Smartphones, watches, televisions and fitness trackers could be used to hold people to ransom over personal data, cyber security experts have warned.
Ransomware, which makes devices unusable until their owners pay to unlock them, has become increasingly prevalent in the past year, they say.
Devices holding photos, emails and fitness information could be targeted.
The risk to business is “significant and growing”, the National Crime Agency and National Cyber Security Centre say.
The joint report from the NCA and the NCSC says cyber crime is becoming more aggressive.
More devices connecting to the internet meant opportunities for criminals, the report said.
Any devices containing personal data such as photos, that people consider sufficiently valuable to pay for, are likely to be targeted by criminals.
Such devices often have limited security built in.
In their report, aimed at businesses, the agencies say: “This data may not be inherently valuable, and might not be sold on criminal forums but the device and data will be sufficiently valuable to the victim that they will be willing to pay for it.
“Ransomware on connected watches, fitness trackers and TVs will present a challenge to manufacturers, and it is not yet known whether customer support will extend to assisting with unlocking devices and providing advice on whether to pay a ransom.”
The report also raises concerns about the ability of the most sophisticated criminal gangs to use the same high-tech tools as states to target financial institutions.
Others, it adds, can download more basic software to carry out attacks on smaller businesses and the general public which require very little technical ability.
What is the scale of the problem?
As many as 21 billion devices used by businesses and consumers around the world are forecast to be connected to the internet by 2020.
Ciaran Martin, chief executive of the NCSC, said cyber attacks would continue to evolve and the public and private sectors must continue to work at pace to reduce the threat to critical services and deter would-be attackers.
The report also says there is no clear understanding of the true scale and cost of current cyber attacks to the UK, as they believe they are under-reported.
In three months after the NCSC was created, there were 188 “high-level” attacks as well as “countless” lower-level incidents, it says.
Donald Toon, director for economic and cyber crime at the NCA, told the BBC devices that helped businesses control operations remotely had an online capability built into them.
“They’re mass-produced and the security may not be particularly good,” he said. “Businesses often don’t change the basic security software that’s in there, or change the passwords.”
The report will be published on Tuesday as the NCSC hosts a major conference, CyberUK, in Liverpool.