IoT botnet attacks on the rise: practical tips for minimising risk

10. August, 2022

IoT botnets are gaining momentum, driven by external factors. Nozomi Networks Labs’ latest OT/IoT Security Report cites the surge in IoT botnets as one of three key developments in the first half of 2022. Together with impacts from the Ukraine war and the rise of wiper malware designed to destroy data and systems, they dominate the current threat landscape. [1]

What makes IoT systems attractive for attackers

It is becoming increasingly interesting for cybercriminals to specialise purely in IoT systems. Cameras, sensors or control and monitoring systems are often installed in large numbers and then not given any further attention. Thus, IoT systems usually have little protection, while they are online 24 hours a day and typically have a very good internet connection.

IoT systems often base on a stripped-down Linux operating system that offers little scope for security functions. Combined with cheap off-the-shelf components from additional suppliers and possible cost and implementation pressure from the manufacturer, simple security problems can thus spread by the millions.

Why there are more and more IoT botnets

Practice shows a lack of security-by-design and quality control of implementations, standard passwords in real operation and even keys written in the programme code. One current example: A GPS tracker component that is used a million times can be hijacked via a standard password and enables attackers to switch off the engine locally in a vehicle. [2] Incidentally, “admin” and “root” are among the most frequently used user information to gain access to foreign systems.

Microsoft has also investigated the functioning of the IoT botnet “Trickbot” in more detail and summarised findings about the attack vectors and general functioning. [3] Just like Nozomi, Microsoft observed a targeted search for typical infrastructure components used millions of times with factory settings or simply bad and frequently used passwords. Once identified, attackers take these components over in order to abuse them for their own communication purposes. Weak authentication and access control are the preferred and currently also the easiest point of attack on IoT systems.

How to prevent IoT botnets

The good news: You can secure the most common points of attack with a few simple measures that build on each other. This way, you noticeably reduce the security risk even in already deployed devices and IoT systems.

  • Password policy: Immediately change all default passwords on all systems without exception to secure combinations. Delete pre-set manufacturer accounts and check existing users to no longer allow backdoors.
  • Account-Policy: Use only unique user credentials and do not use the same accounts on different devices. Individual login data per user via exclusively encrypted connections is optimal.
  • Authentication: Use a central authentication facility (AAA server) and monitor all login attempts as well as new user creation. These analyses can provide indications of malware activities.
  • Automation: Especially if you have several IoT systems in operation, it is worth automating the inventory and monitoring of your IT/OT systems. This way you can detect vulnerabilities, threats and anomalies as quickly as possible.

CONCLUSION: As security solutions for traditional computers continue to evolve and improve, cyber criminals are looking for alternative ways to penetrate target networks. Attack attempts on routers, cameras and other IoT devices are therefore not new.

Since these IoT devices and networks are often not actively managed and monitored, they are usually the weakest link in the entire IT system. Both companies and home users should definitely consider IoT devices in their security policies and change all default passwords immediately as a first step.

For companies with extensive IoT landscapes, professional solutions for monitoring, protection and risk minimisation are available from the field of industrial cyber security.

Product recommendation:

Nozomi Guardian powered by IKARUS

Reading recommendation:

Honeypots: Researchers analyse attacks on IoT systems
Loophole into the home network: tips to better secure Smart Home devices


Schritt für Schritt zum Notfallplan für IT-Security-Incidents
Account Management
Indicators of Attack
Gefahren durch vertrauenswürdige Services
Threat Intelligence
SQL Injection
SMTP Smuggling
Cyber-Risiken in der Ferienzeit
Dynamische Cybersicherheit
Harmony Mobile by Check Point
EU Machinery Regulation
Sergejs Harlamovs, Malware-Analyst bei IKARUS

Plugin IdaClu accelerates malware analysis

IdaClu: IKARUS malware analyst Sergejs Harlamovs wins Hex-Rays plugin contest


IKARUS Security Software GmbH Blechturmgasse 11
1050 Vienna

Phone: +43 1 58995-0
Sales Hotline:
+43 1 58995-500


Support hotline:
+43 1 58995-400

Support hours:
Mon – Thu: 8am – 5pm
Fri: 8am – 3pm
24/7 support by arrangement

Remote maintenance software:
AnyDesk Download