10 IoT Threats Solution Providers Should Look Out For

IoT Under Siege

Researchers are finding a plethora of security risks as more devices become connected to the Internet. In a recent report by Kaspersky Lab, the research company found that the number of new IoT malware samples this year has already doubled that of last year.

According to Kaspersky, connected devices running Linux have attracted 7,200 malware samples from last May, more than double last year's sample total of 3,200.

Over the past few months, solution providers have seen an array of security attacks – from denial-of-service malware Brickerbot to IP camera-targeted Persirai – crop up in the IoT space. Here are 10 different Internet of Things security threats that partners deploying solutions should look out for.


The Mirai botnet is infamous for its role in the October DDoS attack, which was launched through IoT devices and that blocked an array of websites like Twitter and Netflix.

Mirai was launched through webcams, routers and video recorders to overwhelm servers at Dynamic Network Services (Dyn) and led to the blockage of more than 1,200 websites.

The botnet identifies vulnerable IoT devices and logs into them to infect them with malicious software codes, knocking out access by flooding websites with junk data.


In May, Trend Micro released details on an IoT botnet called Persirai that targets internet protocol cameras.

According to Trend Micro, the botnet had targeted over 1,000 IP cameras – but more than 120,000 IP cameras were vulnerable to the malware, based on various OEMs.

Persirai takes advantage of open Universal Plug and Play port on IP cameras to infect them, then connect to a command-and-control server to download software. This software is then used to launch distributed-denial-of-service attacks against specific targets.


IT security firm Radware in April revealed a new Internet of Things malware, Brickerbot, which disables vulnerable IoT devices so that they're left inoperable.

This type of attack, which Radware described as a "permanent distributed denial of service," can destroy the firmware or basic functions of IoT device systems. According to Radware, the Brickerbot attack was targeted specifically at Linux-based IoT devices, which have their Telnet ports open and are exposed publicly on the internet. Those targeted are matching the devices that are targeted by Mirai or other IoT botnets.

Radware said the attacker could be a "grey hat" hacker who wants to expose vulnerable IoT devices or brick them to prevent future distributed denial-of-service (DDoS) attacks.


Trend Micro in June released details of DvrHelper, a newer version of Mirai, which targets vulnerable IP cameras. DvrHelper has evolved to help avert distributed denial of service prevention solutions with additional DDoS attack modules.

While DvrHelper is the first malware designed to bypass an anti-DDoS solution, it only infected about 6.8 percent of the 3,675 compromised cameras analyzed by Trend Micro (the majority were infected by Persirai).


TheMoon malware is the oldest malware targeting Internet of Things devices, according to Trend Micro. This family was first discovered in 2014, and it continually upgrades its attack methods and targets new vulnerabilities.

While TheMoon initially infected routers like Linksys E1000s in 2014, the malware has evolved to target today's IoT devices like IP cameras.


Hajime is an IoT malware strain first discovered last October, and has compromised almost 300,000 devices, according to Kaspersky Lab. The botnet infects devices, which mostly include digital video recorders, webcams and routers, and blocks access to an array of ports.

Researchers say Hajime appears to be the work of a vigilante who does not want to use infected devices for bad purposes but instead take over smart devices before botnets like Mirai can.


A new malware strain, Imeij, was discovered in March by Trend Micro. This malware exploited a security flaw in equipment made by Taiwanese manufacturer AVTech.

According to Trend Micro, AVTech engineers failed to patch the security flaw in October 2016.


Researchers in August said that malware compromised more than one million connected video cameras and DVRs. The consumer IoT devices were used as part of DDoS attacks and were infected by a malware family known as Bashlite, but also called by other names like Lizard Stresser and Gafgyt.


Tsunami, identified in April, is an IoT botnet that targets an unpatched remote code execution vulnerability in digital video recorder devices. Researchers say Tsunami is the first Linux malware to adopt virtual machine evasion techniques in order to defeat malware analysis sandboxes.

The vulnerability, which was publicly disclosed in 2016, is on DVR devices made by TVT Digital. Tsunami exploits this remote code execution vulnerability by scanning for and attacking vulnerable systems, then gaining full control of the device to launch broad DDoS attacks. Researchers say Tsunami has not yet been used to mount a large-scale attack.


A threat called NyaDrop turned heads in October 2016 when it posed as a threat for IoT devices running on the open-source Linux OS. Vulnerable devices include DVRs, CCTV cameras and other IoT devices whose MIPS systems use a 32-bit CPU.

When the lightweight binary is installed on vulnerable IoT devices, it then loads other malware onto the infected devices.