We study how ambient energy harvesting may be used as an attack vector in the battery-less Internet of Things (IoT). Battery-less IoT devices rely on ambient energy harvesting and are employed in a multitude of applications, including safety-critical ones such as biomedical implants. Due to scarce energy intakes and limited energy buffers, their executions become intermittent, alternating periods of active operation with periods of recharging energy buffers. Through an independent exploratory study and a follow-up systematic analysis, we demonstrate that by exerting limited control on ambient energy one can create situations of livelock, denial of service, and priority inversion, without physical device access. We call these situations energy attacks. Using concepts of approximate intermittent computing and machine learning, we design a technique that can detect energy attacks with 92%+ accuracy, that is, up to 37% better than the baselines, and with up to one fifth of their energy overhead. Crucially, by design, our technique does not cause any additional energy failure compared to the regular intermittent processing. We conclude with directions to inspire defense techniques and a discussion on the feasibility of energy attacks.