Electronic – BLE IoT device as platform backdoor for hackers

bluetooth low energy, hacking

I have an IoT device that works with BLE and uses a smartphone as a bridge to connect to a digital platform (cloud).
The communication between the IoT device and the platform is based on PKI.
The IoT device has only a few privileges and services with the platform, such as status communication, public key sharing and a few other status messages.

If this IoT device is hacked, could it be used as a backdoor to access or change critical information in the platform?

What can a hacker do with a hacked IoT device to threaten the platform data?

The hacker will not be able to access any other data than the one allowed by the platform to that device, correct?

Best Answer

This depends heavily on how that data is used.

Assuming an IoT device is compromised, it can likely access the internet and anything on the same local network (assuming a poorly secured home network).

It also has the BLE bridge to your phone.

So, limiting the scope to the phone and the platform, anything it can do would be related to vulnerabilities in those two endpoints. If you're using the data it sends to the platform for something, it could spoof it. If the API allows it to read back old or user-account-level information, it could expose that elsewhere.

For the phone, there could be a Bluetooth exploit for your model allowing for other things, e.g. it sees your car radio's BLE in range, clones its ID and pretends to be it to access your contacts and call logs.

For the platform, assuming no exploits, it can do anything exposed on the API; if there are exploits, then possibly anything on the platform, be it editing, deleting or mass downloading.
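The answer's "it can do anything exposed on the API" is the whole game: whether a compromised device can spoof another device's status or read account-level data depends on the platform scoping every call to the identity the PKI layer authenticated, not to anything the device claims in its request. As an added example that is not part of the original answer, the following Python sketch shows that per-device (object-level) authorization for the three operations the question names: reporting status, reading status back, and account data. It assumes the device identity has already been established by the PKI layer (mTLS or a verified signature over the request) and is passed in as a `Principal`; the device IDs, account IDs, field names and stores are constructed placeholders.

```python
"""Per-device authorization at a platform API (illustrative, not a real platform).

Assumption: the transport layer (mTLS, or a signature checked against the
device's enrolled public key) has already produced a trustworthy device ID.
Nothing in the request body is trusted for identity or ownership.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional

# --- constructed sample state (placeholder data) ---
DEVICE_OWNER: Dict[str, str] = {"dev-0001": "acct-A", "dev-0002": "acct-B"}
ACCOUNT_PROFILE: Dict[str, Dict[str, str]] = {
    "acct-A": {"email": "a@example.invalid"},
    "acct-B": {"email": "b@example.invalid"},
}
STATUS_STORE: Dict[str, Dict[str, Any]] = {}

# The only fields a device is allowed to assert about itself.
DEVICE_REPORTABLE = {"battery_pct", "firmware", "state"}


class Forbidden(Exception):
    """Raised when a principal asks for something outside its scope."""


@dataclass(frozen=True)
class Principal:
    kind: str  # "device" or "user"
    id: str    # device ID or account ID, bound by the authentication layer


def _require(cond: bool, why: str) -> None:
    if not cond:
        raise Forbidden(why)


def post_status(p: Principal, device_id: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """A device reports its own status. Writes to another device's record
    are rejected, and extra fields the device asserts (e.g. "owner", "role")
    are dropped rather than stored, so a spoofed payload cannot escalate."""
    _require(p.kind == "device", "only devices post status")
    _require(p.id == device_id, "device may only write its own record")
    accepted = {k: v for k, v in body.items() if k in DEVICE_REPORTABLE}
    STATUS_STORE[device_id] = accepted
    return accepted


def get_status(p: Principal, device_id: str) -> Dict[str, Any]:
    """A device may read back only its own current status; a user may read
    the status of devices enrolled under their own account."""
    owner = DEVICE_OWNER.get(device_id)
    _require(owner is not None, "unknown device")
    if p.kind == "device":
        _require(p.id == device_id, "device may only read its own record")
    else:
        _require(p.id == owner, "user may only read their own devices")
    return dict(STATUS_STORE.get(device_id, {}))


def get_account(p: Principal, account_id: str) -> Dict[str, str]:
    """Account-level data is never reachable from a device principal,
    regardless of which account the device belongs to."""
    _require(p.kind == "user", "device principals cannot read account data")
    _require(p.id == account_id, "user may only read their own account")
    return dict(ACCOUNT_PROFILE[account_id])


def attempt(fn, *args) -> Optional[Any]:
    """Run an operation and return its result, or None if it was Forbidden."""
    try:
        return fn(*args)
    except Forbidden:
        return None


if __name__ == "__main__":
    # A compromised dev-0001 tries the three things the thread worries about.
    dev = Principal("device", "dev-0001")
    print(post_status(dev, "dev-0001", {"battery_pct": 80, "owner": "acct-B"}))
    print(attempt(post_status, dev, "dev-0002", {"state": "off"}))
    print(attempt(get_account, dev, "acct-A"))
```

With this shape, a hacked device is still able to lie about its own battery level or state (the spoofing the answer mentions), which the platform can only mitigate by not making critical decisions on device-reported values alone; what it cannot do is write to another device's record, read another device's status, or reach any account-level data, because the scope check keys off the authenticated `Principal` rather than the request body.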