IoT Cyberattacks: Threat Types, Methods, and Effective Defense
In 2025, Polish authorities registered 682,000 reports of cyber incidents, of which 273,000 were confirmed as actual attacks. A significant share involved IoT devices (Internet of Things). Routers, cameras, smart home appliances, industrial sensors, and even refrigerators are becoming entry points into corporate networks and critical infrastructure. This article explains how IoT cyberattacks work, what techniques attackers use, and what concrete steps effectively reduce risk.
Table of contents
- What an IoT cyberattack is and why it is dangerous
- The most common methods and mechanisms of IoT cyberattacks
- Modern attack vectors: cloud, tokens, and hardware
- Real-world impact of IoT cyberattacks: scale, actors, consequences
- How to defend against IoT cyberattacks - effective strategies and regulations
- Why traditional IoT protection strategies are no longer enough - our perspective
- Advanced tools and hardware for IoT penetration testing at Sapsan
- Frequently asked questions
Key Takeaways
| Point | Details |
|---|---|
| Scale of the IoT threat | Attacks on IoT devices are growing rapidly, with home equipment increasingly becoming a target. |
| Diverse attack techniques | Cybercriminals use both classic and modern, harder-to-detect mechanisms. |
| New regulations | EU rules force the rollout of mandatory IoT safeguards from 2025-2027. |
| Effective defense | Regular updates, network segmentation, and monitoring of cloud communication are essential. |
What an IoT cyberattack is and why it is dangerous
IoT means any device connected to the internet other than traditional computers and smartphones: IP cameras, smart thermostats, industrial PLC controllers, home routers, alarm systems, and even medical equipment. An IoT cyberattack is any action aimed at taking control of such a device, disabling it, or using it for further offensive operations.
IoT devices are exceptionally vulnerable for several reasons. Manufacturers often use default, identical passwords across an entire product line. Firmware updates are rare or completely unavailable a few years after release. The devices' computing resources are too limited to run advanced encryption or anomaly detection mechanisms. On top of that, users rarely monitor the traffic these devices generate.
For attackers, IoT is an ideal environment. Millions of poorly secured network nodes, available 24 hours a day, running predictable software. A classic example is the Mirai botnet, which in 2016 infected hundreds of thousands of IoT devices, mainly cameras and routers with default passwords, and carried out one of the largest DDoS attacks in internet history, targeting the DNS provider Dyn and cutting off access to services such as Twitter, Reddit, and Spotify.
| IoT device characteristic | Security risk |
|---|---|
| Default factory passwords | Easy takeover by network-scanning bots |
| No firmware updates | Known vulnerabilities remain unpatched |
| Permanent network connection | Continuous exposure to port scanning |
| Limited computing resources | No room for protective mechanisms |
| Large device count | Scale makes botnet assembly easier |
Turris Omnia, a router designed from the start for regular updates and IoT network security, is worth mentioning as an example, though it remains the exception rather than the rule on the market.
The most common methods and mechanisms of IoT cyberattacks
Once you understand the vulnerabilities, it is worth reviewing the specific techniques. Attacks on IoT include DDoS botnets, ransomware, Man-in-the-Middle, firmware exploits, and phishing. Each of these methods follows a different logic and has different consequences.
Main types of attacks on IoT:
- DDoS through botnets - infected devices send massive traffic to a target, overloading servers
- Ransomware - malicious software blocks access to a device or data and demands a ransom
- Man-in-the-Middle (MitM) - the attacker intercepts communication between the device and the server
- Firmware exploits - exploiting known flaws in the device's software
- Cloud token theft - taking over API tokens or accounts on cloud platforms managing IoT, bypassing classic firewalls
- Credential stuffing - automated testing of default or leaked passwords
| Attack type | Goal | Detection difficulty |
|---|---|---|
| DDoS botnet | Overload the infrastructure | Medium |
| Ransomware | Block the device or data | Low (visible effect) |
| MitM | Intercept data | High |
| Firmware exploit | Persistent device takeover | Very high |
A typical attack follows a defined pattern:
- Scanning - the attacker scans the internet looking for devices with open ports (e.g. Telnet 23, SSH 22, HTTP 80)
- Identification - recognition of the device model and firmware version
- Authentication - login attempt with default or leaked credentials
- Infection - delivery of malicious software or a backdoor
- Persistence - ensuring the foothold survives a device reboot
- Exploitation - enrolling the device into a botnet or stealing data
Pro tip: Network traffic monitoring is the first and fastest alarm. An IoT device that suddenly generates several hundred MB of outbound traffic per day is suspect. Network traffic analysis tools combined with proper IoT router configuration with VLAN segmentation make it possible to isolate anomalies before they lead to serious consequences.
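The volume check from the pro tip, written out as an added example (this is not code from the original article). It assumes flow records exported at the IoT VLAN boundary (NetFlow/IPFIX or firewall session logs) have already been summed into one CSV line per device per day; the field layout, the two device addresses and all byte counts are constructed. Besides the absolute "several hundred MB" rule it also flags a day that is far above the device's own median, which catches a low-volume device such as a thermostat that never gets near the absolute threshold.

```python
"""Outbound-volume anomaly check per IoT device.

Added example (not code from the original article). It assumes flow records
exported at the IoT VLAN boundary (NetFlow/IPFIX or firewall session logs)
have already been summed into one CSV line per device per day with the
constructed field layout: date,device_ip,bytes_out.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: an IP camera (10.20.0.11) and a thermostat (10.20.0.12)
# over eight days. On 2025-03-08 the camera pushes ~450 MB outbound, the kind
# of jump the article describes; on 2025-03-05 the thermostat sends ~7x its
# usual volume, far below any absolute threshold but abnormal for that device.
SAMPLE_FLOWS = """\
date,device_ip,bytes_out
2025-03-01,10.20.0.11,4200000
2025-03-02,10.20.0.11,3900000
2025-03-03,10.20.0.11,5100000
2025-03-04,10.20.0.11,4400000
2025-03-05,10.20.0.11,4700000
2025-03-06,10.20.0.11,4100000
2025-03-07,10.20.0.11,4600000
2025-03-08,10.20.0.11,450000000
2025-03-01,10.20.0.12,180000
2025-03-02,10.20.0.12,210000
2025-03-03,10.20.0.12,195000
2025-03-04,10.20.0.12,205000
2025-03-05,10.20.0.12,1500000
2025-03-06,10.20.0.12,200000
2025-03-07,10.20.0.12,190000
2025-03-08,10.20.0.12,185000
"""

ABS_THRESHOLD = 300 * 1024 * 1024  # 300 MB/day: "several hundred MB" is suspect for any IoT node
RATIO = 5.0                        # ... or more than 5x the device's own median day
MIN_HISTORY = 3                    # days of clean history before the ratio rule applies


def parse_daily_totals(csv_text):
    """Return {device_ip: {date: bytes_out}} from the summarised CSV."""
    totals = defaultdict(dict)
    for line in csv_text.strip().splitlines()[1:]:  # skip header
        date, ip, bytes_out = line.split(",")
        totals[ip][date] = int(bytes_out)
    return totals


def outbound_anomalies(csv_text, abs_threshold=ABS_THRESHOLD, ratio=RATIO,
                       min_history=MIN_HISTORY):
    """Return [(device_ip, date, bytes_out, baseline_median)] for suspect days.

    A day is suspect when it exceeds the absolute threshold or, once enough
    clean history exists, exceeds `ratio` times the device's median day.
    Flagged days are not added to the baseline, so one burst does not raise
    the bar for the next one.
    """
    findings = []
    for ip, by_date in parse_daily_totals(csv_text).items():
        history = []
        for date in sorted(by_date):
            bytes_out = by_date[date]
            baseline = median(history) if len(history) >= min_history else None
            suspect = bytes_out >= abs_threshold or (
                baseline is not None and baseline > 0 and bytes_out > ratio * baseline)
            if suspect:
                findings.append((ip, date, bytes_out, baseline))
            else:
                history.append(bytes_out)
    return findings


if __name__ == "__main__":
    for ip, date, bytes_out, baseline in outbound_anomalies(SAMPLE_FLOWS):
        base_txt = f"{baseline / 1e6:.1f} MB" if baseline is not None else "n/a"
        print(f"{date} {ip}: {bytes_out / 1e6:.1f} MB outbound (device median {base_txt})")
```

Run against the sample it reports the camera's 450 MB day and the thermostat's 1.5 MB day. Per-device baselines matter because a single global threshold would never notice the thermostat; on a segmented IoT VLAN the same script can run over the firewall's per-session logs for that VLAN alone.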
Modern attack vectors: cloud, tokens, and hardware
Traditional attacks required direct exposure of the device to the internet. New vectors bypass that requirement entirely. Attacks through cloud management channels take control of a device without firmware exploits and without a public IP address. This is a fundamental shift in the logic of threats.
How does it work? Most modern IoT devices connect to the manufacturer's cloud through an outbound HTTPS connection. The firewall lets that traffic through unchallenged. An attacker who has taken over a cloud account or forged an authentication token can issue commands to a device that has never been directly accessible from the outside.
Key cloud attack vectors:
- Theft of API tokens or accounts on IoT management platforms
- Impersonation of the cloud server through attacks on TLS certificates
- Injection of malicious firmware updates through the legitimate OTA (Over-the-Air) channel
- Exploitation of authorization-logic flaws in cloud platforms
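The token-theft and authorization-logic vectors side by side, as an added example (not code from the original article or from any real IoT platform). The token is a deliberately simplified HMAC-signed stand-in for a platform's session or API token; its layout, the signing key, the audience string, the account and device names and the ownership table are all constructed. The vulnerable handler shows why a stolen token keeps working and why any valid account can command any device; the hardened handler adds the checks that close both gaps.

```python
"""Authorisation checks on an IoT cloud command endpoint.

Added example (not code from the original article or any real platform). The
token is a deliberately simplified HMAC-signed stand-in for the platform's
session/API token; its layout, the signing key, the audience string and the
device-ownership table are all constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: server-side key
AUDIENCE = "iot-command-api"
# Server-side ownership table (constructed): which account may control which device.
DEVICE_OWNERS = {"cam-0017": "acct-alice", "thermo-0042": "acct-bob"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(account, ttl=3600, now=None, key=SIGNING_KEY):
    """Token = base64url(claims JSON) '.' base64url(HMAC-SHA256 over the claims)."""
    now = time.time() if now is None else now
    claims = json.dumps({"sub": account, "aud": AUDIENCE, "exp": int(now + ttl)}).encode()
    return _b64(claims) + "." + _b64(hmac.new(key, claims, hashlib.sha256).digest())


def _split_and_verify(token):
    """Return the claims dict if the signature is valid, else None."""
    claims_b64, sig_b64 = token.split(".")        # ValueError on malformed input
    claims, sig = _unb64(claims_b64), _unb64(sig_b64)
    expected = hmac.new(SIGNING_KEY, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):    # constant-time comparison
        return None
    return json.loads(claims)


def command_vulnerable(token, device_id, cmd):
    """Signature is checked, but nothing else is."""
    claims = _split_and_verify(token)
    if claims is None:
        return "rejected: bad signature"
    # Flaw 1: 'exp' is ignored, so a stolen token keeps working indefinitely.
    # Flaw 2: device_id is taken from the request as-is; any valid account
    #         can command any device (an authorisation-logic flaw).
    return f"sent {cmd} to {device_id}"


def command_hardened(token, device_id, cmd, now=None):
    """Verify signature, audience, expiry and device ownership before acting."""
    now = time.time() if now is None else now
    try:
        claims = _split_and_verify(token)
    except ValueError:                 # wrong part count or bad base64
        return "rejected: malformed token"
    if claims is None:
        return "rejected: bad signature"
    if claims.get("aud") != AUDIENCE:
        return "rejected: wrong audience"
    if claims.get("exp", 0) <= now:
        return "rejected: expired"
    if DEVICE_OWNERS.get(device_id) != claims.get("sub"):
        return "rejected: not owner"
    return f"sent {cmd} to {device_id}"


if __name__ == "__main__":
    now = time.time()
    alice = issue_token("acct-alice", now=now)
    stale = issue_token("acct-alice", now=now - 7200)        # expired an hour ago
    forged = issue_token("acct-alice", now=now, key=b"attacker-guess")
    for label, tok, dev in [("own device", alice, "cam-0017"),
                            ("someone else's device", alice, "thermo-0042"),
                            ("stale token", stale, "cam-0017"),
                            ("forged token", forged, "cam-0017")]:
        print(f"{label:24} vulnerable: {command_vulnerable(tok, dev, 'reboot'):32} "
              f"hardened: {command_hardened(tok, dev, 'reboot', now=now)}")
```

Two details carry the weight: `exp` limits how long a stolen token is useful, and the ownership lookup is done server-side rather than trusting anything the request says about which device it may touch. Short token lifetimes and server-side ownership checks are exactly the items to ask a cloud vendor about when verifying an IoT management platform.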
Hardware attacks are evolving in parallel. JTAG and UART diagnostic interfaces, physically accessible on the PCBs of many devices, allow direct firmware reading and modification. For a pentester, this is a standard audit tool. For an attacker with physical access to the device, for example in a hotel, an office, or a hospital, it is a vector that is hard to block without proper physical security procedures.
"Classic attacks require IP exposure or known CVEs. Modern attacks through the cloud bypass these conditions, which forces an entirely new approach to monitoring and device certification."
The lack of regular firmware updates remains a critical problem. Manufacturers often end support after 2 to 3 years, leaving millions of devices with unpatched vulnerabilities. A device bought in 2021 may today be running firmware with an unpatched CVE from three years ago.
Real-world impact of IoT cyberattacks: scale, actors, consequences
The scale of the problem is global, but it also affects Polish networks. According to 2025 data, state actors, including China, are building botnets from home IoT devices to attack critical infrastructure. The intelligence services of the Five Eyes alliance (USA, United Kingdom, Canada, Australia, New Zealand) have issued a joint warning about botnets made up of hundreds of thousands of home routers and IP cameras.

| Consequence type | Example | Scale |
|---|---|---|
| Internet access outages | Mirai attack on Dyn DNS in 2016 | Global |
| Ransomware extortion | Lockout of industrial devices | Organization |
| Data leakage | IP cameras as an entry point | Individual/corporate |
| Attacks on critical infrastructure | State-run botnets | National |
Concrete consequences for organizations and users:
- Loss of access to building or production management systems
- Data leaks from surveillance cameras or environmental sensors
- Use of the corporate network to attack third parties (legal liability)
- Costs of cleaning up infections and restoring systems, often counted in tens of thousands of zloty
- Reputational consequences for companies whose infrastructure becomes part of a botnet
One little-known fact is worth highlighting: the owner of an infected device is often not the direct victim of the attack. Their router or camera is attacking someone else. As a result, the infection can last for months without any visible symptoms on the owner's side.
How to defend against IoT cyberattacks - effective strategies and regulations
Defending against IoT attacks requires several parallel actions. No single tool is enough. EU regulations, including RED from August 2025 and the Cyber Resilience Act from 2027, force the rollout of security requirements covering network protection, privacy, and resilience to fraud. This is the legal minimum, not optimal protection.
Proactive IoT protection step by step:
- Change default passwords immediately after powering on every device
- Network segmentation - IoT devices on a separate VLAN, isolated from the production network
- Regular firmware updates - automatic wherever possible
- Disable unused services - Telnet, UPnP, remote management over HTTP
- Network traffic monitoring - detection of anomalies in device communication
- Device inventory - a complete list of every IoT node on the network
- Cloud vendor verification - checking the security policy of IoT management platforms
- Penetration testing - regular security audits of IoT infrastructure
Pro tip: The importance of regular IoT updates is often underestimated. Rolling out automatic firmware updates wherever the manufacturer offers them eliminates an entire class of attacks based on known CVEs. For unsupported devices, replacement or network isolation is worth considering.
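The checklist above turned into an automated audit, as an added example (not code from the original article). The inventory layout, the VLAN number, the three devices and their support dates are all constructed; in practice the same fields would come from a scan or an asset-management export. Each device gets the list of steps still open, and an unsupported device gets the "replace or isolate" recommendation from the pro tip instead of a pointless "enable updates".

```python
"""Hardening audit of an IoT device inventory against the checklist above.

Added example (not code from the original article). The inventory layout and
every device in it are constructed; in practice the fields would come from a
scan or asset-management export. Dates are compared to a fixed reference day.
"""
from datetime import date

IOT_VLAN = 20                                    # assumption: dedicated IoT VLAN id
RISKY_SERVICES = {23: "Telnet", 1900: "UPnP", 80: "HTTP management"}
TODAY = date(2025, 5, 1)                         # constructed reference date

# Constructed inventory: name, VLAN, open services, whether the factory
# password is still in use, vendor support end date, auto-update state.
INVENTORY = [
    {"name": "cam-0017", "vlan": 20, "services": [443], "default_creds": False,
     "support_until": "2027-06-30", "auto_update": True},
    {"name": "printer-lobby", "vlan": 1, "services": [23, 80, 9100], "default_creds": True,
     "support_until": "2026-01-31", "auto_update": False},
    {"name": "thermo-0042", "vlan": 20, "services": [1900, 8883], "default_creds": False,
     "support_until": "2023-12-31", "auto_update": False},
]


def audit_device(dev, today):
    """Return the list of actions still open for one device, in checklist order."""
    actions = []
    if dev["default_creds"]:
        actions.append("default credentials still in use")
    if dev["vlan"] != IOT_VLAN:
        actions.append(f"not on IoT VLAN {IOT_VLAN} (found on VLAN {dev['vlan']})")
    for port in sorted(dev["services"]):
        if port in RISKY_SERVICES:
            actions.append(f"disable {RISKY_SERVICES[port]} ({port})")
    supported = date.fromisoformat(dev["support_until"]) >= today
    if not supported:
        # No vendor patches will come: updating is no longer an option.
        actions.append(f"vendor support ended {dev['support_until']}: replace or isolate")
    elif not dev["auto_update"]:
        actions.append("enable automatic firmware updates")
    return actions


def audit(inventory, today=TODAY):
    """{device name: [open actions]} for the whole inventory."""
    return {dev["name"]: audit_device(dev, today) for dev in inventory}


if __name__ == "__main__":
    for name, actions in audit(INVENTORY).items():
        print(f"{name}: {'OK' if not actions else ''}")
        for action in actions:
            print(f"  - {action}")
```

The camera passes, the lobby printer collects five findings, and the thermostat is the case the pro tip describes: its UPnP service should go, but since the vendor stopped supporting it the real decision is replacement or isolation on its own VLAN.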
The RED (Radio Equipment Directive) regulations from August 2025 require new radio and IoT devices to meet network protection, user data, and financial fraud resilience requirements. The Cyber Resilience Act, which enters into force in 2027, extends these requirements across the entire product lifecycle, including mandatory security updates for at least 5 years or for the expected product lifecycle if it is shorter. For companies buying IoT equipment, this means new criteria for selecting suppliers.
Why traditional IoT protection strategies are no longer enough - our perspective
For years, the standard for IoT protection was a simple equation: firewall plus password change plus updates. That model assumed the attacker had to break through a network barrier and that known vulnerabilities were the main vector. Both assumptions are no longer valid.
Modern attacks through the cloud bypass classic network barriers without the need for IP exposure or known CVEs. A device behind NAT, with no open ports, protected by a next-generation firewall, can be taken over via a compromised API token. Classic tools will not detect that.
What can you do about it? Monitoring must cover outbound traffic to cloud platforms, not only inbound traffic from the outside. Automated detection of behavioral anomalies, that is, deviations from a device's normal communication pattern, is more important today than a list of malware signatures.
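A minimal form of the behavioural baseline described here, as an added example (not code from the original article). It assumes outbound TLS connections are logged at the IoT VLAN boundary as lines of the constructed form "timestamp device SNI-or-host port"; the hostnames, device names and every log line are constructed. A clean window builds a per-device profile of destinations and active hours, and later events are scored against it, so a device that starts talking to an unfamiliar host, a familiar host on a new port, or at an unusual time is reported even though every one of those connections is outbound HTTPS that a firewall would pass.

```python
"""Behavioural baseline of outbound cloud connections per IoT device.

Added example (not code from the original article). It assumes outbound TLS
connections are logged at the IoT VLAN boundary as lines of the constructed
form "<ISO timestamp> <device> <SNI or destination host> <dport>"; hostnames,
device names and the log contents are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline window: a camera that uploads clips at 02:00 and polls
# its API at 08:00 and 20:00, and a thermostat that reports over MQTT-TLS
# every six hours.
BASELINE_LOG = """\
2025-04-01T02:10:00 cam-0017 clips.example-cam-cloud.test 443
2025-04-01T08:00:05 cam-0017 api.example-cam-cloud.test 443
2025-04-01T20:00:07 cam-0017 api.example-cam-cloud.test 443
2025-04-02T02:12:00 cam-0017 clips.example-cam-cloud.test 443
2025-04-02T08:00:03 cam-0017 api.example-cam-cloud.test 443
2025-04-02T20:00:09 cam-0017 api.example-cam-cloud.test 443
2025-04-01T00:05:00 thermo-0042 api.example-thermo-cloud.test 8883
2025-04-01T06:05:01 thermo-0042 api.example-thermo-cloud.test 8883
2025-04-01T12:05:00 thermo-0042 api.example-thermo-cloud.test 8883
2025-04-01T18:05:02 thermo-0042 api.example-thermo-cloud.test 8883
"""

# Constructed new day to score against the baseline: one normal poll, one
# connection to an unknown address at night, one known host on a new port,
# one report at an odd hour, and one device that is not in the inventory.
NEW_LOG = """\
2025-04-03T08:00:04 cam-0017 api.example-cam-cloud.test 443
2025-04-03T03:41:20 cam-0017 198.51.100.23 443
2025-04-03T20:00:11 cam-0017 api.example-cam-cloud.test 8080
2025-04-03T13:22:00 thermo-0042 api.example-thermo-cloud.test 8883
2025-04-03T13:25:00 cam-0099 api.example-cam-cloud.test 443
"""


def parse_events(log_text):
    """Yield (timestamp, device, host, port) for each log line."""
    for line in log_text.strip().splitlines():
        ts, device, host, port = line.split()
        yield datetime.fromisoformat(ts), device, host, int(port)


def build_profile(log_text):
    """{device: {"dests": {(host, port)}, "hours": {hour_of_day}}} from a clean window."""
    profile = defaultdict(lambda: {"dests": set(), "hours": set()})
    for ts, device, host, port in parse_events(log_text):
        profile[device]["dests"].add((host, port))
        profile[device]["hours"].add(ts.hour)
    return profile


def score_events(profile, log_text):
    """Return [(device, timestamp, host, port, [reasons])] for off-profile events."""
    findings = []
    for ts, device, host, port in parse_events(log_text):
        reasons = []
        if device not in profile:
            reasons.append("device not in baseline")
        else:
            known_hosts = {h for h, _ in profile[device]["dests"]}
            if host not in known_hosts:
                reasons.append("new destination host")
            elif (host, port) not in profile[device]["dests"]:
                reasons.append("known host, new port")
            if ts.hour not in profile[device]["hours"]:
                reasons.append("outside usual hours")
        if reasons:
            findings.append((device, ts.isoformat(), host, port, reasons))
    return findings


if __name__ == "__main__":
    for device, ts, host, port, reasons in score_events(build_profile(BASELINE_LOG), NEW_LOG):
        print(f"{ts} {device} -> {host}:{port}: {', '.join(reasons)}")
```

Four of the five new events are reported; the routine 08:00 API poll is not. A production version would learn from a longer window, age old destinations out, and resolve SNI against the vendor's published endpoints, but the shape is the same: the alert comes from a deviation in the device's own pattern, not from a signature.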
Compliance with RED and the Cyber Resilience Act is a starting point, not a goal. Companies that treat compliance as sufficient protection are exposed to attacks via vectors the regulations do not yet cover. Real security requires continuous testing of one's own infrastructure, not only product certification.
The lesson from real-world incidents is simple: attackers always pick the weakest link. In environments with well-secured servers, that link is increasingly the IP camera in a conference room or the thermostat in a server room.
Advanced tools and hardware for IoT penetration testing at Sapsan
Knowledge of threats is the foundation. Practical testing of your own infrastructure is the next step that genuinely raises the security level.
Sapsan offers specialist hardware for audits and penetration tests of IoT environments. For testing access control and wireless communication in IoT devices, Flipper Zero is the tool of choice, a versatile multitool supporting NFC, RFID, Sub-GHz, BLE, iButton, and IR. It allows you to audit smart locks, card readers, gate remotes, alarms, and intercoms - the typical exposure points in an IoT ecosystem. For pentesters investigating USB attack vectors, USB Rubber Ducky is available, a classic tool for simulating BadUSB. Comprehensive on-site testing in a client's infrastructure is enabled by uConsole Kit RPI-CM4 Lite, a mobile Linux station for the pentester on which you can run Kali, your own scripts, and tools for auditing the application and network layer in cloud-based IoT ecosystems. The full range is available with worldwide shipping.
Frequently asked questions
How can I tell that my IoT device has fallen victim to a cyberattack?
The symptoms are loss of control over the device, network slowdowns, unknown outbound connections, and ransom messages. Ransomware blocks access to devices, while botnets cause anomalies in network traffic that can be detected through monitoring.
Which IoT devices are currently most at risk?
The most exposed are poorly secured routers, IP cameras, smart home appliances, and devices that have not been updated for years. Mirai mainly infected cameras and routers with default passwords, which remains a relevant pattern to this day.
Do IoT cyberattacks affect only consumers?
No, IoT attacks affect home users as well as companies and critical infrastructure. Botnets built from home IoT devices are used by state actors to attack national and corporate infrastructure.
Which EU regulations are intended to improve IoT security?
The RED directive from 2025 and the Cyber Resilience Act from 2027 will force the rollout of mandatory security requirements for IoT devices placed on the EU market.
