Initial Access

Using fast port scanning tools, the attacker scans the network to locate a vulnerable device with an open port. The attacker then obtains the IP address of the device.



Next, a payload or command is executed on the vulnerable device by means of an exploit or by brute forcing. A shell command is injected into the operating system (OS) of the device, which downloads a malicious file onto the OS and executes a malware payload that carries out the malicious action.



The executed malware payload persists on the device. It disrupts the watchdog process and creates new accounts. Leaving the operating system shell of the device open establishes redundant access for the future.



Evasion techniques circumvent discovery or detection. Examples include clearing the system logs and command history, hiding the payload file under a masquerading filename, uninstalling the host's security monitoring tools, and employing anti-VM and anti-debugging techniques.
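The persistence and evasion stages described above leave traces on the device itself. As an added example (not part of the original interactive), the following Python script runs a small set of detection rules over constructed syslog lines from a hypothetical Linux-based IoT camera, flagging the watchdog disruption, new-account creation, log and history clearing, and masquerading filenames; the log format, rule names and patterns are assumptions chosen for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines mimicking a Linux-based IoT device's syslog/auth
# log; they are illustrative, not captured from any real incident.
SAMPLE_LOG = """\
Jan 10 03:12:01 cam01 sshd[812]: Accepted password for admin from 10.0.0.9 port 51122 ssh2
Jan 10 03:12:04 cam01 sh[830]: killall watchdog
Jan 10 03:12:05 cam01 useradd[833]: new user: name=backup, UID=0, GID=0, home=/
Jan 10 03:12:07 cam01 sh[840]: /tmp/.sshd started
Jan 10 03:12:09 cam01 sh[841]: history -c
Jan 10 03:12:10 cam01 sh[842]: rm -rf /var/log/messages
Jan 10 03:15:00 cam01 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Each rule maps a lifecycle stage (persistence / evasion) to a regex over a
# log line plus a short reason. The stage names and patterns are assumptions
# made for this example, not any vendor's detection content.
RULES = [
    ("persistence", re.compile(r"\b(killall|kill|pkill)\b.*\bwatchdog\b"), "watchdog process stopped"),
    ("persistence", re.compile(r"useradd\[\d+\]: new user: name=(\S+?), UID=0"), "new UID-0 account created"),
    ("evasion", re.compile(r"\bhistory -c\b"), "shell history cleared"),
    ("evasion", re.compile(r"\brm\b.*\s/var/log/"), "system log removed"),
    # A binary run from a world-writable path but named like a system daemon
    # is the masquerading-filename pattern described in the evasion stage.
    ("evasion", re.compile(r"(/tmp|/dev/shm|/var/tmp)/\.?(sshd|cron|busybox|init)\b"), "system-name binary run from temp path"),
]

def detect(lines):
    """Return {stage: [(line_no, reason, line)]} for lines matching any rule."""
    findings = defaultdict(list)
    for no, line in enumerate(lines, 1):
        for stage, pattern, reason in RULES:
            if pattern.search(line):
                findings[stage].append((no, reason, line.strip()))
    return dict(findings)

def stages_seen(lines):
    """Stages with at least one hit; persistence and evasion together on one host is a stronger signal."""
    return sorted(detect(lines))

if __name__ == "__main__":
    for stage, hits in detect(SAMPLE_LOG.splitlines()).items():
        for no, reason, line in hits:
            print(f"[{stage}] line {no}: {reason}: {line}")
```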


Information Collection

During this stage, all information stored on the device is collected. This includes sensitive files such as private keys and cryptocurrency wallets. An advanced persistent threat (APT) infecting network routers and storage devices, for instance, collects sensitive data from the network traffic passing through compromised devices.


Command & Control

The malware payload goes on to launch different malicious activities, such as TCP flooding, UDP flooding, and infiltration of additional devices, depending on the commands received from the C&C server. Protocols such as HTTP, IRC, and P2P are used for C&C channels.


Lateral Movement

After compromising the first device, the attacker uses lateral movement techniques to access other vulnerable devices in the network and continues to compromise them one by one. For example, an edge router is infected first; it then goes on to infect all IoT devices connected to it.



Malicious activities launched on the IoT device have multiple impacts on it: encryption of data for a ransom, total wipe-out of the disk and data, and abuse for coin mining. By "bricking" an IoT device, malware corrupts its storage or completely reconfigures its kernel parameters.


8 Stages of the IoT Attack Lifecycle

Vulnerabilities in IoT devices are a widely researched topic. But how does an IoT device get infiltrated with damaging malware in the first place? Step through this interactive to learn more about what happens at each stage in the lifecycle of a cyberattack on an IoT device.