
Network traffic analysis for IR: Analyzing IoT attacks

By Fakhar Imam, February 19, 2020


The Internet of Things (IoT) incorporates everything from tiny sensors and devices to huge structures like cloud computing. IoT includes the major network types, such as vehicular, ubiquitous, grid and distributed. From childcare to elder care, from entering patient details to post-surgery care and from parking vehicles to tracking vehicles, sensors play a pivotal role.

Although IoT plays a crucial role in human life, detecting IoT attacks and securing these devices has become a bottleneck for incident responders (IR) and security engineers. Unfortunately, no network is 100% secure in the face of cybersecurity threats and vulnerabilities. The conventional internet is insecure, and IoT networks are even more so because their devices are resource-constrained.


Note that we call IoT devices resource-constrained because of their small size and tiny components: they have only limited or bare-minimum resources available.

According to the 2020 Global IoT/ICS Risk Report released by CyberX, IoT/ICS networks and unmanaged devices are soft targets for threat actors, resulting in more expensive downtime, catastrophic safety and environmental incidents and theft of critical intellectual property. Unlike survey-based studies, this report is based on analysis of real-world traffic from more than 1,800 IoT/ICS networks at companies around the world, so that it represents the actual current state of IoT/ICS security.

Incident responders (IR), whether working individually or in a Security Operations Center (SOC), can perform network traffic analysis to detect IoT attacks. They can do this with tools such as the Telnet IoT honeypot, Snort IDS and the Dionaea honeypot.

In this article, we will introduce IoT, the vulnerabilities and attacks associated with it, how IoT attacks are analyzed and potential security measures to safeguard IoT-enabled devices.

What is IoT?

IoT, an abbreviation of the Internet of Things, is a novel paradigm consisting of internet-enabled devices and systems that have IP addresses for internet connectivity. The word “things” in IoT covers both physical and virtual networked devices, ranging from self-driving cars, printers, smartphones, tablets, surveillance cameras, robotics, household appliances, wearable devices and smart grids to Ultra-Wideband (UWB), Infrared Data Association (IrDA), ZigBee, NFC, data centers and Wi-Fi and cellular networks. Supervisory Control and Data Acquisition (SCADA) is an important pillar of IoT, able to monitor smart systems autonomously.

IoT devices use 16-bit or 32-bit microcontroller-based processors with the computational power to send and receive instructions people-to-people (P2P), people-to-machine (P2M) and machine-to-machine (M2M). Other tiny components include sensors, actuators, GPS services, nanotechnologies, cloud computing, wireless sensor networks (WSN), radio frequency identification (RFID) and near field communication (NFC) technologies.

IoT is making life easier and opening the floodgates to new business opportunities. Gartner predicted that the number of IoT devices worldwide would grow from 3.81 billion in 2014 to 20.41 billion in 2020. Though IoT plays a crucial role in making technology more efficient for people, it nevertheless faces numerous challenges due to potential IoT vulnerabilities and attacks.

What are some potential IoT vulnerabilities?

Vulnerabilities are weaknesses, mistakes or security loopholes in IoT devices that invite IoT attacks. By exploiting them, cybercriminals can execute commands either remotely or locally, gain unauthorized access to an IoT network, disrupt the normal operation of IoT devices or damage the IoT deployment altogether.

Vulnerabilities can exist in both IoT hardware and software components. Hardware vulnerabilities are difficult to detect and much harder to fix because of the various embedded microprograms involved, and often cannot be fixed easily due to lack of technical expertise, cost, interoperability or incompatibility. Software vulnerabilities, meanwhile, exist in components such as operating systems, communication protocols and other application programs.

The Open Web Application Security Project (OWASP) published a document known in the industry as the “IoT Top 10 Security Vulnerabilities.” The list reads as follows:

  1. Insecure web interface
  2. Insufficient authentication and authorization
  3. Insufficient security configuration
  4. Insecure network service
  5. Lack of transport encryption
  6. Privacy issues
  7. Insecure mobile interface
  8. Insecure cloud interface
  9. Insecure software or firmware
  10. Poor physical security 

What are IoT attacks?

According to Forbes, cyberattacks on IoT devices surged 300% in 2019, with the count measured in billions. McAfee also believes that malware attacks on IoT gadgets will continue, as more than 25 million smart speakers or voice assistants are already in use. Kaspersky’s honeypots (a network of virtual copies of numerous internet-connected devices) detected more than 100 million attacks on smart devices in the first six months of 2019.

IoT has become a valuable and attractive target for malicious actors. Cyberthreats and attacks now appear with greater frequency and sophistication, while IoT security remains inadequate to defend against them.

Symantec reported in 2019 that many IoT-based attacks fell into the tried-and-true DDoS realm. Below is a list of IoT-related attacks:

  • DDoS attack
  • Byzantine failure
  • Sybil attack
  • Backdoor
  • Replay attack
  • Phishing and spam attacks
  • Eavesdropping
  • Botnet
  • IP spoof attack
  • HELLO flood attacks
  • Witch attack
  • Sinkhole attack
  • Selective forwarding attack
  • Wormhole attack

Analyzing IoT attacks

Today’s internet ecosystem is on the verge of destruction due to the tremendous growth in vulnerable IoT devices. A compromised IoT device can act as a “bot” and be used to launch large-scale distributed denial-of-service (DDoS) attacks. In 2016, the Mirai botnet launched a massive DDoS attack that disrupted internet service on the east coast of the United States.

Telnet IoT honeypot

The Telnet IoT honeypot is written in Python. It is specifically designed to detect IoT attacks that exploit vulnerabilities in IoT devices exposing the Telnet protocol.

This honeypot captures attacks that build botnets out of compromised IoT devices. If an attacker successfully logs in to the device over Telnet, incident responders running the Telnet IoT honeypot capture the compromised username and password along with the malicious operations the attacker performs. The incident response team also captures the binaries, source IP and port used to launch the attack.

Snort IDS

Snort IDS, or Snort Intrusion Detection System, is used to raise intrusion alerts from the network traffic captured by the honeypot. Attacks are identified based on rulesets, which define malicious connections using information known about command-and-control (C&C) servers and blacklisted IPs.
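As an added example (not from the article, the Telnet IoT honeypot project or Snort), here is a small Python triage script that parses constructed Telnet honeypot session logs into the artifacts described in the two sections above (source IP and port, credentials that worked, commands run, downloaded binaries) and flags downloads from hosts on a C&C blacklist, the same kind of indicator a Snort ruleset encodes. The log format, IP addresses, credentials and blacklist are all invented for the example.

```python
import re

# Constructed honeypot log lines (documentation-range IPs, invented credentials).
HONEYPOT_LOG = """\
2020-02-19T10:00:01Z 203.0.113.5:51234 login user=root pass=admin ok=false
2020-02-19T10:00:03Z 203.0.113.5:51234 login user=root pass=12345 ok=true
2020-02-19T10:00:04Z 203.0.113.5:51234 exec cmd="uname -a"
2020-02-19T10:00:05Z 203.0.113.5:51234 download url=http://198.51.100.7/x86
2020-02-19T10:01:10Z 192.0.2.44:40012 login user=admin pass=admin ok=false
2020-02-19T10:01:11Z 192.0.2.44:40012 login user=admin pass=1234 ok=false
"""

# Constructed blacklist of known C&C / payload hosts (what a Snort ruleset would carry).
CC_BLACKLIST = {"198.51.100.7"}

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) (\w+) ?(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one log line into (timestamp, src_ip, src_port, event, fields); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, port, event, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return ts, ip, int(port), event, fields

def summarize(log_text, blacklist):
    """Per-source-IP summary: login attempts, working credentials, commands, downloads, C&C hits."""
    summary = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines the honeypot wrote in an unexpected format
        _, ip, _, event, f = parsed
        entry = summary.setdefault(ip, {"attempts": 0, "creds": [], "cmds": [], "downloads": [], "cc_hits": []})
        if event == "login":
            entry["attempts"] += 1
            if f.get("ok") == "true":
                entry["creds"].append((f["user"], f["pass"]))
        elif event == "exec":
            entry["cmds"].append(f.get("cmd", ""))
        elif event == "download":
            url = f.get("url", "")
            entry["downloads"].append(url)
            host = re.sub(r"^\w+://", "", url).split("/")[0].split(":")[0]
            if host in blacklist:
                entry["cc_hits"].append(host)  # download from a known C&C/payload host
    return summary
```

Calling summarize(HONEYPOT_LOG, CC_BLACKLIST) yields one record per attacking IP; any non-empty cc_hits list is the entry an analyst would escalate first.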

Dionaea honeypot

This honeypot captures attack-related inbound and outbound packets from network traffic, as well as the binaries used to compromise the victim.

What are some privacy and security measures for IoT?

For starters, onion routing helps by mixing internet traffic from disparate sources and encrypting data in multiple layers, using the public keys of the nodes along the transmission path. Transport Layer Security (TLS) in IoT improves the confidentiality and integrity of IoT communications. In addition, the list below shows some efficient IoT security solutions:

  1. Robust lightweight cryptography
  2. Need for efficient key revocation techniques
  3. Time-based secure key generation and renewal 
  4. Efficient lightweight authentication
  5. Robust and lightweight schemes for privacy protection in participatory sensing
  6. Blockchain-enabled IoT
  7. Trust management
  8. IoT computational security
  9. IoT cognitive security
  10. Social awareness

Conclusion: The bottom line

With the advent of 5G networks, even more data is being gathered, stored and shared across multiple platforms and devices. Such a large amount of data is vulnerable to IoT attacks unless appropriate security measures are taken, including robust lightweight cryptography, blockchain-enabled IoT, trust management systems and social awareness.

In the event of an incident on an IoT network, incident responders can perform network traffic analysis to detect IoT attacks with tools such as the Telnet IoT honeypot, Snort IDS and the Dionaea honeypot.




Sources

  1. Gartner Says 5.8 Billion Enterprise and Automotive IoT Endpoints Will Be in Use in 2020, Gartner
  2. OWASP Internet of Things, OWASP
  3. ISTR 2019: Internet of Things Cyber Attacks Grow More Diverse, Symantec
  4. IoT under fire: Kaspersky detects more than 100 million attacks on smart devices in H1 2019, Kaspersky
  5. The Mirai botnet explained: How teen scammers and CCTV cameras almost brought down the internet, CSO
  6. Detecting IoT Devices in the Internet (Extended), John Heidemann and Hang Guo
Fakhar Imam is a professional writer with a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP and various other IT-related subjects.