The Internet of Things Is Under Siege by Massive Cyberattacks

IoT devices face escalating cyberattacks, posing severe risks to infrastructure. The article analyzes attack vectors and mitigation strategies.

Rohan Desai

Science journalist who covered ISRO missions and gravitational wave announcements for a national daily before going independent.

The Attackers Are Already Inside Your Lightbulb


On a normal Tuesday afternoon, a smart thermostat in an office building somewhere in North America does something strange. It sends a burst of data to a coffee machine on the same floor. The coffee machine, which has no business talking to a thermostat, forwards that data to a security camera in the parking garage. The camera passes it to a smart lock on the front door. Within seconds, 105 devices across the building are coordinating in a pattern no human intended and no human can stop.

This is not a hypothetical scenario from a cybersecurity thriller. This is the reality that Euclides Carlos Pinto Neto, Sajjad Dadkhah, and their colleagues at the Canadian Institute for Cybersecurity built and measured in a lab. Their 2023 paper, published in Sensors, documents something that should unsettle anyone who has connected a device to the internet: a dataset of 33 different attacks executed across a network of 105 real IoT devices (Pinto Neto et al., 2023). Not simulated devices. Not virtual machines. Real smart plugs, real cameras, real thermostats, all attacking each other.

The authors found that the problem is not just that IoT devices are vulnerable. The problem is that they are vulnerable in ways that compound. A single compromised lightbulb can become a beachhead for attacks that cascade through an entire network. And the attacks are not theoretical. The dataset includes seven categories of attacks: DDoS, DoS, reconnaissance, web-based, brute force, spoofing, and Mirai (Pinto Neto et al., 2023). Mirai is the botnet that took down large portions of the internet in 2016. It started in a camera.

Why Your Smart Speaker Is a Security Nightmare


The 105 Device Experiment

The researchers built something unusual. Instead of testing attacks against a handful of devices in a sterile lab environment, they assembled a physical IoT topology with 105 real devices. These were not exotic or expensive gadgets. They were the kinds of devices people buy on Amazon and plug into their home networks without a second thought: smart plugs, smart bulbs, motion sensors, smart locks, webcams, routers, and hubs.

Every device was assigned a static IP address. The network was segmented into three subnets, mimicking a realistic home or small office environment. Then the researchers connected a separate set of malicious IoT devices to the same network. These attacker devices were also real IoT hardware, not laptops running hacking tools. The attackers were things like compromised smart plugs and cameras that had been reprogrammed to attack other devices.

This matters because most IoT security research uses simulated attacks or attacks launched from traditional computers. The authors wanted to know what happens when the attackers are themselves IoT devices, with all the constraints and quirks that implies (Pinto Neto et al., 2023). Limited processing power. Unreliable connections. Strange timing patterns. The results are messier and more realistic than anything in a simulation.

The Attack Catalog

The researchers executed 33 distinct attacks across seven categories. Here is what they found:

  • DDoS and DoS attacks: These overwhelmed target devices with traffic. The authors found that even low-bandwidth attacks from IoT devices could knock out other IoT devices. A $20 smart plug can bring down a $500 security system.
  • Reconnaissance attacks: Attackers scanned the network to map out which devices were alive, what ports were open, and what services were running. This is the equivalent of a burglar casing a house.
  • Web-based attacks: The researchers exploited common web vulnerabilities like SQL injection and cross-site scripting. Many IoT devices run stripped-down web servers with no security updates.
  • Brute force attacks: The attackers tried default credentials. The success rate was high. Many IoT devices ship with passwords like "admin" and "1234" and users never change them.
  • Spoofing attacks: Attackers impersonated legitimate devices to gain access to restricted parts of the network.
  • Mirai attacks: The researchers recreated the Mirai botnet behavior, where infected devices scan for other vulnerable devices and recruit them into the botnet.

The dataset generated by this experiment is now publicly available through the CIC Dataset website. It contains over 46 million network flows, each labeled with the specific attack type (Pinto Neto et al., 2023). This is a massive resource for researchers building intrusion detection systems.

The Real Problem: IoT Devices Cannot Defend Themselves


The Hardware Trap

Here is the uncomfortable truth that Pinto Neto et al. (2023) document implicitly through their methodology: IoT devices are designed to be cheap, not secure. A smart plug that sells for $15 cannot afford a dedicated security chip. It cannot run a full operating system with memory protection. It often runs a stripped-down Linux kernel with no security patches, or worse, a proprietary real-time operating system that has never been audited.

The authors chose to use real devices precisely because simulated devices do not capture these constraints. A simulated IoT device in a virtual environment might have perfect network behavior. A real device drops packets, reboots unexpectedly, and responds to attacks in ways that are hard to predict (Pinto Neto et al., 2023). This unpredictability is what attackers exploit.

The Network Effect

The scariest finding in the paper is not any single attack. It is the compounding effect of multiple attacks across a network of many devices. The authors executed attacks sequentially and simultaneously. When multiple devices were under attack at the same time, the network behavior became chaotic. Legitimate traffic got mixed with attack traffic. Intrusion detection systems that worked well against single attacks failed against coordinated multi-vector attacks (Pinto Neto et al., 2023).

Consider what this means in practice. A smart home with 30 devices is not 30 times more vulnerable than a home with one device. It is exponentially more vulnerable, because each device can attack the others. A compromised camera can brute force the password on a smart lock. A compromised smart lock can open the front door. A compromised thermostat can send false temperature readings to the HVAC system, causing it to run continuously and waste energy.

Why Existing Defenses Fail

The Dataset Gap Problem

Before this paper, most IoT attack datasets had serious limitations. Some only included a handful of attack types. Others used simulated devices. Many did not include attacks launched from IoT devices themselves (Pinto Neto et al., 2023). This created a blind spot. Machine learning models trained on these incomplete datasets performed well in academic papers but failed in real deployments.

The authors explicitly designed their dataset to close this gap. By including 33 attacks across 7 categories, executed from real IoT devices against other real IoT devices, they created a benchmark that more accurately reflects the threat landscape (Pinto Neto et al., 2023). The dataset is meant to train intrusion detection systems that can recognize attacks as they happen, in real time, on resource-constrained devices.

The Detection Challenge

Detecting an attack on an IoT network is fundamentally different from detecting an attack on a traditional IT network. In a data center, servers generate predictable traffic patterns. An anomaly is easy to spot. In an IoT network, a smart bulb might send a status update every 30 seconds, but a security camera might stream video continuously. A smart lock might only send data when someone unlocks the door. The traffic patterns are diverse and irregular.

The authors found that many existing intrusion detection systems generate too many false positives in IoT environments. A sudden burst of traffic from a thermostat might be an attack, or it might just be the thermostat reporting temperature changes after someone opened a window. Distinguishing between the two requires understanding both the device's normal behavior and the attack's signature (Pinto Neto et al., 2023). The dataset provides labeled examples of both.

What the Research Does Not Prove

This paper is a snapshot, not a prophecy. The authors tested 33 attacks on 105 devices in a controlled lab environment. They did not test every possible attack. They did not test every possible device. They did not test how these attacks would behave on a network with thousands of devices or on a network with active defenses.

The dataset is also static. It captures network traffic at a specific point in time. Attackers adapt. New vulnerabilities emerge. A dataset from 2023 may not capture the attacks that will be common in 2025. The authors acknowledge this and encourage researchers to use their methodology to generate updated datasets (Pinto Neto et al., 2023).

There is also an open question about how well intrusion detection systems trained on this dataset will generalize. A model trained on traffic from these specific 105 devices might fail when deployed on a network with different devices. The authors do not claim to have solved this problem. They have provided a foundation, not a finished building.

The Mirai Ghost

The inclusion of Mirai attacks in the dataset is a reminder that the IoT security problem is not new, but it is getting worse. The original Mirai botnet, which surfaced in 2016, infected hundreds of thousands of IoT devices and used them to launch some of the largest DDoS attacks ever recorded. The code was released publicly, and variants have been appearing ever since.

Pinto Neto et al. (2023) recreated Mirai behavior in their lab and found that it spread rapidly through their test network. The infection vector is simple: scan for devices with open Telnet ports, try default credentials, and if successful, download and execute the malware. The authors observed that once a single device was infected, the botnet spread to other devices within minutes (Pinto Neto et al., 2023). The only reason it did not infect all 105 devices was that the researchers stopped the experiment.

This is the reality of the Internet of Things. Every device that connects to the internet becomes a potential soldier in someone else's army. The device does not know it has been recruited. The owner does not know it has been recruited. The only sign might be a slightly higher electricity bill from the extra processing load, or a slower home network from all the attack traffic.

What This Actually Means

  • Assume every IoT device is compromised. The default state of an IoT device should be untrusted. Network segmentation is not optional. Put IoT devices on a separate VLAN that cannot communicate with your computers or phones. If a smart plug cannot reach your laptop, it cannot attack your laptop.
  • Change default credentials immediately. The authors found that brute force attacks against default credentials had high success rates (Pinto Neto et al., 2023). This is the easiest fix. Do it the moment you unbox the device. If the device does not allow you to change the password, do not buy it.
  • Disable unnecessary services. Many IoT devices run services like Telnet, SSH, and web servers that are not needed for normal operation. The authors observed that Mirai spreads by scanning for open Telnet ports (Pinto Neto et al., 2023). If you do not need remote administration, turn it off.
  • Monitor for unusual traffic patterns. The dataset shows that different attacks produce different network signatures (Pinto Neto et al., 2023). A device that suddenly starts sending data to many other devices is likely compromised. A device that starts scanning random IP addresses is almost certainly compromised.
  • Do not trust the manufacturer. The authors chose to test real devices because simulated devices do not capture real vulnerabilities (Pinto Neto et al., 2023). The device you bought last week may already have known vulnerabilities that the manufacturer will never patch. Treat it accordingly.
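As an added example, not code from the article or from the CICIoT2023 authors, the Python below sketches the kind of per-device peer-pattern check the "monitor for unusual traffic patterns" and "detection challenge" passages describe: it flags a device that suddenly talks to many hosts, probes Telnet across the subnet, or walks through many ports on one neighbour, while leaving a high-volume but single-peer camera alone. The flow records, IP addresses, ports and thresholds are constructed assumptions, not rows or values from the dataset.

```python
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, dst_port, bytes) for this example;
# they are invented, not rows from the CICIoT2023 dataset.
SAMPLE_FLOWS = (
    # smart bulb: small periodic status updates to the hub only
    [("10.0.1.11", "10.0.1.1", 8883, 310)] * 6
    # camera: large continuous stream, still to a single peer
    + [("10.0.1.12", "10.0.1.1", 554, 48000)] * 6
    # smart plug probing Telnet on every neighbour (Mirai-style spreading)
    + [("10.0.2.20", f"10.0.2.{n}", 23, 60) for n in range(2, 10)]
    # thermostat walking through ports on one neighbour (reconnaissance)
    + [("10.0.3.30", "10.0.3.5", p, 60) for p in (21, 22, 23, 80, 443, 8080)]
)


def profile(flows):
    """Per source IP, collect the set of peers and the ports used per peer.
    Byte counts are deliberately ignored: volume alone is a poor signal here."""
    peers = defaultdict(set)
    ports = defaultdict(lambda: defaultdict(set))
    for src, dst, port, _nbytes in flows:
        peers[src].add(dst)
        ports[src][dst].add(port)
    return peers, ports


def flag_devices(flows, fanout=5, portscan=5, telnet_port=23):
    """Return {src_ip: [reasons]} for devices whose peer pattern looks like
    scanning or spreading. Thresholds are assumed values, not from the paper."""
    peers, ports = profile(flows)
    findings = {}
    for src, dsts in peers.items():
        reasons = []
        if len(dsts) >= fanout:
            reasons.append(f"talks to {len(dsts)} hosts")
        telnet_targets = [d for d, ps in ports[src].items() if telnet_port in ps]
        if len(telnet_targets) >= fanout:
            reasons.append(f"telnet probes to {len(telnet_targets)} hosts")
        for dst, ps in ports[src].items():
            if len(ps) >= portscan:
                reasons.append(f"port scan of {dst} ({len(ps)} ports)")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for ip, why in flag_devices(SAMPLE_FLOWS).items():
        print(ip, "->", "; ".join(why))
```

The camera moves far more bytes than the scanning plug but is never flagged, which is the point: in a mixed IoT network the signal is who a device talks to and how, not how much it sends.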

The Internet of Things is not a network of smart devices. It is a network of dumb devices pretending to be smart, each one a potential weapon pointed at everything else. The dataset from Pinto Neto et al. (2023) is a map of the battlefield. It is up to the rest of us to decide whether we want to fight or to surrender.

References

  1. Euclides Carlos Pinto Neto, Sajjad Dadkhah, Raphael Ferreira, Alireza Zohourian (2023). CICIoT2023: A Real-Time Dataset and Benchmark for Large-Scale Attacks in IoT Environment. Sensors.

Reader Comments (2)

Dr. Arvind Sharma ★★★★★

Interesting piece. I've seen similar attack patterns in our smart city pilot in Pune—botnets exploiting default credentials on sensors. The article's call for mandatory security standards is timely, but implementation in India's fragmented IoT ecosystem will be tough.

Priya Mehta ★★★★★

Good overview. In my work on industrial IoT for a Chennai factory, we faced a Mirai variant last year. The article misses how many Indian SMEs lack resources to patch legacy devices. A simpler threat model upfront would help.
