IoT Security - Anatomy of IoT cyber attacks

Perry Lea

March 18, 2019

Perry LeaMarch 18, 2019

Editor's Note: Securing the Internet of Things is critical not only for the integrity of data streams and software within each IoT application, but also for the integrity of the enterprise resources tied into those applications. IoT security is a complex problem, requiring a systematic approach for understanding possible threats and corresponding mitigation methods.


Adapted from Internet of Things for Architects, by Perry Lea.

Chapter 12. IoT Security
By Perry Lea

Anatomy of IoT cyber attacks

The area of cybersecurity is a broad and massive topic beyond the scope of this chapter. However, it is useful to understand three types of IoT-based attacks and exploits. Since the topology of the IoT consists of hardware, networking, protocols, signals, cloud components, frameworks, operating systems, and everything in-between, we will now detail three forms of prevalent attacks:

  • Mirai: The most damaging denial of service attack in history that spawned from insecure IoT devices in remote areas.

  • Stuxnet: A nation-state cyber weapon targeting industrial SCADA IoT devices controlling substantial and irreversible damage to Iran's nuclear program.

  • Chain Reaction: A research method to exploit PAN area networks using nothing but a lightbulb—no internet needed.

By understanding the behaviors of these threats, the architect can derive preventative technologies and processes to ensure similar events are mitigated.


Mirai is the name of malware that infected Linux IoT devices in August of 2016. The attack came in the form of a botnet that generated a massive DDOS storm. High-profile targets included Krebs on Security, a popular internet security blog, Dyn, a very popular and widely used DNS provider for the internet, and Lonestar cell, a large telecom operator in Liberia. Smaller targets included Italian political sites, Minecraft servers in Brazil, and Russian auction sites. The DDOS on Dyn had secondary effects on other extremely large providers that used their services such as Sony Playstation servers, Amazon, GitHub, Netflix, PayPal, Reddit, and Twitter. In total, 600,000 IoT devices were infected as part of the botnet collective.

Mirai source code was released on (a hacker blog site). From the source and through traces and logs, researchers have uncovered how the Mirai attack worked and unfolded:

  1. Scan for victims: Perform a rapid asynchronous scan using TCP SYN packets to probe random IPV4 addresses. It specifically looked for SSH/Telnet TCP port 23 and port 2323. If the scan and port attached successfully, it entered phase two. Mirai included a hardcoded blacklist of addresses to avoid. The blacklist consisted of 3.4 million IP addresses and contained IP addresses belonging to the US Postal Services, Hewlett Packard, Ge, and the Department of Defense. Mirai was capable of scanning at about 250 bytes per second. This is relatively low as far as a botnet is concerned. The attacks like the SQL Slammer generated scans at 1.5 Mbps, the principle reason being that IoT devices typically are much more constrained in processing power than desktop and mobile devices.

  2. Brute Force Telnet: At this point Mirai attempted to establish a functional Telnet session with a victim by sending 10 username and password pairs randomly using a dictionary attack of 62 pairs. If a login was successful, Mirai logged the host to a central C2 server. Later variants of Mirai evolved the bot to perform RCE exploits.

  3. Infect: A loader program was then sent to the potential victim from the server. It was responsible for identifying the operating system and installing device- specific malware. It then searched for other competing processes using port 22 or 23 and killed them (along with other malware that could already be present on the device). The loader binary was then deleted and the process name was obfuscated to hide its presence. The malware did not reside in persistent storage and didn't survive a reboot. The bot now stayed dormant until it received an attack command.

The devices targeted were IoT devices comprising IP cameras, DVRs, consumer routers, VOIP phones, printers, and set-top boxes. These consisted of 32-bit ARM, 32-bit MIPS, and 32-bit X86 malware binaries specific to the IoT device being hacked.

The first scan occurred on August 1, 2016, from a US web hosting site. The scan took 120 minutes before it found a host with an open port and password in the dictionary. After one additional minute, 834 other devices were infected. Within 20 hours, 64,500 devices were infected. Mirai doubles in size in 75 minutes. Most of the infected devices that turned into botnets were located in Brazil (15.0%), Columbia (14.0%), and Vietnam (12.5%), although the targets of the DDOS attacks were in other regions.

The damage was confined to DDOS attacks. The DDOS attacks came in the form of SYN floods, GRE IP network floods, STOMP floods, and DNS floods. Over the course of five months, 15,194 individual attack commands were issued by the C2 servers and hit 5,042 internet sites. On September 21, 2016, the Mirai botnet unleashed a massive DDOS attack on the Krebs on Security blog site and generated 623 Gbps of traffic. That accounted for the single worst DDOS attack of all time. The following is a real-time screenshot captured during the Mirai attack using a collaboration between NETSCOUT Arbor and Google Jigsaw.

click for larger image

A view of the Mirai DDOS attack on the Krebs on Security website; courtesy of


Stuxnet was the first known documented cyber weapon released to permanently damage another nation's assets. In this case, it was a worm that was released to damage SCADA- based Siemens Programmable Logic Controllers (PLC) and used a rootkit to modify the rotational speed of motors under the direct control of the PLC. The designers went out of their way to ensure the virus targeted only devices with rotational spin rates of slave variable frequency drives attached to Siemens S7-300 PLCs rotating at 807 Hz and 1210 Hz, as they are typically used for pumps and gas centrifuges for uranium enrichment.

Continue to page two of this article >>

< Previous
Page 1 of 2
Next >

Loading comments...