Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security //


// // //
08:05 AM
Alan Zeichick
Alan Zeichick

Get Ready for Realistic Attacks on the Internet of Things

Good news: We haven't seen a widespread action against IoT devices. Bad news: IoT devices are shockingly vulnerable.

"Everyone wants to attack the Internet of Things! Oh, no, the sky is falling!" pundits say, some meaningfully, some sarcastically. I've heard a lot about threats against the IoT at events like this past spring's RSA Conference and this month's Black Hat 2018. Those warnings are justified.


The good news is that we haven't seen a widespread action against IoT devices -- or at least, we haven't heard about one yet. The bad news is that IoT devices are shockingly vulnerable. Nobody knows where they are and what software they're running. Many of them are running out-of-date software and either can't be or won't be updated. Some of them have enough horsepower, bandwidth and data to be credible targets.


Let's move out of "The sky is falling!" mode (which isn't helpful) and try to understand likely attack scenarios that could be deployed against IoT devices.


A root source for this discussion is a taxonomy of IoT threats published by the European Union Agency for Network and Information Security (ENISA), called "Baseline Security Recommendations for IoT in the context of Critical Information Infrastructures."


Attacks against the IoT don't necessarily mean compromising end-point devices themselves. Sure, unpatched and otherwise insecure devices are vulnerable. But so are the devices they connect to, either with wires or without -- including networking infrastructure, like routers, switches and gateways. The on-premises and cloud-based servers are also points of attack, as well as databases and other repositories for that information.


For example, remember that every use of a credit-card skimmer is an attack on an IoT device -- and so is every breach of a retail store's database of stored customer information gathered from its point of sale kiosks.

Geralt via Pixabay
Geralt via Pixabay

Here are some of the threats in a taxonomy of IoT attacks:

  • Malware: Placing software onto IoT devices or servers to damage the device, corrupt data, steal data -- or spread more malware
  • DDoS: Use many IoT devices to flood some other attack victim across the Internet with unwanted traffic, resulting in a Distributed Denial of Service attack.
  • Counterfeit attack: Using faked credentials to simulate an IoT device, perhaps to compromise data or perhaps to steal data.
  • Privacy attacks: Trying to steal information about people in general, or specific people, in order to learn more about them, such as bank information, passwords or other info.
  • Modification of information: Manipulating information for some illicit purpose, such as to cause chaos or steal information. Think about tricking a police department into thinking there is a robbery, so they divert resources away from other areas.
  • Man in the middle: Basically eavesdropping as a middleman, the hackers relay presumed-to-be-safe information from an IoT device to its server… while keeping a copy for themselves.
  • Session hijacking: Acting as a legitimate host in order to seal, modify or delete information, such as authentication credentials or telemetry.
  • Service outage: Disrupting communications between an IoT device and its host, perhaps by causing network errors, to deny service.

Realistic attack scenarios
In the guide mentioned above, the ENISA researchers postulate many attack scenarios that could be deployed against IoT devices or systems. Here are three, and I'm quoting directly from the ENISA report here:


Attack against sensors, modifying their values or thresholds
The attacker manipulates the configuration of the sensors, changing the threshold values established on the sensors to allow out-of-range read values to be accepted when they should not, posing a severe threat to the systems and installations. Because larger installations usually have multiple and redundant sensors, the attacker would have to compromise multiple sensors for the attack to be efficient. If only one were compromised, the readings could be compensated with the input from the rest of the sensors.


Impact:Allowing sensors to report and accept incorrect values puts the IoT environment at risk. A malfunctioning sensor may allow a power spike to go through, physically damaging the systems.


Attack against actuators, modifying or sabotaging their settings
Manipulation of the actuators' configuration or parameters to make them use wrong configurations, thresholds or data, and therefore affect their normal behavior by sabotaging their operation settings.


Impact:It varies depending on the actuators affected. It can affect production processes.


Attacks against the IoT administrative systems
An attacker tries to gain full control over the administration system of an IoT system or device, potentially compromising the whole environment. It can be quite successful if weak or default passwords are used. This type of attack comprises different stages, and it is usually launched in a covert manner. It should be noted that this type of attack should be taken into account for the entire life cycle of the device.


Impact:The compromise, manipulation or interruption of certain IoT systems could affect many people, cause environmental issues and even extend to other systems, affecting their communications or even disabling them.

Maybe the sky is falling
IoT has the potential to be incredibly useful, but security is key. If sensors are compromised, the sky might be falling and we wouldn't even know it. If actuators are attacked, our own devices could be causing the sky to fall. And if administrative systems are breached, there ain't nothing we can do about it.

Related posts:

Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity and software development. Follow him @zeichick.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...