The adoption of Internet of Things (IoT) devices – ranging from consumer smart gadgets to industrial and healthcare systems – has revolutionized how we interact with technology. However, this unprecedented connectivity comes with significant cybersecurity risks, largely stemming from a combination of weak security design, user mismanagement, lack of ongoing support from manufacturers, and the limited processing power, memory, and storage of many IoT devices, which can make implementing robust security measures challenging.
As IoT adoption continues to grow, regulatory frameworks like the EU Cyber Resilience Act and proactive security solutions will play a critical role in defending devices, networks, and data from emerging cyber threats.
To help companies and consumers understand these challenges, this article examines the major cybersecurity risks in IoT devices, focusing on:
- The IoT vulnerabilities that plague devices connected to the internet.
- The most common cyberattacks targeting IoT devices, including botnets, man-in-the-middle (MITM) attacks, and physical tampering.
- How these attacks are conducted.
By increasing their awareness of these risks and attack techniques, businesses and users can take meaningful steps toward securing IoT devices.
Types of IoT Devices
Before diving into cybersecurity risks, it’s helpful to understand the types of IoT devices, as each category has unique vulnerabilities and attack surfaces, which shape the security challenges they face.
- Consumer IoT devices include smart home gadgets like smart speakers, thermostats, and lighting systems, as well as wearable devices like fitness trackers and smartwatches.
- Industrial IoT (IIoT) devices are used in industries like manufacturing, agriculture, and energy. They include sensors and control systems that monitor environmental conditions, machinery, and operations.
- Healthcare IoT devices help monitor patient health remotely. Examples include wearable health monitors, glucose meters, and connected medical devices like smart infusion pumps.
- Commercial IoT devices include smart HVAC systems, inventory management tools, and connected office equipment.
- Smart City IoT devices include traffic management systems, smart parking solutions, and environmental monitoring tools that help manage urban spaces.
IoT Security Risks
When discussing IoT security risks, it is essential to mention one of the most valuable resources for IoT manufacturers, developers, and users: the OWASP IoT Top 10.
The OWASP IoT Top 10 is a list created by the Open Web Application Security Project (OWASP) to highlight the most critical security vulnerabilities in Internet of Things (IoT) devices and ecosystems.
The list reflects the evolving IoT threat landscape, focusing on risks found during penetration tests, audits, and post-incident analyses. Vulnerabilities are prioritized based on their prevalence, exploitability, and potential impact, including real-world incidents of exploitation.
Here’s a breakdown of the latest OWASP IoT Top 10 vulnerabilities (as of 2024):
OWASP IoT Top 10
1. Weak, Guessable, or Hardcoded Passwords
IoT devices often come with default passwords that are easily guessable or remain unchanged by users. Hardcoded passwords that cannot be changed are particularly dangerous as they give attackers a predictable entry point into devices.
2. Insecure Network Services
Many IoT devices expose unnecessary network services, such as legacy protocols like Telnet or FTP, which may have vulnerabilities that can be exploited. These services often run with elevated privileges, allowing attackers to gain control over the device if compromised.
3. Insecure Ecosystem Interfaces
Interfaces such as web portals, APIs, or mobile applications linked to IoT devices can have poor security practices like weak authentication, poor session management, or lack of encryption. These issues can result in unauthorized access to the device or its data.
4. Lack of Secure Update Mechanism
IoT devices need regular updates to fix security vulnerabilities, but many lack a secure mechanism for delivering these updates. Without features like code signing or encryption, attackers can intercept updates or inject malicious firmware into devices.
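A concrete illustration of what a secure update mechanism checks, added here as an example and not taken from any vendor's firmware: an Ed25519-signed image whose signature also covers the version number, so a tampered image or an older (possibly vulnerable) image is rejected before it is flashed. The Update layout, its field names and the constructed image bytes are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a firmware image plus the metadata a device checks before flashing
// (field names and layout are assumptions for this example, not a vendor format).
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte // Ed25519 signature over signedDigest(Version, Image)
}

// signedDigest binds version and image, so a valid signature cannot be reused with another image or version.
func signedDigest(version uint32, image []byte) []byte {
	h := sha256.New()
	h.Write([]byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)}) // big-endian version
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate is the vendor-side step; the private key never leaves the build system.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	sig := ed25519.Sign(priv, signedDigest(version, image))
	return Update{Version: version, Image: image, Signature: sig}
}

// VerifyUpdate is the device-side step: check the vendor signature with the public
// key baked into the device, then refuse downgrades, before trusting any image byte.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, signedDigest(u.Version, u.Image), u.Signature) {
		return errors.New("signature invalid: image or version was altered")
	}
	if u.Version <= installed {
		return fmt.Errorf("rollback refused: offered v%d, installed v%d", u.Version, installed)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	tampered := Update{Version: 2, Image: []byte("constructed image v2 + implant"), Signature: good.Signature}
	fmt.Println(VerifyUpdate(pub, 1, good), VerifyUpdate(pub, 1, tampered), VerifyUpdate(pub, 3, good))
}
```

The three calls in main print a nil error for the genuine image, then a signature failure for the tampered image, then a rollback refusal for a correctly signed but older image.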
5. Use of Insecure or Outdated Components
IoT devices frequently use third-party software libraries or hardware components that may be outdated or contain known vulnerabilities. This introduces security risks, especially when manufacturers fail to provide timely updates or patches for these components.
6. Insufficient Privacy Protection
IoT devices often handle sensitive personal data, such as health information or location data. Insufficient privacy protection, such as transmitting unencrypted data or storing sensitive information insecurely, can expose users to identity theft or surveillance.
7. Insecure Data Transfer and Storage
Data transmitted between the IoT device and other systems may not be encrypted, allowing attackers to intercept and access sensitive information. Similarly, local data storage may lack proper encryption, making it accessible to attackers with physical access.
8. Lack of Device Management
Many connected devices do not include robust management features like logging, monitoring, or alerting, which makes it difficult to detect or respond to security incidents. This lack of visibility increases the risk of prolonged undetected attacks.
9. Insecure Default Settings
IoT devices are often shipped with insecure default settings, such as open ports, unnecessary services, or weak security configurations that users do not modify, leaving the device vulnerable to attacks out of the box.
10. Lack of Physical Hardening
IoT devices are often deployed in environments where physical access is possible, but they may lack protections like tamper detection or secure boot mechanisms. Attackers can exploit these weaknesses to access internal components, extract firmware, or tamper with the device.
Common attacks on IoT devices
The number of attacks on IoT has increased worldwide in recent years. Let’s look at the most common security threats that IoT devices face, how the attacks are conducted, and which IoT devices are most prone to those cyberattacks.
1. Denial of Service (DoS) Attacks
One of the most common threats IoT devices face is a Denial of Service (DoS) attack, which aims to overwhelm the resources of a device or an entire network, making it unavailable to legitimate users. These attacks exploit the limited processing power and bandwidth of IoT systems, often forcing them to crash or become temporarily unresponsive.
A typical method involves flooding the target with requests. Attackers send an overwhelming number of requests to the device or its associated services, such as HTTP, DNS, or MQTT. This exhausts the device’s processing power, memory, or bandwidth, eventually leading to a crash or shutdown.
Another technique is amplification attacks, where small requests are sent to a vulnerable service like NTP or DNS. These services respond with much larger data, and the amplified responses are redirected to the target device, overwhelming it.
Finally, there is the Ping of Death method, in which attackers send oversized or malformed ping requests (ICMP echo request packets). A device that cannot handle such packets can freeze or crash.
2. Man-in-the-Middle (MITM) Attacks
In an MITM attack, the attacker intercepts the communication between an IoT device and its server or another device. This allows the attacker to eavesdrop, modify, or inject false data into the communication stream. Many smart home devices are vulnerable to MITM attacks because they use unencrypted communication channels.
Here are some common techniques and tools that attackers use to intercept and manipulate data:
- If IoT devices communicate over unsecured protocols (e.g., HTTP instead of HTTPS), an attacker can capture data packets by positioning themselves between the device and the network. Tools like Wireshark or Ettercap can be employed by malicious users to monitor network traffic.
- In local networks, attackers can use Address Resolution Protocol (ARP) spoofing to trick the network into routing traffic through the attacker’s machine. Once the attacker is in the middle, they can manipulate the data exchanged between devices.
- If IoT devices do not enforce HTTPS, an attacker can downgrade the connection from HTTPS to HTTP, thereby stripping encryption and intercepting plaintext data.
3. Firmware Reverse Engineering
In a firmware reverse engineering attack, the attacker extracts and analyzes the device’s firmware to understand its internal workings, discover vulnerabilities, or extract sensitive data such as hardcoded credentials or encryption keys. What does such an attack look like?
- Attackers may obtain the firmware by downloading it from the manufacturer’s website (if publicly available) or physically dumping the firmware from the device’s memory using debugging ports like JTAG or UART.
- Once the firmware is obtained, reverse engineering tools like IDA Pro, Ghidra, or Binwalk are used to disassemble and analyze the binary. This allows attackers to understand how the device functions, locate hardcoded credentials, or discover vulnerable code paths.
- Attackers may modify the firmware to insert malicious code and then re-upload the compromised firmware back onto the device.
4. Side-Channel Attacks
Side-channel attacks exploit the physical characteristics of an IoT device, such as its power consumption, electromagnetic radiation, or timing variations, to gather sensitive information like cryptographic keys. These attacks can take various forms, each targeting specific physical characteristics of the device to extract data:
- In power analysis, attackers monitor the power usage of a device while it performs cryptographic operations. Tools like oscilloscopes can be used to measure tiny fluctuations in power consumption, which may leak information about the encryption key.
- By measuring how long it takes a device to perform certain operations, such as decryption, attackers can perform timing attacks to infer secret keys. Slight variations in processing times may reveal information about the data being processed.
- Devices can also emit small electromagnetic signals during computation, making them vulnerable to electromagnetic emanation attacks. Attackers capture these signals using specialized equipment and analyze them to reconstruct cryptographic operations.
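To make the timing leak described above concrete, here is an added example in Go (not code from the article): a naive PIN or token comparison of the kind found in small device firmwares, which stops at the first mismatching byte, beside the constant-time comparison a device should use instead. The constructed PIN and guesses are assumptions of the example, and the count of bytes examined stands in for elapsed time.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// compareNaive is the kind of PIN or token check found in many small device
// firmwares: it stops at the first differing byte. The returned count of bytes
// examined stands in for elapsed time, so the leak is visible without a scope.
func compareNaive(secret, guess []byte) (equal bool, work int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	for i := range secret {
		work++
		if secret[i] != guess[i] {
			return false, work
		}
	}
	return true, work
}

// compareConstantTime examines every byte regardless of where guesses diverge,
// so the work done (and the time taken) carries no information about the secret.
func compareConstantTime(secret, guess []byte) (equal bool, work int) {
	if len(secret) != len(guess) {
		return false, 0 // length is treated as public here; pad to a fixed size if it is not
	}
	return subtle.ConstantTimeCompare(secret, guess) == 1, len(secret)
}

// WorkProfile returns, for each guess, how many bytes each comparison examined.
// Guesses sharing a longer prefix with the secret cost the naive version more,
// which is exactly the signal a timing attack keys on.
func WorkProfile(secret []byte, guesses [][]byte) (naive, constant []int) {
	for _, g := range guesses {
		_, n := compareNaive(secret, g)
		_, c := compareConstantTime(secret, g)
		naive = append(naive, n)
		constant = append(constant, c)
	}
	return naive, constant
}

func main() {
	secret := []byte("7391") // constructed device PIN, not a real default
	guesses := [][]byte{[]byte("0000"), []byte("7000"), []byte("7300"), []byte("7391")}
	n, c := WorkProfile(secret, guesses)
	fmt.Println("naive work per guess:        ", n) // [1 2 3 4]
	fmt.Println("constant-time work per guess:", c) // [4 4 4 4]
}
```

The same principle applies to any secret the device compares, including firmware signature bytes and session tokens, which is why standard-library constant-time primitives should be used rather than hand-written loops.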
5. Botnets
A botnet attack occurs when an attacker compromises and gains control over many IoT devices, forming a coordinated network that can be remotely directed to perform large-scale malicious activities, such as distributed denial-of-service (DDoS) attacks, data theft, or network intrusion.
- To begin this process, attackers target vulnerabilities during the infection phase. They typically exploit default credentials, weak authentication, or unpatched vulnerabilities to gain access. This initial phase allows attackers to install malware on the device. Recent IoT malware campaigns include the Iran-linked IOCONTROL, which targeted critical IoT infrastructure in Israel and the US, such as IP cameras, routers, PLCs (programmable logic controllers), and firewalls.
- Once compromised, the devices report back to a Command and Control (C2) server. From there, attackers can issue commands, using the devices to carry out Distributed Denial of Service (DDoS) attacks, spam campaigns, or brute-force attacks.
- The malware may then begin spreading itself by scanning for other vulnerable IoT devices in the same network or across the internet. This allows the botnet to grow in size, further amplifying its potential impact.
One of the most famous IoT botnets is the Mirai botnet, first observed in 2016. It is powered by the Mirai malware, which infects vulnerable IoT devices to build a network of compromised devices capable of launching massive DDoS attacks. Recent strains of the Mirai malware, such as the “Corona” variant, have exploited zero-day vulnerabilities like CVE-2024-7029 in AVTECH IP cameras to propagate infections. Another variant targeted GeoVision devices using CVE-2024-11120.
Another example is Raptor Train (taken down by authorities in September 2024) – a Chinese state-operated botnet based on the Mirai malware strain. The botnet consisted of 250,000 infected devices worldwide, most of them in the United States, and was used to conduct operations against targets between 2020 and 2024.
6. Credential Harvesting
Attackers often aim to steal login credentials to gain unauthorized access to IoT devices. This process, known as credential harvesting, exploits weak authentication mechanisms or relies on deceptive techniques like phishing.
One common method is brute-force attacks, where attackers use automated tools such as Hydra or Medusa to repeatedly attempt login combinations using common usernames and passwords. Since many IoT devices still use default credentials, they remain easy targets.
Another approach involves credential stuffing. If attackers have stolen credentials from other systems – often through a previous data breach – they try reusing those credentials on IoT devices. This method is particularly effective because users frequently reuse the same passwords across multiple platforms.
Phishing is also a prevalent tactic, where attackers trick users into providing their credentials. By sending deceptive emails or creating fake login pages that mimic legitimate management interfaces, attackers can capture usernames and passwords with ease.
7. Physical Tampering
In a physical tampering attack, the attacker gains direct physical access to an IoT device, allowing them to manipulate the device’s hardware or firmware, extract data, or introduce malware.
One way attackers can achieve this is by accessing debugging ports. Many IoT devices include exposed interfaces like JTAG or UART, which allow direct interaction with the hardware. Through these ports, attackers can extract firmware, alter configurations, or bypass built-in security mechanisms.
Another technique involves memory dumping. By physically tampering with the device, attackers can extract its memory contents, potentially revealing sensitive information such as encryption keys, credentials, or proprietary software.
In some cases, attackers install malicious hardware to intercept or manipulate operations. By attaching components like keyloggers or microcontrollers, they can monitor communications or alter the device’s behavior.
Industrial IoT devices, such as smart meters or factory sensors, have been frequent targets of these attacks, with modifications often aimed at interfering with readings or disrupting operations in critical infrastructure.
8. Rogue Devices and Spoofing
Rogue devices impersonate legitimate ones to gain unauthorized access, while spoofing involves falsifying a device’s identity to communicate with trusted systems.
In spoofing attacks, attackers replicate identifiers such as MAC addresses or other unique device IDs captured from network traffic. This allows them to impersonate a legitimate device and intercept or send data undetected.
Rogue devices can be introduced into a network, pretending to be trusted systems. Once accepted, they can manipulate data, intercept communications, or act as a gateway for further attacks.
Conclusion
IoT vulnerabilities – such as weak authentication, insecure communications, and unpatched components – expose devices to attacks like botnets, firmware tampering, and physical exploitation. These threats jeopardize not only individual users but also critical infrastructure and entire ecosystems.
To mitigate these risks, manufacturers must adopt secure-by-design principles, implement rigorous vulnerability testing, and ensure devices receive regular security updates throughout their lifecycle. Organizations should conduct penetration testing to identify weaknesses, deploy intrusion detection systems for real-time monitoring, and enforce strong network segmentation. Policymakers, through frameworks like the EU Cyber Resilience Act or the US Trust Mark, are instrumental in mandating these practices to enhance IoT security standards globally.
Users also play a role by changing default credentials, applying updates promptly, and securing their networks.
Creating a secure IoT ecosystem requires collaboration at all levels – manufacturers building devices with robust security features, organizations implementing proactive defenses, and policymakers enforcing effective regulations.