Your smart thermostat, IP camera, and network-attached storage device may be doing more than you know. Millions of home IoT devices have been silently recruited into botnets — vast networks of compromised machines used to launch devastating distributed denial-of-service attacks, send spam, mine cryptocurrency, or serve as launching pads into the rest of your home network. The threat is not theoretical: IoT botnets have taken down major DNS providers and disrupted internet access for millions of people.
Mirai: The Botnet That Changed Everything
In 2016, the Mirai botnet infected hundreds of thousands of IoT devices — IP cameras, DVRs, routers — by scanning the entire IPv4 address space for devices with open Telnet ports (23 and 2323) and trying a list of 62 default username/password combinations. It required no sophisticated exploits — factory credentials like admin:admin, root:root, and guest:guest were sufficient.
Once infected, Mirai devices connected to command-and-control servers and awaited DDoS orders. On October 21, 2016, the Mirai botnet launched a massive DDoS attack against Dyn, a major DNS provider. Sites including Twitter, Reddit, Netflix, GitHub, and CNN became unreachable across large portions of the United States and Europe for nearly a day.
Mirai’s source code was published shortly after the attack, spawning dozens of derivative botnets that persist to this day. Variants added exploits for router vulnerabilities (UPnP flaws, CVE-specific exploits) to supplement the default-credential scanning.
UPnP Exploitation
Universal Plug and Play (UPnP) is a protocol that allows devices on a local network to automatically configure network settings — including opening ports on the router for services they need. Many routers expose the UPnP control interface on the external WAN interface, not just the internal LAN.
Mirai variants and other malware exploit internet-facing UPnP to:
- Open ports on the router to expose internal IoT devices
- Reconfigure NAT tables to route traffic to attacker-controlled servers
- Use the router itself as a SOCKS proxy for botnet C2 communication
The CallStranger vulnerability (CVE-2020-12695) in UPnP allowed attackers to cause SSRF (Server-Side Request Forgery) attacks and data exfiltration through UPnP-enabled devices.
Mozi and Meris: Mirai’s Successors
Mozi Botnet
Active from 2019 until law enforcement disruption in 2023, Mozi was a peer-to-peer botnet using a DHT (Distributed Hash Table) protocol similar to BitTorrent for C2 communications — making it resilient to takedown since there was no central server to seize. Mozi primarily targeted:
- Netgear routers (exploiting CVE-2017-18368)
- Huawei home routers (CVE-2017-17215)
- D-Link devices (multiple CVEs)
- Generic devices via default SSH credentials
At its peak, Mozi controlled approximately 1.5 million IoT devices.
Meris Botnet
Meris (discovered 2021) represented a significant escalation — its DDoS capability reached 21.8 million requests per second in an HTTP pipelining attack against Yandex, the largest volumetric attack recorded at the time. Meris predominantly consisted of compromised MikroTik routers exploiting CVE-2018-14847 (Winbox authentication bypass) — a vulnerability for which patches had been available for years.
How IoT Devices Are Recruited
The infection process typically follows one of these paths:
| Vector | How It Works |
|---|---|
| Default credentials (Telnet/SSH) | Scanner finds open port, tries common passwords from a list |
| Unpatched CVEs | Exploit specific firmware vulnerabilities (command injection, buffer overflow) |
| UPnP abuse | Router exposes internal devices via UPnP, scanner finds and exploits them |
| Weak web interfaces | Default or guessable credentials on web-based admin panels |
| Supply chain | Pre-installed malware on counterfeit or low-cost devices |
A Shodan search for `port:23 login:` returns hundreds of thousands of Telnet-accessible devices at any given time — the pool of vulnerable targets is enormous.
Risks to Home Networks
DDoS Participation
The most common immediate use of infected home devices is DDoS. Your camera or router sends traffic floods to targeted servers. You may notice:
- Higher than normal bandwidth usage
- Slower internet speeds
- Router running hot or fans at high speed
- Router logs showing unusual outbound connection attempts
Lateral Movement to PCs and Servers
More concerning is when infected IoT devices serve as a pivot point into the rest of the home network. From an infected router or camera on the same network as your PC:
- Perform ARP spoofing / man-in-the-middle attacks against other devices
- Scan for open shares, NAS devices, and other accessible resources
- Attempt to authenticate to PCs using captured credentials
- Use the compromised device as a proxy for additional attack infrastructure
Privacy Risks
IP cameras with Mirai variants or similar malware can stream video to attacker infrastructure. Multiple botnet operators have been found operating live feeds from compromised home cameras.
Defenses
VLAN Segmentation for IoT
The most effective network-level defense is placing IoT devices on a separate VLAN (Virtual LAN) with a firewall rule preventing communication between the IoT VLAN and your main devices (PCs, phones, NAS).
A typical home setup using a router that supports VLANs (pfSense, OPNsense, UniFi Dream Machine):
- Main LAN (192.168.1.0/24): PCs, phones, NAS
- IoT VLAN (192.168.10.0/24): Smart TV, cameras, thermostats
- Guest VLAN (192.168.20.0/24): Visitor devices
Firewall rules:
- IoT → Internet: Allow (for updates and cloud features)
- IoT → Main LAN: BLOCK
- Main LAN → IoT: Allow (so you can manage cameras from your PC)
- Guest → anything internal: BLOCK
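The check below, added here as an example that is not part of the original article, audits netfilter-style router firewall logs for the two behaviours described under Risks above: a device on the IoT VLAN probing many outside hosts on Telnet ports 23/2323 (Mirai-style scanning), and IoT-to-main-LAN connection attempts, reporting whether the IoT → Main LAN block above actually dropped them. It assumes the subnets listed above, one bracketed log prefix per firewall rule (with "drop" in the name of the blocking rule), and runs over constructed sample lines rather than a real capture.

```python
import ipaddress
import re
from collections import defaultdict

# Subnets follow the segmentation plan on this page (assumed layout).
IOT_NET = ipaddress.ip_network("192.168.10.0/24")
MAIN_NET = ipaddress.ip_network("192.168.1.0/24")
TELNET_PORTS = {23, 2323}   # the ports Mirai-style scanners probe
SCAN_THRESHOLD = 5          # distinct Telnet targets before we call it a scan

# netfilter-style LOG entries: a bracketed rule prefix, then key=value fields.
FIELD_RE = re.compile(
    r"\[(?P<prefix>[^\]]+)\].*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")

# Constructed sample log lines, not a real capture.
SAMPLE_LOG = """\
Jan 12 03:14:07 router kernel: [iot-wan] IN=br-iot OUT=eth0 SRC=192.168.10.23 DST=203.0.113.5 PROTO=TCP SPT=43122 DPT=23 SYN
Jan 12 03:14:07 router kernel: [iot-wan] IN=br-iot OUT=eth0 SRC=192.168.10.23 DST=203.0.113.9 PROTO=TCP SPT=43123 DPT=2323 SYN
Jan 12 03:14:08 router kernel: [iot-wan] IN=br-iot OUT=eth0 SRC=192.168.10.23 DST=198.51.100.17 PROTO=TCP SPT=43124 DPT=23 SYN
Jan 12 03:14:08 router kernel: [iot-wan] IN=br-iot OUT=eth0 SRC=192.168.10.23 DST=198.51.100.40 PROTO=TCP SPT=43125 DPT=23 SYN
Jan 12 03:14:08 router kernel: [iot-wan] IN=br-iot OUT=eth0 SRC=192.168.10.23 DST=192.0.2.77 PROTO=TCP SPT=43126 DPT=23 SYN
Jan 12 03:14:09 router kernel: [iot-lan-drop] IN=br-iot OUT=br-lan SRC=192.168.10.23 DST=192.168.1.20 PROTO=TCP SPT=43130 DPT=445 SYN
Jan 12 03:14:10 router kernel: [iot-lan-accept] IN=br-iot OUT=br-lan SRC=192.168.10.44 DST=192.168.1.10 PROTO=TCP SPT=50001 DPT=445 SYN
Jan 12 03:15:00 router kernel: [iot-wan] IN=br-iot OUT=eth0 SRC=192.168.10.44 DST=203.0.113.200 PROTO=TCP SPT=50002 DPT=443 SYN
Jan 12 03:15:01 router kernel: [lan-iot] IN=br-lan OUT=br-iot SRC=192.168.1.10 DST=192.168.10.23 PROTO=TCP SPT=50003 DPT=80 SYN
"""

def analyze(log_text):
    """Return (source, finding, detail) tuples for IoT hosts behaving badly."""
    telnet_targets = defaultdict(set)   # src -> distinct outbound Telnet targets
    findings = []
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue
        src, dst, dpt = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), int(m["dpt"])
        if src not in IOT_NET:          # only IoT-originated traffic is of interest here
            continue
        if dst in MAIN_NET:             # IoT -> main LAN: lateral movement attempt
            verdict = "blocked" if "drop" in m["prefix"] else "ALLOWED, segmentation rule missing"
            findings.append((str(src), "lateral-movement", f"{dst}:{dpt} {verdict}"))
        elif dst not in IOT_NET and dpt in TELNET_PORTS:
            telnet_targets[src].add(dst)
    for src, targets in telnet_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.append((str(src), "telnet-scan", f"{len(targets)} distinct hosts on 23/2323"))
    return findings
```

Running `analyze(SAMPLE_LOG)` flags 192.168.10.23 for both Telnet scanning and a blocked lateral-movement attempt, and 192.168.10.44 for an IoT → Main LAN connection that the firewall accepted, which is the gap a misconfigured VLAN leaves.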
Even consumer routers from Netgear, Asus, and TP-Link now include guest network features that provide basic isolation — better than nothing if VLANs aren’t available.
Disable UPnP
UPnP should be disabled on your router’s WAN interface at minimum — and ideally on the LAN interface too, configuring port forwarding manually only for services you knowingly expose.
On most routers: Advanced Settings > WAN > UPnP > Disabled
Verify no UPnP port mappings exist that you didn’t create:
```bash
# On Linux with miniupnpc installed
upnpc -l   # lists active UPnP port mappings (redirections) on the router
```
Change Default Credentials
Every IoT device should have its default password changed before it goes online. Use a unique, strong password for each device’s admin interface. If a device doesn’t allow you to change the default password, consider that a serious security red flag.
For your router specifically:
- Change the admin password
- Disable remote management unless specifically needed
- Change the default WiFi network name (SSID) — don’t use ISP defaults that reveal your router model
Update Firmware
Most IoT devices receive little attention when it comes to firmware updates. Check manufacturer websites quarterly for camera, router, smart TV, and NAS firmware. Many modern routers (Asus, Netgear, Ubiquiti) support automatic firmware updates — enable this feature.
For devices that no longer receive updates from the manufacturer:
- Consider replacing them
- Use network-level controls (VLAN isolation, strict firewall rules) to limit their blast radius
- Consider reflashing them with community-supported firmware where it exists (OpenWrt supports many router models)
Router Firewall Rules
Most consumer routers block unsolicited inbound connections by default (NAT provides this inherently). But verify:
- No port forwarding rules you didn’t intentionally create
- Remote management disabled (Telnet/SSH/HTTP to the router from the WAN)
- Firewall logging enabled so you can see anomalous traffic
The best home network security posture treats every IoT device as potentially compromised and designs the network so that a compromised camera can’t reach your tax documents. Network segmentation makes that a reality.