The security requirements of an Internet of Things (IoT) system are complex. They extend past the traditional information security requirements of confidentiality, integrity and availability to cover authentication, authorization, freshness of data, non-repudiation, and forward and backward secrecy.

Taking Stock of Today’s IoT Security Risks

With these security requirements in mind, let’s take a look at some key IoT security risks. IoT architecture is not yet standardized and various vendors have their own architectures. In general, however, an IoT architecture contains at least the following three layers: a sensor layer, a network layer and an application layer. Attacks can be broadly categorized as physical, network, software or encryption attacks.

Physical Attacks

Physical attacks target the hardware of an IoT system, chiefly the sensor layer. They typically require physical proximity to the target, and they also include actions that degrade the hardware's ability to operate, such as damaging a device or draining its battery.

Attackers can tamper with sensor nodes or devices to gain control over them and use that control to extract key material, stored data and firmware. With malicious node injection, attackers physically deploy their own nodes between legitimate nodes in an IoT network. This is a form of man-in-the-middle (MitM) attack: the injected nodes can then observe and control the operations and data flowing between the nodes they sit between.

Attackers can also compromise a node by physically injecting malicious code into it, for example by plugging a USB key into a device on the network. Code running on that node can then be used to gain access to the wider IoT system.

Attackers can physically damage IoT devices to disrupt the availability of the service they provide. Also at risk are the areas controlled by IoT systems and the facilities that host them, such as data centers. Attackers can also cause denial of service (DoS) at the radio level, by jamming radio-frequency identification (RFID) systems or generating radio-frequency interference on wireless sensor networks.

Using social engineering, attackers can manipulate the users of an IoT system to serve their own ends. They can also launch sleep deprivation attacks, which exploit the limited battery capacity of devices and sensors. Most devices rely on a sleep mode to extend battery life; a sleep deprivation attack keeps nodes awake, for example with a constant stream of legitimate-looking requests, maximizing their power consumption until the battery is drained and the node shuts down.

Network Attacks

Network attacks target the network layer of an IoT system and can be conducted remotely. DDoS attacks are perhaps the most widely known network-level IoT security risk. Typically, they flood network devices or servers with more requests than they can handle, preventing the server from answering legitimate requests. Using sniffing tools, attackers can perform traffic analysis to infer information from the communication patterns between devices in an IoT network. Even when payloads are encrypted, metadata such as packet sizes, timing and frequency can reveal what a device is doing without any decryption.
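The following is an added example, not code from the original post, showing traffic analysis on encrypted traffic. The capture is constructed: a hypothetical smart camera sends a 64-byte keepalive every 10 seconds and, when it detects motion, uploads a clip as a burst of 1200-byte records. The analysis never looks at payloads, only at sizes, directions and timestamps, yet it recovers the device's heartbeat interval and the moments at which motion was detected.

```python
"""Traffic analysis of encrypted IoT traffic using metadata only.

Added example for this article; the capture below is constructed for a
hypothetical smart camera and is not real traffic.
"""
from collections import defaultdict


def constructed_capture():
    """Constructed packet list: (timestamp_s, direction, encrypted_length).

    direction "out" is device -> cloud, "in" is cloud -> device.
    """
    pkts = []
    t = 0.0
    while t < 120:
        pkts.append((t, "out", 64))        # periodic keepalive
        pkts.append((t + 0.05, "in", 64))  # its acknowledgement
        t += 10.0
    # Two motion-triggered clip uploads: dense bursts of large outbound records.
    for start in (33.0, 87.0):
        for i in range(40):
            pkts.append((start + i * 0.02, "out", 1200))
    return sorted(pkts)


def outbound_bytes_per_window(pkts, window=1.0):
    """Bytes sent by the device in each time window (metadata only)."""
    rate = defaultdict(int)
    for ts, direction, length in pkts:
        if direction == "out":
            rate[int(ts // window)] += length
    return rate


def infer_events(pkts, window=1.0, min_bytes=10_000):
    """Return (start, end) of windows whose outbound volume is far above the
    idle baseline. Each is inferred to be an upload event (here, a motion
    clip) without decrypting anything. Adjacent windows are merged."""
    rate = outbound_bytes_per_window(pkts, window)
    bursts = sorted(w for w, b in rate.items() if b >= min_bytes)
    events = []
    for w in bursts:
        if events and w == events[-1][1] + 1:
            events[-1][1] = w
        else:
            events.append([w, w])
    return [(s * window, (e + 1) * window) for s, e in events]


def keepalive_period(pkts, small=100):
    """Infer the heartbeat interval from the spacing of small outbound packets."""
    times = [ts for ts, d, n in pkts if d == "out" and n < small]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return round(sum(gaps) / len(gaps), 2) if gaps else None


if __name__ == "__main__":
    capture = constructed_capture()
    print("keepalive every", keepalive_period(capture), "s")
    print("motion events at", infer_events(capture))
```

Padding packets to a fixed size and adding cover traffic are the usual countermeasures; encryption alone does nothing against this kind of inference.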

Spoofing, Cloning and Unauthorized Access

RFID attacks include spoofing, cloning and unauthorized access. In RFID spoofing, an attacker impersonates an RFID signal, first reading and recording the data a tag transmits. Cloning occurs when the attacker copies data from a legitimate tag onto another tag to gain access to an IoT network. Attackers can often gain unauthorized access to RFID tags because of poor authentication, which lets them read, change and delete tag data.

Having recorded a tag's transmission, the attacker can then send their own data carrying the original tag ID. Because the system identifies the tag by that ID alone, the attacker gains full access by pretending to be the original source.
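As an added example (not code from the original post, and not any vendor's tag or reader implementation), the following models the cloning attack just described against a reader that trusts the tag ID alone, and contrasts it with a challenge-response reader that shares a per-tag key. The tag model, UID and key are constructed; the `Tag`, `UidOnlyReader` and `ChallengeResponseReader` classes are hypothetical.

```python
"""RFID tag cloning against ID-only authentication, and challenge-response
as the fix. Added example for this article; tag model, UID and key are
constructed, and the reader classes are hypothetical illustrations.
"""
import hashlib
import hmac
import secrets


class Tag:
    """A tag that broadcasts its UID and may hold a secret key it never sends."""

    def __init__(self, uid, key=None):
        self.uid = uid
        self._key = key

    def read_uid(self):
        return self.uid  # the UID is always readable in the clear

    def respond(self, challenge):
        if self._key is None:
            raise ValueError("tag has no key")  # a clone built from a sniffed UID
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class ReplayTag(Tag):
    """Clone that answers every challenge with one recorded response."""

    def __init__(self, uid, recorded):
        super().__init__(uid)
        self.recorded = recorded

    def respond(self, challenge):
        return self.recorded


def clone_from_sniffed_traffic(victim):
    """Spoofing a read yields the UID, so that is all the clone carries."""
    return Tag(victim.read_uid())


class UidOnlyReader:
    """Weak: admits whoever presents an enrolled UID."""

    def __init__(self, enrolled_uids):
        self.enrolled = set(enrolled_uids)

    def admit(self, tag):
        return tag.read_uid() in self.enrolled


class ChallengeResponseReader:
    """Stronger: the reader knows each tag's key and checks a fresh MAC."""

    def __init__(self, keys_by_uid):
        self.keys = dict(keys_by_uid)

    def admit(self, tag):
        uid = tag.read_uid()
        key = self.keys.get(uid)
        if key is None:
            return False
        challenge = secrets.token_bytes(16)  # fresh nonce, so replays fail
        try:
            response = tag.respond(challenge)
        except ValueError:
            return False
        expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def demo():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    legit = Tag(b"\xde\xad\xbe\xef", key)                       # constructed UID
    clone = clone_from_sniffed_traffic(legit)
    replay = ReplayTag(legit.uid, legit.respond(b"\x00" * 16))  # recorded earlier
    weak = UidOnlyReader([legit.uid])
    strong = ChallengeResponseReader({legit.uid: key})
    return {
        "weak_admits_legit": weak.admit(legit),
        "weak_admits_clone": weak.admit(clone),
        "strong_admits_legit": strong.admit(legit),
        "strong_admits_clone": strong.admit(clone),
        "strong_admits_replay": strong.admit(replay),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The clone passes the ID-only reader every time; against the challenge-response reader it fails because it never learned the key, and a recorded response fails because the nonce changes on every read.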

Sinkhole Schemes

In a sinkhole attack, an attacker uses compromised or malicious nodes in a wireless sensor network (WSN) to attract traffic from neighboring nodes, typically by advertising an unusually attractive route to the sink. Traffic then flows into a metaphorical sinkhole: the attacker can read the data, breaching confidentiality, and can selectively forward, alter or drop packets instead of passing them on to their destination, denying service to the network.

Cybercriminals can also launch MitM attacks by abusing the network communication protocols. In real time, an attacker interposes in communications between two nodes by posing as a legitimate node to each of them. This lets the malicious actor monitor, eavesdrop on and control communications between the two legitimate nodes.

Attackers might target the routing protocol in IoT networks to alter the flow of traffic through a compromised node, reconfigure the network topology, create routing loops, generate false error messages or modify source routes. In a Sybil attack, for example, an attacker presents many fake node identities, or mimics legitimate ones, from a single device. These identities are then used to inject false and malicious information, such as bogus routing updates or sensor readings, to compromise an IoT system.
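The sinkhole attack described above is simulated in the following added example (not code from the original post, and not any real WSN routing implementation). The topology, node names and routing rule are constructed and simplified: nodes advertise their hop count to the sink and forward to the neighbour advertising the lowest count, which is the shape of many minimum-hop WSN protocols. The sinkhole node lies and advertises a hop count of 0. The detection shown assumes, as a constructed premise, that nodes also report their neighbour lists and advertised counts to the sink, which can then check them for consistency.

```python
"""Sinkhole attack on a minimum-hop wireless sensor network, simulated.

Added example for this article; topology, routing rule and the sink-side
consistency check are constructed simplifications, not a real protocol.
"""
from collections import deque

# Constructed 8-node topology: sink S plus sensors A..G (undirected links).
LINKS = [("S", "A"), ("S", "B"), ("A", "C"), ("B", "C"), ("B", "D"),
         ("C", "E"), ("D", "E"), ("D", "F"), ("E", "G"), ("F", "G")]


def build_topology(links):
    nbrs = {}
    for a, b in links:
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)
    return nbrs


def advertised_hops(nbrs, sink="S", malicious=None):
    """Hop count each node advertises. Honest nodes take their best
    neighbour's count plus one; a sinkhole node advertises 0, the lie that
    pulls its neighbours' traffic towards it."""
    hops = {n: float("inf") for n in nbrs}
    hops[sink] = 0
    roots = [sink]
    if malicious:
        hops[malicious] = 0
        roots.append(malicious)
    q = deque(roots)
    while q:
        u = q.popleft()
        for v in nbrs[u]:
            if v in (sink, malicious):
                continue
            if hops[u] + 1 < hops[v]:
                hops[v] = hops[u] + 1
                q.append(v)
    return hops


def next_hop(node, nbrs, hops):
    """Forward to the neighbour advertising the lowest count (ties by name)."""
    return min(nbrs[node], key=lambda n: (hops[n], n))


def route(src, nbrs, hops, sink="S", malicious=None, max_hops=20):
    """Forward a packet hop by hop; return (path, delivered)."""
    path, node = [src], src
    for _ in range(max_hops):
        if node == sink:
            return path, True
        if node == malicious:
            return path, False  # the sinkhole drops (or tampers with) it
        node = next_hop(node, nbrs, hops)
        path.append(node)
    return path, False


def delivery_report(nbrs, sink="S", malicious=None):
    """What the sink observes in one round: which sensors' reports arrived."""
    hops = advertised_hops(nbrs, sink, malicious)
    delivered, lost = [], []
    for n in sorted(nbrs):
        if n == sink:
            continue
        _, ok = route(n, nbrs, hops, sink, malicious)
        (delivered if ok else lost).append(n)
    return delivered, lost


def inconsistent_advertisements(nbrs, hops, sink="S"):
    """Sink-side check on the collected advertisements: a genuine count is one
    more than the smallest count among the node's neighbours, and only the
    sink may advertise 0. A node breaking either rule is lying."""
    bad = set()
    for n, h in hops.items():
        if n == sink:
            continue
        expected = min(hops[m] for m in nbrs[n]) + 1
        if h == 0 or h != expected:
            bad.add(n)
    return bad


if __name__ == "__main__":
    topo = build_topology(LINKS)
    print("no attack:", delivery_report(topo))
    print("sinkhole at E:", delivery_report(topo, malicious="E"))
    print("suspects:", inconsistent_advertisements(topo, advertised_hops(topo, malicious="E")))
```

With the sinkhole at E, only the two sensors adjacent to the sink still get their reports through; everything behind E is swallowed, and E is the one node whose advertised count cannot be reconciled with its neighbours'.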

Software Attacks

The biggest IoT security risks involve software. Software attacks can exploit entire systems, steal information, alter data, deny service and compromise or damage devices.

In a phishing attack, for example, attackers gain access by impersonating a legitimate entity to trick users into handing over credentials or granting access. Attackers also use malware, such as viruses, worms and Trojans, to damage or delete data, steal information, monitor users and disrupt key system functions. Meanwhile, malicious scripts such as ActiveX controls can target users who have access to the network gateway, and a compromised gateway can be used to shut down the IoT system entirely.

Attackers can also target software at the application layer to execute DDoS attacks, for example by flooding an API with requests that are expensive to process. In addition to cutting off access for legitimate users, application layer attacks can expose databases and sensitive data.

Encryption Attacks

IoT security risks also include attacks that target encryption schemes. Rather than attacking the cryptographic algorithms themselves, side-channel attacks target their implementation. By analyzing physical measurements taken while the device computes, such as execution time, power consumption or electromagnetic emissions, an attacker can reconstruct the device's internal state during processing and from it infer the encryption key.
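A timing side channel is the simplest case of this, and the following added example (not code from the original post) demonstrates it on a MAC check. The algorithm is sound, but the device compares the tag byte by byte and stops at the first mismatch, so the amount of work it does leaks how many leading bytes of a guess were correct. The secret tag and the device classes are constructed; rather than noisy wall-clock timing, the device counts comparison-loop iterations, which is the quantity a real timing measurement approximates.

```python
"""Timing side channel in a MAC comparison, with byte-by-byte key recovery.

Added example for this article; the secret tag and device model are
constructed. The 'work' counter stands in for measured execution time.
"""
import hashlib
import hmac

# Constructed 8-byte authentication tag the device expects.
SECRET_TAG = hashlib.sha256(b"constructed device secret").digest()[:8]


class LeakyDevice:
    """Verifies a tag with a loop that exits at the first mismatching byte."""

    def __init__(self, tag):
        self._tag = tag
        self.work = 0  # side channel: iterations spent on the last check

    def verify(self, candidate):
        self.work = 0
        if len(candidate) != len(self._tag):
            return False
        for a, b in zip(candidate, self._tag):
            self.work += 1
            if a != b:
                return False  # early exit leaks the mismatch position
        return True


class ConstantTimeDevice(LeakyDevice):
    """Same check, but the comparison always touches every byte."""

    def verify(self, candidate):
        self.work = len(self._tag)  # hmac.compare_digest has no early exit
        return hmac.compare_digest(candidate, self._tag)


def recover_tag(device, length=8):
    """Recover the tag one byte at a time: for each position, the guess that
    makes the device do the most work is the correct byte. At most
    256 * length queries instead of 256 ** length."""
    known = bytearray()
    for pos in range(length):
        best_guess, best_work = 0, -1
        for g in range(256):
            candidate = bytes(known) + bytes([g]) + b"\x00" * (length - pos - 1)
            if device.verify(candidate):
                return candidate  # the padding happened to complete the tag
            if device.work > best_work:
                best_guess, best_work = g, device.work
        known.append(best_guess)
    return bytes(known)


if __name__ == "__main__":
    print("leaky device:   ", recover_tag(LeakyDevice(SECRET_TAG)) == SECRET_TAG)
    print("constant-time:  ", recover_tag(ConstantTimeDevice(SECRET_TAG)) == SECRET_TAG)
```

Against the leaky device the full tag comes back in at most 2048 queries; against the constant-time device every guess costs the same, so the recovery learns nothing. On real hardware the attacker replaces the work counter with many timing samples per guess and averages out the noise, which is why the fix is constant-time comparison rather than "making the timing harder to see".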

Cryptanalysis attacks attempt to deduce encryption keys by searching for weaknesses in the cryptographic algorithm itself. Depending on the information available to the attacker, cryptanalysis attacks take the following forms: ciphertext-only, known-plaintext, chosen-plaintext, adaptive-chosen-plaintext, chosen-ciphertext and adaptive-chosen-ciphertext.

Encryption schemes are also vulnerable to MitM attacks in which a malicious actor intercepts the key exchange between two users, establishes a separate key with each of them, and can then decrypt, read and re-encrypt everything that passes between them. As in other MitM attacks, the users continue to assume they are communicating only with each other. This is why a key exchange must be authenticated, for example with certificates or pre-shared keys, so that a substituted key is detected.
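The exchange just described, as an added example that is not part of the original post: Alice and Bob run a Diffie-Hellman key exchange, Mallory sits between them and substitutes her own public value in each direction, and both sides end up sharing a key with Mallory rather than with each other. The second run adds a MAC over each party's public value under a pre-shared key, which Mallory cannot forge, so the substitution is caught. The parties, messages and group parameters are constructed; the group (p = 2**127 - 1, g = 2) is a toy chosen for readability, and the MAC-over-public-value step is a minimal illustration of authentication rather than a complete protocol (real designs authenticate the whole transcript, as TLS does).

```python
"""Man-in-the-middle against unauthenticated Diffie-Hellman, and detection
once the exchange is authenticated.

Added example for this article; parties, messages and parameters are
constructed. Toy group: real systems use standardized groups or ECDH.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy prime, constructed for illustration only
G = 2


def derive_key(shared_secret):
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def mac_of(auth_key, pub):
    return hmac.new(auth_key, str(pub).encode(), hashlib.sha256).hexdigest()


class Party:
    def __init__(self, name, auth_key=None):
        self.name = name
        self.auth_key = auth_key  # pre-shared key used only to authenticate
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.session_key = None

    def offer(self):
        """Public value, plus a MAC over it when authentication is enabled."""
        msg = {"from": self.name, "pub": self.pub}
        if self.auth_key:
            msg["mac"] = mac_of(self.auth_key, self.pub)
        return msg

    def accept(self, msg):
        if self.auth_key:
            expected = mac_of(self.auth_key, msg["pub"])
            if not hmac.compare_digest(msg.get("mac", ""), expected):
                raise ValueError(f"{self.name}: peer value not authenticated")
        self.session_key = derive_key(pow(msg["pub"], self.priv, P))


class Mallory:
    """Intercepts each offer, keeps a key with its sender, forwards her own."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.key_with = {}

    def intercept(self, msg):
        self.key_with[msg["from"]] = derive_key(pow(msg["pub"], self.priv, P))
        forged = dict(msg, pub=self.pub)
        forged.pop("mac", None)  # cannot recompute it without the auth key
        return forged


def exchange(alice, bob, mallory=None):
    a_msg, b_msg = alice.offer(), bob.offer()
    if mallory:
        a_msg, b_msg = mallory.intercept(a_msg), mallory.intercept(b_msg)
    bob.accept(a_msg)
    alice.accept(b_msg)


def demo():
    out = {}
    a, b = Party("alice"), Party("bob")
    exchange(a, b)
    out["no_attack_keys_match"] = a.session_key == b.session_key

    a, b, m = Party("alice"), Party("bob"), Mallory()
    exchange(a, b, m)
    out["mitm_keys_match"] = a.session_key == b.session_key
    out["mallory_has_alice_key"] = m.key_with["alice"] == a.session_key
    out["mallory_has_bob_key"] = m.key_with["bob"] == b.session_key

    psk = b"constructed pre-shared authentication key"
    a, b, m = Party("alice", psk), Party("bob", psk), Mallory()
    try:
        exchange(a, b, m)
        out["authenticated_result"] = "completed"
    except ValueError:
        out["authenticated_result"] = "aborted"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the unauthenticated run Alice and Bob each hold a key that Mallory also holds, so she can decrypt and re-encrypt traffic in both directions while they believe the channel is private. In the authenticated run the forwarded value carries no valid MAC and the exchange aborts before any session key is used.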

Potential attacks on IoT systems are many and varied. In a future post, we will look at some measures and strategies IT managers can implement to mitigate risks and ensure the security and resilience of their IoT environments.
