1 of 55

Internet of Things

Lecture 6 - Security Attacks in IoT

2 of 55

Attacks against IoT

  • Attacks against IoT critical apps
  • Remote location, unsupervised
    • modify & destroy nodes
  • Resource constrained
    • easily compromised
  • Connected to the Internet
  • Security solutions
    • no CPU intensive solutions
    • lightweight solutions

3 of 55

IoT Botnet – DDoS attack

Infected 65000 IoT devices in the first 20 hours

4 of 55

Attack Classification

5 of 55

Attacks classification

Source: Sengupta et al. A comprehensive survey on attacks, security issues and blockchain solutions for IoT and IIoT.

6 of 55

Physical Attacks

  • Attacker is in the proximity of the devices

  • Tampering
    • physical modification
    • device, communication channel

  • Malicious Code Injection
    • inject malicious code
    • modify node behavior
    • launch other attacks

7 of 55

Physical Attacks

  • RF Interference/Jamming
    • generate noise on the wireless channel
    • prevent the device from communicating
    • DoS

  • Fake Node Injection
    • insert a malicious node
    • capture traffic
    • launch other attacks

8 of 55

Physical Attacks

  • Sleep Denial Attack
    • Duty cycling - reduce energy consumption
    • prevent nodes from sleeping
    • deplete battery
    • DoS

  • Permanent Denial of Service (PDoS)
    • Phlashing
    • physically destroy/disable device
    • Firmware, BIOS corruption
    • DoS

9 of 55

Physical Attacks

  • Side Channel Attack
    • Use external information to learn about the implementation
    • Attack the physical effects of an implementation
    • Passive:
      • Power analysis attack
        • analyse how energy is consumed
        • information about cryptographic operations, keys
      • Electromagnetic analysis attack
        • analyse electromagnetic energy

10 of 55

Physical Attacks

  • Side Channel Attack
    • Active:
      • Electromagnetic fault injection
        • apply electromagnetic impulse on memory cells
        • modify the content of memory cells
      • Temperature variation
        • extreme temperatures
        • modify memory
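Added illustration (not part of the lecture slides): a side channel exists whenever the physical behaviour of an implementation depends on secret data. The script below models that with a secret comparison routine: the number of byte operations it performs stands in for the power or timing trace an attacker would measure. The early-exit version does more work the more leading bytes of a guess are correct, so its "trace" leaks the secret; the constant-work version does the same amount of work for every input. The 4-byte secret and the guesses are constructed values for the demo.

```python
import hmac

# Constructed 4-byte secret for the demonstration (an assumption, not a real key).
SECRET = bytes([0x12, 0x34, 0x56, 0x78])

def leaky_compare(secret: bytes, guess: bytes):
    """Early-exit comparison, as found in naive firmware.
    Returns (equal, number of byte operations performed). The operation count is
    a stand-in for a power or timing trace: it grows with the number of leading
    bytes that match, so the physical behaviour depends on the secret."""
    ops = 0
    if len(secret) != len(guess):
        return False, ops
    for a, b in zip(secret, guess):
        ops += 1
        if a != b:
            return False, ops
    return True, ops

def constant_work_compare(secret: bytes, guess: bytes):
    """Touches every byte regardless of where the first mismatch occurs, so the
    amount of work (and, on real hardware, the power profile) no longer depends
    on which bytes matched. Same idea as hmac.compare_digest."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    ops = 0
    for a, b in zip(secret, guess):
        ops += 1
        diff |= a ^ b
    return diff == 0, ops

def leakage_profile(compare, secret, guesses):
    """Operation count observed for each guess: a flat profile means no leak."""
    return [compare(secret, g)[1] for g in guesses]

# Constructed guesses matching 0, 1, 2 and 3 leading bytes, then the full secret.
GUESSES = [
    bytes([0x00, 0x00, 0x00, 0x00]),
    bytes([0x12, 0x00, 0x00, 0x00]),
    bytes([0x12, 0x34, 0x00, 0x00]),
    bytes([0x12, 0x34, 0x56, 0x00]),
    SECRET,
]

def library_check(secret: bytes, guess: bytes) -> bool:
    """The standard-library primitive to use in practice for secret comparisons."""
    return hmac.compare_digest(secret, guess)

if __name__ == "__main__":
    print("leaky   :", leakage_profile(leaky_compare, SECRET, GUESSES))
    print("constant:", leakage_profile(constant_work_compare, SECRET, GUESSES))
```

The leaky profile rises by one operation for each correct leading byte, which is exactly the kind of data-dependent behaviour power and electromagnetic analysis exploit on real hardware; the constant-work profile is flat. Counting operations is only a model: on a device, the same property has to hold for instruction sequence, memory access pattern and current draw.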

11 of 55

Network Attacks

  • Disrupt network functionality
  • Affect network protocols
    • routing protocols
  • Steal private data

  • Traffic Analysis Attack
    • open wireless medium
    • intercept packets
    • steal private information

12 of 55

Network Attacks

  • RFID Spoofing
    • spoof RFID packets
    • steal RFID tag information
    • use stolen tag to send fake data

  • RFID Unauthorized Access
    • read/modify/delete data from RFID devices
    • lack of authentication

13 of 55

Network Attacks

  • Routing Information Attacks
    • falsify/modify routing information
    • fake routing messages
    • compromise routing protocol
    • routing loops

  • Selective Forwarding
    • compromised node that acts as a router
    • route only some packets, drop packets, modify packets
    • data that reaches the destination is incomplete
    • compromises communication
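Added example (not part of the lecture slides): a small simulation of selective forwarding and the watchdog-style detection used against it. Packets travel source -> A -> B -> C -> sink; relay B is compromised and silently drops a fraction of what it receives. Every transmission is recorded as something a neighbouring node could overhear on the open wireless medium, and the detector computes each relay's forwarded/received ratio from those overheard transmissions only, so a malicious relay cannot improve its score by lying about its own counters. Topology, drop rate and thresholds are constructed for the demo.

```python
import random
from collections import defaultdict

# Constructed topology: source -> A -> B -> C -> sink. Relay B is the compromised
# node and silently drops 40% of what it receives (an assumption for the demo).
PATH = [("A", 0.0), ("B", 0.4), ("C", 0.0)]

def run_path(path, n_packets, seed=1):
    """Simulate n_packets travelling hop by hop. Every transmission is recorded as
    (sender, receiver, packet id): this is what a neighbouring watchdog node can
    overhear on the wireless channel, so a malicious relay cannot fake it."""
    rng = random.Random(seed)
    log = []
    delivered = 0
    for pkt_id in range(n_packets):
        sender = "source"
        for name, drop_rate in path:
            log.append((sender, name, pkt_id))
            if rng.random() < drop_rate:
                break                     # selective forwarding: packet vanishes here
            sender = name
        else:
            log.append((sender, "sink", pkt_id))
            delivered += 1
    return delivered, log

def forwarding_ratios(log):
    """forwarded / received per relay, computed from overheard transmissions only."""
    received = defaultdict(int)
    forwarded = defaultdict(int)
    for sender, receiver, _ in log:
        received[receiver] += 1
        forwarded[sender] += 1
    return {n: forwarded[n] / received[n] for n in received if n != "sink"}

def flag_suspects(log, min_ratio=0.9, min_samples=50):
    """Watchdog rule: a relay that forwarded less than min_ratio of what it received
    is reported, but only after min_samples observations so that a handful of honest
    radio losses does not trigger an alert. Thresholds are constructed for the demo."""
    received = defaultdict(int)
    for _, receiver, _ in log:
        received[receiver] += 1
    ratios = forwarding_ratios(log)
    return sorted(n for n, r in ratios.items()
                  if received[n] >= min_samples and r < min_ratio)

if __name__ == "__main__":
    delivered, log = run_path(PATH, 1000)
    print("delivered:", delivered, "of 1000")
    print("ratios:", {n: round(r, 2) for n, r in forwarding_ratios(log).items()})
    print("suspects:", flag_suspects(log))
```

With 1000 packets the honest relays A and C score 1.0 while B scores about 0.6 and is the only node flagged; the end-to-end delivery count alone would tell you that packets are being lost but not where. In a real deployment the ratio has to be compared against the link's normal loss rate, which is why the threshold and the minimum sample count are tunable.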

14 of 55

Network Attacks

  • Sinkhole Attack
    • propagate fake routing info
    • pose itself as gateway/sink
    • all traffic goes through that node

  • Wormhole Attack
    • low latency link for tunneling packets
    • to a distant part of the network
    • make two distant nodes seem neighbors
    • compromise routing protocol

15 of 55

Network Attacks

  • Sybil Attack
    • assume multiple identities and locations
    • compromise network, routing protocol
    • unfair resource allocation

  • Man in the Middle (MitM) Attack
    • intercept and modify traffic between 2 entities
    • extract private information
    • modify packets

16 of 55

Network Attacks

  • Replay Attack
    • intercept packets
    • retransmit them
    • may contain signature or MAC for authentication
    • destination must have anti-replay protection to reject them
    • overload network => DoS
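Added example (not part of the lecture slides): why a valid MAC is not enough and what anti-replay protection at the destination looks like. Each frame is a 4-byte sequence number, the payload and an HMAC-SHA256 tag. The receiver verifies the tag, then rejects any sequence number it has already accepted and anything older than a sliding window (the same scheme IPsec uses); a captured genuine frame therefore passes the MAC check but is still refused. The shared key, window size and messages are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed shared key for the demo (an assumption; real devices provision their own).
KEY = b"example-device-key-32-bytes-long!!"
TAG_LEN = 32

def build_message(seq, payload, key=KEY):
    """Frame = 4-byte big-endian sequence number || payload || HMAC-SHA256 tag."""
    header = struct.pack(">I", seq) + payload
    tag = hmac.new(key, header, hashlib.sha256).digest()
    return header + tag

class Receiver:
    """Verifies the MAC, then applies a sliding anti-replay window: a sequence
    number already accepted, or older than (highest - window), is rejected."""
    def __init__(self, key=KEY, window=64):
        self.key = key
        self.window = window
        self.highest = -1     # highest sequence number accepted so far
        self.seen = set()     # accepted sequence numbers still inside the window

    def accept(self, frame):
        """Returns (accepted, reason)."""
        if len(frame) < 4 + TAG_LEN:
            return False, "malformed"
        header, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        # Constant-time compare so the MAC check itself is not a timing side channel.
        if not hmac.compare_digest(tag, expected):
            return False, "bad MAC"
        seq = struct.unpack(">I", header[:4])[0]
        if seq in self.seen:
            return False, "replay"          # genuine frame, but already processed
        if seq <= self.highest - self.window:
            return False, "too old"         # outside the window: cannot tell, so refuse
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        # Forget bookkeeping that has fallen out of the window.
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return True, "ok"

def demo():
    """Replays the scenario from the slide against a receiver with anti-replay."""
    rx = Receiver()
    outcomes = []
    genuine = build_message(1, b"temp=21.5")
    outcomes.append(rx.accept(genuine)[1])                         # ok
    outcomes.append(rx.accept(genuine)[1])                         # replay of a valid frame
    outcomes.append(rx.accept(build_message(2, b"temp=21.6"))[1])  # ok
    tampered = bytearray(genuine)
    tampered[4] ^= 0x01                                            # flip a payload bit
    outcomes.append(rx.accept(bytes(tampered))[1])                 # bad MAC
    outcomes.append(rx.accept(build_message(200, b"x"))[1])        # ok, window slides to 136..200
    outcomes.append(rx.accept(build_message(100, b"x"))[1])        # too old
    return outcomes

if __name__ == "__main__":
    print(demo())
```

The second outcome is the point of the slide: the replayed frame carries a correct tag, so without the window the receiver would process it again. The window also bounds memory, since the receiver only remembers sequence numbers that are still inside it; sequence numbers must never wrap under the same key, which is why real protocols rekey before the counter is exhausted.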

17 of 55

Network Attacks

  • Denial of Service (DoS) Attack
    • disrupt normal functionality
    • target network, devices, application

  • Distributed Denial of Service (DDoS) Attack
    • carried by multiple malicious nodes
    • many connection requests
    • target internal or external entity
    • server, other device, the whole network

18 of 55

Software Attacks

  • Exploit software vulnerabilities

  • Malicious applications
    • viruses
    • worms
    • trojans
    • spyware
    • adware
    • backdoors
    • rootkits

19 of 55

Software Attacks

  • Actions
    • steal sensitive information
    • modify and destroy data
    • disable devices
    • affect IoT system functionality
    • infect Cloud apps

  • Hardware trojans
    • changes in integrated circuits
    • altered behavior

20 of 55

Data Attacks

  • Data collected by IoT nodes and stored in Cloud
  • Protecting user data has high priority

  • Data Inconsistency
    • attack on data integrity
    • data in transit or stored data

21 of 55

Data Attacks

  • Unauthorized Access
    • only authorized users should have access to data
    • data access & ownership without authorization

  • Data Breach/Memory Leak
    • disclosure of sensitive/confidential/personal data

22 of 55

Real World Attacks

23 of 55

Botnet Attacks

  • Botnet
    • network of infected devices controlled by hackers to launch large-scale attacks

  • Devices get infected via malware
    • phishing, software exploits, weak passwords

  • Hackers remotely control them
    • command-and-control (C&C) servers

  • DDoS attacks, spam campaigns, data theft, cryptojacking

24 of 55

Mirai Attack

  • From 2016
  • Malware targeting IoT devices with ARC processors
    • IP cameras
  • Running a simplified Linux version
  • Scans for open Telnet/SSH ports

25 of 55

Mirai Attack

  • Brute-forces default/weak passwords
  • Infected devices form a botnet
  • Botnets are used for large-scale DDoS attacks
    • against important websites and services
  • Malware code was published online

26 of 55

Mirai - Major Attacks

  • KrebsOnSecurity (2016)
    • targeting the security blog
    • 620 Gbps
    • 145,000 IoT devices
  • Dyn DNS attack (2016)
    • targeting Dyn service provider
    • 1.2 Tbps
    • disrupted Twitter, Netflix, Reddit, etc.
  • OVH Hosting attack (2016)
    • targeting OVH, a French cloud provider
    • 1 Tbps

27 of 55

Meris Botnet

  • 2021
  • High-powered IoT botnet
  • HTTP/HTTPS flood attacks
  • 30+ million requests per second (RPS)
  • Targeted services:
    • Yandex search engine
    • Cloudflare customers
    • financial institutions

28 of 55

Meris Botnet

  • Primary targets:
    • MikroTik routers
    • IoT devices with default credentials/unpatched vulnerabilities
  • Propagation:
    • no brute-force
    • exploits known vulnerabilities
      • CVE-2018-14847 on MikroTik devices
    • self-replicating malware

29 of 55

Meris Botnet - Real World Impact

  • Case studies:
    • 2021 Yandex attack: 21.8M RPS for days
    • 2021 Cloudflare client attack: 17.2M RPS
    • 2022 Financial sector: took down online banking portals
  • Consequences:
    • hours of downtime
    • mitigation expenses

30 of 55

Defending against Meris Attack

  • Patch Routers - prioritize MikroTik (CVE-2018-14847)
  • Rate Limiting - throttle HTTP requests
  • Deploy Web Application Firewalls (WAFs)
  • Traffic Monitoring - detect abnormal HTTP spikes
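Added example (not part of the lecture slides): the two defences from this slide that can be expressed in code, run over constructed web-server log lines. The monitor counts requests per second and flags a second whose count is far above the median of the preceding seconds; the rate limiter is a per-client token bucket, the usual building block behind "throttle HTTP requests". The log lines are in Common Log Format and are synthetic: five seconds of normal load from ten clients, then one second in which 100 addresses from the 198.51.100.0/24 documentation range each send 30 requests, a small-scale stand-in for an HTTP flood. Thresholds and rates are constructed, not tuned values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)$'
)

def make_sample_log():
    """Constructed Common Log Format lines (not real traffic): five seconds of
    normal load from 10 clients at 2 req/s each, then one second in which 100
    constructed bot addresses send 30 requests each, mimicking an HTTP flood."""
    lines = []
    for sec in range(5):
        for c in range(10):
            for _ in range(2):
                lines.append(f'10.0.0.{c + 1} - - [01/Jan/2025:00:00:{sec:02d} +0000] '
                             f'"GET /api/items HTTP/1.1" 200 512')
    for b in range(100):
        for _ in range(30):
            lines.append(f'198.51.100.{b + 1} - - [01/Jan/2025:00:00:05 +0000] '
                         f'"GET /search?q=x HTTP/1.1" 200 4096')
    return lines

def parse(lines):
    """(epoch second, client ip) for every well-formed line; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((int(ts.timestamp()), m["ip"]))
    return events

def detect_spikes(events, window=5, factor=5.0):
    """Traffic monitoring: flag a second whose request count exceeds `factor` times
    the median of the preceding `window` seconds (needs at least 3 s of history)."""
    per_sec = Counter(t for t, _ in events)
    seconds = sorted(per_sec)
    flagged = []
    for i, s in enumerate(seconds):
        history = [per_sec[p] for p in seconds[max(0, i - window):i]]
        if len(history) >= 3 and per_sec[s] > factor * median(history):
            flagged.append((s, per_sec[s]))
    return flagged

class TokenBucket:
    """Per-client token bucket: `rate` tokens refill per second, at most `burst` stored."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}

    def allow(self, ip, now):
        elapsed = now - self.last_seen.get(ip, now)
        self.tokens[ip] = min(self.burst, self.tokens[ip] + elapsed * self.rate)
        self.last_seen[ip] = now
        if self.tokens[ip] >= 1:
            self.tokens[ip] -= 1
            return True
        return False

def apply_rate_limit(events, rate=5.0, burst=10):
    """Replay the events through the limiter; returns (allowed, throttled)."""
    bucket = TokenBucket(rate, burst)
    allowed = throttled = 0
    for t, ip in sorted(events):
        if bucket.allow(ip, t):
            allowed += 1
        else:
            throttled += 1
    return allowed, throttled

if __name__ == "__main__":
    ev = parse(make_sample_log())
    print("spikes:", detect_spikes(ev))
    print("allowed/throttled:", apply_rate_limit(ev))
```

On the sample the monitor flags only the flood second (3000 requests against a baseline of 20), and the limiter lets every normal request through while throttling two thirds of the bot traffic. Per-client limiting is what a botnet is built to defeat, since the load is spread over many addresses, so in practice it is combined with the global anomaly signal and with WAF rules on the request pattern itself.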

31 of 55

Matrix Botnet

  • November 2024
  • Attacker "Matrix"
  • Attack Type: DDoS
  • Motivation:
    • disruption, potential financial gain (DDoS-for-hire)
  • Mirai botnet malware
    • => older malware remains effective against unpatched systems

32 of 55

Matrix Botnet

  • Infection method:
    • exploiting known security vulnerabilities on connected devices
  • Scanning:
    • tools to scan IP ranges of cloud service providers
    • to search for vulnerable IoT devices

33 of 55

Matrix Botnet

  • Primary target locations: China and Japan
    • higher concentration of IoT devices
    • weaker security measures on some devices
  • Lesson learned:
    • patch devices
    • stronger IoT security

34 of 55

Raptor Train Botnet

  • September 2024
  • Over 200,000 compromised devices
  • Device Types:
    • Small office/home office (SOHO)
    • IoT
    • IP cameras
    • Routers
    • Network-attached storage (NAS) devices

35 of 55

Raptor Train Botnet

  • Suspected attacker: Flax Typhoon
    • possible affiliation with the Chinese nation-state
  • Active since: May 2020
  • Peak activity: June 2023
  • Three-tiered architecture
    • complex C&C infrastructure

36 of 55

Raptor Train Botnet

  • Infection method:
    • exploited known and zero-day vulnerabilities
  • Malware:
    • customized Mirai variant called Nosedive

37 of 55

Raptor Train Botnet

  • Flax Typhoon => motivation:
    • espionage
    • establishing infrastructure for future disruptive activities
  • Targeting SOHO devices:
    • widespread use
    • often weaker security compared to enterprise equipment
  • Demonstrated a prolonged and sophisticated operation

38 of 55

Enduring Threat of Mirai

  • Mirai's return: still powers botnets (Matrix, Raptor Train)
  • Lasting effectiveness
  • Many IoT devices are still exposed
    • use default passwords & have known vulnerabilities

39 of 55

Eleven11bot Botnet

  • March 2025
  • Malware
  • Over 86,000 infected IoT devices
  • Primary targets:
    • Security cameras
    • Network video recorders (NVRs)
  • Primary function:
    • Conducting DDoS attacks

40 of 55

Eleven11bot Botnet

  • Continuous threat:
    • ongoing development of IoT botnets

  • Why target security cameras and NVRs?
    • direct internet connectivity
    • default/weak security measures
    • susceptible to compromise to be used in disruptive attacks

41 of 55

AVTECH IP Camera Vulnerability

  • August 2024
  • Affected devices: AVTECH IP cameras
  • Used frequently in critical infrastructures:
    • Finance
    • Healthcare
    • Transportation
  • Exploitation in these sectors is highly concerning

42 of 55

AVTECH IP Camera Vulnerability

  • Vulnerability known since 2019
  • CVE assigned in 2024
  • Issue:
    • systemic delays in identifying and fixing IoT vulnerabilities
  • Consequence:
    • vulnerabilities can persist for years, exposing critical systems
  • Contributed to the spread of Mirai

43 of 55

GeoVision Zero-Day Exploit

  • November 2024
  • Malware botnet
  • Vulnerability type: zero-day
  • Targeted devices: End-of-life GeoVision devices
  • Purpose:
    • recruiting devices for DDoS attacks
    • cryptomining operations

44 of 55

GeoVision Zero-Day Exploit

  • Reasons for targeting end-of-life devices
    • unlikely to receive security updates
    • unpatched vulnerabilities
  • Device lifecycle management
    • replacing old IoT devices
  • Zero-day exploit
    • ability to discover & exploit unknown vulnerabilities

45 of 55

Akira Ransomware Webcam Bypass

  • March 2025
  • Attacker: Akira ransomware gang
  • Initial access point: unsecured/vulnerable webcam
  • Goal:
    • bypass Endpoint Detection and Response (EDR) systems
    • launch encryption attacks on a victim's network

46 of 55

Akira Ransomware Webcam Bypass

  • EDR
    • blocking ransomware on Windows
    • bypassed by gaining initial access through webcam
  • Important to secure all connected devices
    • a single compromised device - used by attackers to bypass security
  • Network segmentation
    • limit potential impact of an attack coming from an IoT device

47 of 55

Mars Hydro Data Exposure

  • February 2025 - significant data exposure incident
  • Target: Mars Hydro IoT devices
  • Exposed 1.17 terabytes of data - 2.7 billion records
  • Sensitive Data Exposed:
    • Wi-Fi network names
    • email addresses
    • hashed passwords
    • IP addresses
    • device IDs
    • etc.

48 of 55

Mars Hydro Data Exposure

  • IoT devices collecting vast amount of data
    • potential for leaking
  • Privacy concerns:
    • exposure of personal and network information
  • Exposed data could be used:
    • attacks that target the users and networks

49 of 55

Most Vulnerable IoT Device Types in 2024

Device Type                        Percentage of Vulnerabilities
Smart Plug                         28.66%
Network-Attached Storage (NAS)     17.89%
Smart TV                           16.93%
IP Camera                           6.33%
Router                              4.23%
Home Monitoring                     4.01%
Smart Speakers                      3.54%
Home Automation Hubs                3.13%
Extender                            3.08%
DVR                                 2.62%

50 of 55

Common IoT Attack Vectors

  • Exploitation of known, unpatched vulnerabilities:
    • Meris, Matrix, Raptor Train, AVTECH IP cameras
  • Default or weak passwords:
    • contributing to Mirai (Matrix, Eleven11bot) success
  • Zero-day vulnerabilities:
    • exploited in devices like GeoVision

51 of 55

Fundamental Security Practices

  • Use strong, unique passwords
  • Enable automatic firmware updates
    • apply patches quickly
  • Use Multi-Factor Authentication (MFA)
  • Replace unsupported (end-of-life) devices

52 of 55

Fundamental Security Practices

  • Configure devices securely
  • Disable unnecessary device features and services
  • Secure communication with encryption

53 of 55

Fundamental Security Practices

  • Robust network segmentation:
    • isolate IoT devices on separate network segments
  • Limit communication between IoT and other networks
  • Use firewalls and access control lists

54 of 55

Bibliography
