A Survey of IoT-Enabled Cyberattacks: Assessing Attack Paths to Critical Infrastructures and Services

As the deployment of Internet of Things (IoT) is experiencing an exponential growth, it is no surprise that many recent cyber attacks are IoT-enabled: the attacker initially exploits some vulnerable IoT technology as a first step toward compromising a critical system that is connected, in some way, with the IoT. For some sectors, like industry, smart grids, transportation, and medical services, the significance of such attacks is obvious, since IoT technologies are part of critical back-end systems. However, in sectors where IoT is usually at the end-user side, like smart homes, such attacks can be underestimated, since not all possible attack paths are examined. In this paper, we survey IoT-enabled cyber attacks, found in all application domains since 2010. For each sector, we emphasize on the latest, verified IoT-enabled attacks, based on known real-world incidents and published proof-of-concept attacks. We methodologically analyze representative attacks that demonstrate direct, indirect, and subliminal attack paths against critical targets. Our goal is threefold: 1) to assess IoT-enabled cyber attacks in a risk-like approach, in order to demonstrate their current threat landscape; 2) to identify hidden and subliminal IoT-enabled attack paths against critical infrastructures and services; and 3) to examine mitigation strategies for all application domains.