness and education, when used together in a holistic manner, are vital in preventing online sextortion from occurring. Finally, it examines what is currently being done to prevent online sextortion attacks from happening within IoT and what future methods or solutions could better prevent online sextortion from occurring.
The post is based off a prior research project (The analysis of the Socio-Technical Environment (STE) of Online Sextortion using Case Studies and Published Reports from a Cybersecurity Perspective) and it brings in elements of human factors and user interactions to the IoT domain.

What is Sextortion?

Extortion is an old crime that has taken on a new dimension with developments in technology, one that led to four men in 2016 taking their own lives (Guardian 2016). With the advent of modern communication technology, there is now the potential to affect anyone who is targeted and becomes trapped in an online sextortion racket, irrespective of the geographic and social distance between extortioner and extortionee. Online sextortion is on the rise in the UK and many other major countries. The Federal Bureau of Investigation (FBI) (2017) describes sextortion as "a serious crime that occurs when someone threatens to distribute a person’s private and sensitive material if they don't provide the perpetrator with images of a sexual nature, sexual favours, or money". The perpetrator may also threaten to harm a targeted individual's friends or relatives by using the information they have obtained from that person's electronic devices or online profile unless the target complies with their demands. The FBI states that online predators work to gain the trust of the targeted victim by pretending to be someone they are not. Predators look for their prey by lurking in chat rooms and recording users who post or live-stream sexually explicit images and videos of themselves, or they may hack into a targeted victim's electronic devices using malware to gain access to their files and control their web camera and microphone without them knowing it.
A EUROPOL report (2017) examined, from the law enforcement perspective, online sexual coercion and extortion as a form of crime affecting children. It aimed to raise awareness and to contribute to the public debate. The report determined two broad perpetrator profiles.
Victim Profile: Any person whose sexual material could be acquired by a perpetrator.

  • Usually female in the case of sexually motivated perpetrators.
  • Usually male in the case of financially motivated perpetrators.

The characteristics in cases of online sexual coercion and extortion affecting children:

  • The naivety of the victims, either on a relational level or on a technical level.
  • The absence of parental control.
  • Willingness to share self-generated sexual content.
  • A significant amount of time spent online each day.
  • Use of social networks and other ways of online communication, especially through mobile devices.
  • Befriending strangers.
  • Sexualised conversations with strangers.
  • Lack of technical knowledge.

Offender Profile (Sexual Motivation):

  • Male.
  • Operates alone but trades the acquired content.
  • May act at both international and national level.
  • Activity driven by knowledge of languages.
  • Targets female victims.
  • May know the victim in person.
  • Goal: to obtain sexual material.

Offender Profile (Financial Motivation):

  • Both genders.
  • Members of an organised criminal enterprise.
  • Operates in teams based in developing countries.
  • May act at both international and national level.
  • Targets male victims in countries linked by language.
  • Does not know the victim in person.
  • Main goal: to obtain money.
The issues surrounding online sextortion do not at first seem to link to the field of IoT if you take the narrow view of IoT as focusing on small internet-connected devices and sensors. (, 2018) In cybersecurity, this view does not take into account malicious actors targeting specific people, but focuses more on protecting devices and securing data. But if you take the wider view of IoT as any internet-connected device that can share data, online sextortion is an attack which can happen within the area of IoT. (, 2014) IoT is then a giant network of connected "things" and people, in which the relationships are people-people, people-things, and things-things. This means you need to bring into the cybersecurity toolkit the means to protect people from malicious actors, regardless of the type of attack and the means by which it is carried out.

Internet Webcams – role of hacking and malware in online sextortion

Online Sextortion through Smartphones and game consoles

How Cybersecurity can and is preventing online sextortion 

Encouragement of best security practice of Users
  • UK NCSC, banks, insurance companies and internet safety companies, through education and awareness campaigns for end-users. UK policy is also moving towards adopting a more active posture in defending the UK from cyber threats through closer partnership between government, industry and law enforcement. (, 2016) This involves taking an active approach to blocking IP addresses, as the host/node address of a source of malicious content, in order to block phishing attacks, DDoS and malware sites.
Secure by Default in connected devices
  • UK NCSC policy and co-ordination with standards bodies (ISO/ETSI) and device manufacturers (for example ARM, Intel and AMD).
  • Technology which is Secure by Default has the best security it can without you even knowing it's there, or having to turn it on. Elements: No default passwords; Keep software updated; Securely store credentials and security-sensitive data; Communicate securely; Minimise exposed attack surfaces; Ensure software integrity; Ensure that personal data is protected; Make systems resilient to outages; Monitor system telemetry data; Make it easy for consumers to delete personal data.
Education and Awareness – limited
  • Schools, charities and adult education.
  • To equip children and adults with the knowledge and ability to protect themselves from being socially engineered by perpetrators.
  • To teach them what best security practice and behaviour are, and to reinforce this so that they become conscientious cyber citizens.

Law enforcement Support
  • Interpol, Europol, UK NCA and the FBI, co-ordinating action to tackle worldwide cases and criminal organisations. A case from Northern Ireland (, 2017) spanned several countries and agencies, including Europol and the NCA, before the criminal was arrested and sentenced.

Technology companies' role
  • Facebook, Microsoft, Google, Internet Service Providers
  • Running online safety initiatives. (, 2017)
Future solutions to prevent Online Sextortion in IoT

Improved recording and auditing of digital evidence

  • Use by law enforcement and technology companies when dealing with cases of online sextortion. 
  • At the moment there is ongoing work to standardise the use and audit trail of digital evidence.

Expanded use of IP blocking of known malicious addresses
  • Government organisations, IPS, DNS providers and technology companies.
  • Interfere with the networks of criminal organisations to prevent them from functioning.

Greater co-operation between Government, NGOs and technology organisation to improve cyber safety and security education and awareness
  • Already moving in that direction but with a slower focus on criminal investigations and prosecutions. GDPR is related: it links to better protection of people's data and to making people more aware of how their data is used and protected.
  • Improve people's use and understanding of online services so that they are hopefully less likely to be socially engineered.

Encourage better personal/household security behaviour through feedback applications.
  • Already exists in limited form but needs wider adoption among children and adults to be effective; at the moment, people interested in cybersecurity will use it, while vulnerable people are less likely to.
  • An example is the application ‘Oyoty’ (, 2017), which is designed to identify risky behaviour of children on social networks. It detects issues that could potentially impact their reputation and safety. It alerts the child, explains the nature of the risk and guides them to fix the issue.
