Chapter 18 — Connected AND Secured? Think Again

11 references

# Reference Links Status

| # | Reference | Source | Status |
|---|-----------|--------|--------|
| 1 | Hackers Remotely Kill a Jeep on the Highway — With Me in It | wired.com | 🟡 No archive |
| 2 | Ring security camera hacks see homeowners subjected to racial abuse, ransom demands | abcnews.go.com | 🟡 No archive |
| 3 | Cybersecurity Vulnerabilities of Cardiac Implantable Electronic Devices | ahajournals.org | 🟡 No archive |
| 4 | Tesla BLE relay attacks: The Guardian (2016), Auto Evolution (2024), The Byte / Futurism (2024) | multiple | 🟡 No archive |
| 5 | BrickerBot (Wikipedia); IoT protocols are leaking data like sieves (The Daily Swig) | wikipedia.org / portswigger.net | 🟡 No archive |
| 6 | Bitsight: 40,000+ cameras accessible without credentials (June 2025); battlefield camera hijacking (OSINT, 2026) | bitsight.com / multiple OSINT sources | 🟡 No archive |
| 7 | Recent Cyber Attacks on Water & Wastewater Systems (Wisdiam); American Water cyberattack (CNBC, October 2024) | wisdiam.com / cnbc.com | 🟡 No archive |
| 8 | FBI and CISA joint advisory on Volt Typhoon (February 2024, updated January 2025) | cisa.gov | 🟡 No archive |
| 9 | Hackers release source code for a powerful DDoS app called Mirai | techcrunch.com | 🟡 No archive |
| 10 | U.S. law enforcement botnet disruptions (2025–2026): four botnets, 1–4 million devices, 30+ Tbit/s capacity | multiple law enforcement advisories | 🟡 No archive |
| 11 | Forescout: Riskiest Connected Devices 2026 — 75% new categories, routers 32 avg. vulnerabilities, OT protocol attacks +84% | forescout.com | 🟡 No archive |


IoT Attack Surface Reference

The comprehensive IoT-adapted OSI taxonomy referenced in Chapter 18. Each layer maps to documented attack vectors and real-world case studies. Use this as a checklist when conducting security reviews — verify that your threat model covers every layer, not just the application surface.

For security professionals: This reference complements the IoT Security Scorecard, which maps its 19 assessment questions to both ETSI EN 303 645 provisions and OSI layers. Run the scorecard to identify gaps, then return here for the full attack taxonomy at each layer.

Layer 1 Physical

BrickerBot (2017)

Vigilante malware exploited open Telnet ports with default credentials to permanently brick over 2 million IoT devices. Same attack surface as Mirai, opposite intent: destroy rather than conscript.

Wikipedia →

Physical tamper attacks

Direct hardware access enables credential extraction via JTAG/UART debug interfaces, firmware dumping from flash chips, and side-channel attacks (power analysis, electromagnetic probing) against cryptographic implementations.

Side-channel attacks

Differential power analysis (DPA) and electromagnetic side-channel attacks can extract private keys from hardware without breaking the cryptographic algorithm directly. Relevant for medical implants, payment terminals, and access control hardware.

Layer 2 Data Link

Tesla BLE relay attacks (2016–2024)

Researchers amplified the BLE signal from an owner's phone or key fob to extend its effective range, unlocking and starting vehicles without breaking encryption. Variants persisted through multiple Tesla security updates. In 2024, attackers demonstrated credential theft via fake charging station Wi-Fi portals.

Guardian (2016) →   Futurism (2024) →

Smart lock BLE vulnerabilities

The Tapplock fingerprint padlock could be opened by anyone with a Bluetooth sniffer and ten minutes of patience — the device transmitted its MAC address and derived the unlock code from it. Multiple BLE-enabled smart locks shipped with unauthenticated pairing protocols or unencrypted command channels.

The Verge →

MAC address spoofing

On networks using MAC-based access controls, an attacker who captures a valid device's MAC address can impersonate it. Demonstrated on coffee shop and enterprise Wi-Fi networks; also relevant for BLE peripherals that use static MAC addresses.

Stack Exchange →

Layer 3 Network

VPNFilter botnet (2018)

State-sponsored malware infected over 500,000 home and small-office routers across 54 countries. Unlike typical botnets, VPNFilter could survive a reboot, intercept traffic, and was pre-positioned for destructive payload deployment — a template for the Volt Typhoon infrastructure pre-positioning campaigns that followed.

Hacker News →

Layer 4 Transport

CoAP amplification attacks

The Constrained Application Protocol (CoAP), designed for low-power IoT devices, was abused for DDoS amplification — a small request triggers a large response from thousands of devices, multiplying attack bandwidth. IoT protocols designed for constrained environments frequently omit authentication and rate-limiting.

Daily Swig →
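The passage above describes the mechanism of amplification: a small request triggers a large response, and the victim's address is forged as the source so the responses land on the victim. The detector below is an added example, not code from the book or from any of the cited sources. It runs over constructed UDP flow records (addresses, ports and byte counts are invented for the example; 5683 is the standard CoAP/UDP port) and scores each outside address by how many bytes the monitored CoAP devices returned to it versus how many it sent them, flagging addresses that many devices are answering at a high ratio. Seen from a device network, that is what being used as a reflector looks like.

```python
"""Amplification-traffic detection over constructed UDP flow records.

In a CoAP amplification attack the attacker sends small requests with the
victim's address spoofed as the source; each constrained device answers the
victim with a much larger response. From the network the devices live on,
this looks like many devices each returning far more bytes to one outside
address than that address ever sent them. This example scores that shape.
"""
from collections import defaultdict
from dataclasses import dataclass

COAP_PORT = 5683  # CoAP over UDP, default port per RFC 7252


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed sample flows (not real traffic). 198.51.100.20 plays the spoofed
# "victim"; 10.0.0.x are CoAP devices on the monitored network.
SAMPLE_FLOWS = [
    # spoofed requests toward four devices: small, destination port 5683
    Flow("198.51.100.20", 40001, "10.0.0.11", COAP_PORT, 24),
    Flow("198.51.100.20", 40002, "10.0.0.12", COAP_PORT, 24),
    Flow("198.51.100.20", 40003, "10.0.0.13", COAP_PORT, 24),
    Flow("198.51.100.20", 40004, "10.0.0.14", COAP_PORT, 24),
    # responses to the victim: large, source port 5683
    Flow("10.0.0.11", COAP_PORT, "198.51.100.20", 40001, 1180),
    Flow("10.0.0.12", COAP_PORT, "198.51.100.20", 40002, 1244),
    Flow("10.0.0.13", COAP_PORT, "198.51.100.20", 40003, 1180),
    Flow("10.0.0.14", COAP_PORT, "198.51.100.20", 40004, 1316),
    # a legitimate client reading one sensor: roughly symmetric exchange
    Flow("203.0.113.5", 51000, "10.0.0.11", COAP_PORT, 40),
    Flow("10.0.0.11", COAP_PORT, "203.0.113.5", 51000, 61),
]


@dataclass
class Score:
    request_bytes: int   # bytes this address sent to CoAP servers
    response_bytes: int  # bytes CoAP servers sent back to it
    reflectors: int      # how many distinct servers answered it

    @property
    def ratio(self) -> float:
        """Amplification factor: response volume over request volume."""
        if self.request_bytes == 0:
            return float("inf")  # responses with no request at all
        return self.response_bytes / self.request_bytes


def score_targets(flows, port=COAP_PORT):
    """Per outside address, tally request bytes, response bytes and reflector count."""
    req = defaultdict(int)
    resp = defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f.dport == port:        # request toward a CoAP server
            req[f.src] += f.nbytes
        elif f.sport == port:      # response from a CoAP server
            resp[f.dst] += f.nbytes
            reflectors[f.dst].add(f.src)
    return {
        addr: Score(req[addr], resp[addr], len(reflectors[addr]))
        for addr in set(req) | set(resp)
    }


def find_amplification(flows, min_ratio=10.0, min_reflectors=3):
    """Return addresses that look like amplification victims.

    Both thresholds are illustrative; tune them to the deployment's normal
    CoAP request/response sizes.
    """
    return {
        addr: s
        for addr, s in score_targets(flows).items()
        if s.ratio >= min_ratio and s.reflectors >= min_reflectors
    }


if __name__ == "__main__":
    for addr, s in find_amplification(SAMPLE_FLOWS).items():
        print(f"{addr}: {s.reflectors} reflectors, amplification x{s.ratio:.1f}")
```

The legitimate client is not flagged because its exchange is close to symmetric and involves one server. The mitigations the text implies follow from the same shape: devices should not answer unauthenticated requests with large payloads, should rate-limit per requester, and the network edge should drop outbound CoAP responses to addresses that never sent a matching request.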

Layer 5 Session

FireSheep / DroidSheep (session hijacking)

Tools that captured unencrypted session cookies on open Wi-Fi networks, demonstrating that session management failures allow account takeover without credential theft. Relevant for IoT devices that maintain persistent sessions with cloud services over unencrypted channels.

Layer 6 Presentation

Ping of Death and malformed packet attacks

Oversized or malformed packets crash vulnerable network stacks. IoT devices running minimal embedded TCP/IP implementations (often unpatched) are particularly susceptible. Relevant for OT/SCADA systems running legacy protocol stacks.

Layer 7 Application

Abbott (St. Jude Medical) pacemaker (2016–2017)

Unencrypted RF communication and absent firmware authentication in implanted cardiac devices. An attacker within wireless range could, in theory, drain the battery, alter pacing commands, or deliver inappropriate shocks. ~465,000 devices required a risky in-clinic firmware update.

AHA Journals →

Jeep Cherokee Uconnect (2015)

A cellular modem sat on the same CAN bus as the vehicle's steering, braking, and transmission controls with no firewall between them. Researchers took full remote control of a moving vehicle from ten miles away. Triggered the first-ever NHTSA recall for a cybersecurity vulnerability (1.4 million vehicles).

Wired →

Mirai botnet (2016)

Scanned for devices running Telnet with factory-default credentials (62 username/password pairs). Conscripted 600,000+ devices into a botnet capable of 620 Gbps DDoS attacks. Took down DNS provider Dyn, disrupting Twitter, Netflix, Reddit, and Spotify. Source code was released publicly, spawning dozens of variants.

TechCrunch →

Ring camera hijackings (2019)

Credential stuffing attacks (replaying username/password pairs leaked in unrelated data breaches) against Ring accounts that had no mandatory second factor. Attackers spoke to families through cameras installed in children's bedrooms. Root cause: a product decision to ship without mandatory 2FA to reduce onboarding friction.

ABC News →

Nest thermostat hijacking (2019)

A hacker accessed a family's Nest thermostat and camera, cranking the temperature to 90°F and speaking through the camera for 24 hours. Same credential-stuffing vector as Ring. Google's response placed the security burden on users rather than the product.

Trend Micro →
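The Ring and Nest incidents above share one vector: a single source replaying leaked credentials against many different accounts, most of which fail. That "many accounts, few successes, one source" shape is detectable on the service side even before mandatory 2FA is in place. The following is an added example, not code from the book or from either vendor; it parses constructed authentication log lines (the log format, addresses and account names are invented for the example) and flags any source that attempts an unusual number of distinct accounts within a short window, reporting which accounts it got into.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Credential stuffing replays username/password pairs leaked elsewhere, so one
source tries many *different* accounts and mostly fails, unlike a legitimate
user who retries a single account. The detector keys on distinct accounts
per source inside a sliding time window.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log lines (invented format, not from any real service).
SAMPLE_LOG = """\
2019-12-10T02:14:01Z auth result=fail user=alice@example.com src=203.0.113.7
2019-12-10T02:14:02Z auth result=fail user=bob@example.com src=203.0.113.7
2019-12-10T02:14:02Z auth result=fail user=carol@example.com src=203.0.113.7
2019-12-10T02:14:03Z auth result=success user=dave@example.com src=203.0.113.7
2019-12-10T02:14:04Z auth result=fail user=erin@example.com src=203.0.113.7
2019-12-10T02:14:05Z auth result=fail user=frank@example.com src=203.0.113.7
2019-12-10T02:20:00Z auth result=fail user=alice@example.com src=198.51.100.9
2019-12-10T02:20:07Z auth result=fail user=alice@example.com src=198.51.100.9
2019-12-10T02:20:15Z auth result=success user=alice@example.com src=198.51.100.9
2019-12-10T03:00:00Z auth result=success user=grace@example.com src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>success|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    result: str
    user: str
    src: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["result"], m["user"], m["src"]))
    return events


@dataclass
class Finding:
    src: str
    distinct_users: int
    attempts: int
    successes: int
    compromised_users: list[str] = field(default_factory=list)


def detect_stuffing(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag sources that try at least min_distinct_users distinct accounts within window.

    Thresholds are illustrative; tune them to the service's normal traffic.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    findings = []
    for src, evs in by_src.items():
        # Slide a time window over this source's events and keep the window
        # with the most distinct accounts.
        start = 0
        best = None
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            if len(users) >= min_distinct_users and (best is None or len(users) > best[0]):
                best = (len(users), span)
        if best is not None:
            n_users, span = best
            successes = [e for e in span if e.result == "success"]
            findings.append(Finding(src, n_users, len(span), len(successes),
                                    sorted({e.user for e in successes})))
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{f.src}: {f.distinct_users} accounts in {f.attempts} attempts, "
              f"{f.successes} succeeded -> {f.compromised_users}")
```

The second source in the sample (198.51.100.9) fails twice and then succeeds on the same account, the ordinary typo-and-retry pattern, and is not flagged. The one success inside the flagged burst is the account that needs a forced password reset and session revocation; a mandatory second factor, which the text identifies as the missing control, would have turned that success into a failure.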
Critical infrastructure: water systems (2024)

Hackers remotely accessed SCADA systems at Texas water treatment plants. In Muleshoe, a water storage tank overflowed for 30–45 minutes before manual control was restored. American Water — the largest US water utility, serving 14 states — disclosed unauthorized system access in October 2024.

CNBC →

Reference directory generated on 2026-04-11 by Tangibles reference tools.
© 2026 Yoel Frischoff / TheRoad. All rights reserved.