The Top Internet of Things (IoT) Cybersecurity Breaches in 2024

In a world dominated by connectivity, Internet of Things (IoT) devices have become essential for both consumers and businesses. From toothbrushes to medical devices and manufacturing equipment, billions of devices are connected to the internet, offering increased efficiency and convenience.

Unfortunately, these devices also come with increased cybersecurity risks. Over the past several years, IoT devices have become a target for malicious actors, and 2024 was no exception. The year has seen several breaches, highlighting the need for robust cybersecurity measures to secure IoT devices. From personal accounts to corporate networks, the repercussions of these breaches are far-reaching.

Why are IoT Devices at Risk of Cyberattacks and Breaches?

The number of IoT devices has rapidly increased over the last several years. Data shows there were 16.6 billion IoT devices at the end of 2023, expected to grow 13% to 18.8 billion by the end of 2024.

While IoT devices have numerous benefits, they lack the same security capabilities as laptops and workstations. Additionally, the ease with which these devices can increase within networks can create an expanded attack surface. This can be especially risky if the security or IT team does not maintain an accurate inventory of all devices on the network.

In other words, the more devices connected to the internet without robust security controls in place, the more chances threat actors have to exploit those devices for unauthorized access.

Top 3 IoT Cybersecurity Breaches in 2024 

In 2024, there were several notable IoT cybersecurity breaches, including one theoretical breach that served as a warning to consumers. While IoT breaches are far from new (the infamous Mirai botnet was nearly ten years ago), these breaches impacted a range of industries, from consumer-facing to critical infrastructure, and saw threat actors compromise several different weaknesses.

Let’s dive into the top three incidents this year:

Matrix Exploits IoT Devices, Creates Global Botnet

In November 2024, a malicious actor called “Matrix” turned IoT devices into a global botnet used to carry out distributed denial-of-service (DDoS) attacks. The threat actor targeted connected devices with known vulnerabilities, deploying the Mirai botnet malware on infected machines. As the botnet grew, the threat actor began advertising their DDoS-for-hire services.

Matrix used tools to scan the IP ranges of several cloud service providers for IoT devices with known, unpatched vulnerabilities and misconfigurations. While multiple countries were targeted in the campaign, China and Japan appeared to be the primary targets, possibly due to their high concentration of IoT devices.

This attack highlights the ongoing risk of unpatched critical vulnerabilities in connected devices. Advancements in internet-scanning technology have made it easy for even unsophisticated threat actors to find and exploit vulnerable and misconfigured devices. A critical step for any security program is to create an inventory of all network-accessible devices. This foundational step provides insight into which IoT devices or systems are discoverable and identifies software or hardware vulnerabilities.

Raptor Train Botnet Compromises Over 200,000 Devices

In September 2024, security researchers uncovered a botnet compromised of small office/home office (SOHO) and IoT devices likely operated by Chinese nation-state threat actor Flax Typhoon. Active since May 2020, it has compromised over 200,000 devices globally, peaking at 60,000 active nodes in June 2023.

The botnet leveraged a three-tiered architecture, with Tier 1 being compromised IoT devices like routers, IP cameras, and NAS. Devices were compromised through a combination of known and zero-day vulnerabilities. Although the malicious implant used for infection, a custom variant of the Mirai called Nosedive, could not maintain persistence if the device was rebooted, there were more than enough vulnerable devices online for threat actors to reinfect and maintain control over the botnet.

This attack highlights the criticality of vulnerability prioritization and management in IoT devices. Both traditional IT and IoT devices should be monitored for critical vulnerabilities. Teams should prioritize reporting vulnerabilities that require immediate attention to minimize the greatest threats to the device network. Organizations with a robust digital footprint may also consider targeted network segmentation to further secure their network. Essentially, targeted segmentation divides a device network into smaller networks, limiting the exposure to potential threats and making securing IoT devices easier based on exploit vectors.

Verkada Cameras Exploited to Spread Malware

In August 2024, security researchers discovered an unpatched vulnerability in AVTECH IP cameras, commonly used in critical infrastructure, was being used to spread Mirai malware. Despite being known since 2019, the vulnerability was only assigned a CVE in 2024, and no patch was immediately available. AVTECH IP cameras are organizations in multiple critical infrastructure sectors, such as finance, healthcare, public health, and transportation.

Researchers noted that the campaign pointed to a troubling trend where threat actors target older, low-priority vulnerabilities that are likely to remain unpatched as part of their attacks. Additionally, it underscores the continued need to protect critical infrastructure as it increasingly turns to IoT devices to support the rapid digitization the sector has faced. Notably, the National Cybersecurity Strategy explicitly calls for enhanced protection of critical infrastructure, which has increasingly become the target of threat actors.

Organizations that provide critical services need immediate, real-time insights into all the devices on their network. More often than not, downtime is not an option for critical infrastructure, making it essential for security and IT teams to have in-depth insights and continuous monitoring of their entire attack surface.

Consumer Device Attacks On the Rise

Roku Breach Results in Customer Account Compromise

Streaming company Roku experienced two breaches. The first breach, in March 2024, resulted in the compromise of 15,000 user accounts, and the second breach, in April, resulted in 576,000 leaked accounts. According to Roku, the breach resulted from credential stuffing, where threat actors try username-and-password combinations that had leaked in past data breaches. Brute forcing reuse, weak passwords, and exploring human error are common methods of compromise for consumer accounts.

Ultimately, Roku proactively enabled multi-factor authentication (MFA) for all 80 million users, prompting them to apply better device protection. While Roku received criticism for failing to stop the second breach— and blaming users for their password hygiene—this incident highlights the need to secure connected devices with robust access controls.

In a consumer setting, authentication controls like MFA are a meaningful step to help protect IoT devices. In a business setting, security and IT teams should use robust access control management to limit who can access what. Ideally, access should be limited to only authorized personnel, and personnel should only have the level of access required for their jobs. Regular audits and monitoring of user accounts can help identify usual behavior.

3 Million (Theoretical) Hacked Toothbrushes

In February 2024, a Swiss publication reported that threat actors had infected 3 million internet-connected toothbrushes with malware. The story gained immediate traction, which failed to abate even after it turned out that initial reports were false and there had been no hack.

According to cybersecurity firm Fortinet, the story was merely an example of how even mundane devices could, in theory, be used as part of a cyberattack. While a large-scale hack of toothbrushes is far from likely, the report does remind consumers and businesses that every facet of our daily lives increasingly has some level of cyber risk attached.

How Asimily Helps Protect IoT Devices from Cyber Threats

Protecting IoT devices from cybersecurity threats is essential. All industries—from critical infrastructure to healthcare and even gambling—face increased security risks as they integrate more connected devices into their network.

By partnering with a security vendor with purpose-built IoT security software for monitoring and management, teams can help secure the totality of their device network. The Asimily platform is designed expressly with IoT device security in mind. Asimily’s inventory and vulnerability detection capabilities are built to monitor traffic to and from IoT equipment and proactively identify security fixes, which are often simple and quick.

In the event of a cyberattack, our platform, with its rapid response features, quickly captures packets to aid incident responders. With Asimily, teams can keep a handle on their IoT attack surface and ensure they are as safe as possible, providing a sense of reassurance and security.

To learn more about Asimily, download our whitepaper, IoT Device Security in 2024: The High Cost of Doing Nothing, or contact us today.