"All of these devices are effectively connected computers which could potentially be hijacked by cybercriminals and held to ransom," Savage wrote in his report. "Imagine a scenario your smart house lock refuses to allow entry to your own house or where your car is taken over by ransomware and refuses to start, allow entry, speed up, or slow down until a ransom is paid."
Some devices, such as network-attached storage devices, have already been hit by criminals, while researchers have shown the ability to gain remote access to a moving Jeep Cherokee and take over lights, steering, transmission, and brakes.
"It's not happening yet, but it's something we might see in the future because it's not something that's too difficult to do," said Lastline's Kirda.
In addition to going after consumers, attackers might also target industrial control systems, hospitals, and other targeted organizations, he said -- but this might pose some logistical problems for attackers. If they warn organizations that an attack is coming, the organization might take steps to protect itself.
"But if they shut stuff down, the damage is already done, so why pay up?" he said.
Sign up for CIO Asia eNewsletters.