There are now more Internet of Things devices on Earth than there are people. Smart cameras, routers, thermostats, baby monitors, industrial sensors, smart TVs, and IP-connected door locks outnumber their owners and, in most cases, dramatically outrun their security maintenance. The result is a vast, persistent attack surface that organized crime and nation-state actors exploit systematically.
The Botnet Problem: Mirai’s Successors
In 2016, the Mirai botnet weaponized hundreds of thousands of DVRs and IP cameras with default credentials to execute the largest DDoS attack in internet history at the time, taking down Dyn DNS and with it Twitter, Netflix, Reddit, and GitHub. Mirai’s source code was released publicly weeks later.
That code has never stopped being used. In 2025–2026, the following Mirai descendants remain active:
| Botnet | Targets | Notable Capabilities |
|---|---|---|
| Mirai Botnet V3 | Routers, DVRs | Classic credential brute-force, DDoS-for-hire |
| Moobot | Hikvision cameras, D-Link routers | CVE exploits + default credentials |
| Fodcha | ASUS routers, Razer routers | Ransom-DDoS, 10+ Gbps attacks |
| RapperBot | Linux-based IoT | SSH brute-force, persistence via cron |
| NoaBot | Linux IoT devices | SSH key injection, cryptomining payload |
| Volt Typhoon (state actor) | SOHO routers (Cisco, Netgear, Zyxel) | Persistent access, traffic relay for espionage |
Volt Typhoon, attributed to the People’s Republic of China by the FBI, CISA, and Five Eyes partners in 2024–2025, specifically targeted end-of-life SOHO (small office/home office) routers to build a covert relay network used in reconnaissance operations against US critical infrastructure. The attack used legitimate router administration tools — no malware in the traditional sense — making detection extremely difficult.
Default Credential Attacks
The most common initial access vector for IoT compromise remains embarrassingly simple: the device still uses its factory-set username and password. Shodan, the search engine for internet-connected devices, indexes millions of devices with open administrative interfaces. Credential-stuffing scripts cycle through published default credential lists in seconds.
Common defaults that remain in widespread use:
- admin/admin
- admin/password
- root/root
- admin/1234
- Vendor-specific defaults published in publicly available product manuals
The FTC has taken action against router manufacturers for shipping devices with universal default credentials that cannot be changed. The UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, which came into force in April 2024, legally requires IoT devices sold in the UK to ship with unique per-device passwords and a defined vulnerability disclosure policy. Similar regulations are advancing in the EU under the Cyber Resilience Act.
Firmware Vulnerabilities
Many IoT devices run Linux-based firmware that is never updated after the device leaves the factory. When vulnerabilities are discovered in the underlying OS or third-party libraries they incorporate, the devices remain permanently vulnerable.
Real vulnerabilities with widespread impact:
- CVE-2023-1389 (TP-Link Archer AX21 router): Unauthenticated remote command injection via the router’s web management interface. Immediately weaponized by the Moobot and Mirai botnets within days of disclosure.
- CVE-2024-3400 (Palo Alto PAN-OS, affecting many enterprise edge devices): Command injection in the GlobalProtect feature. While not a consumer IoT device, it demonstrates that perimeter devices face the same class of vulnerabilities.
- CVE-2023-20198 / CVE-2023-20273 (Cisco IOS XE): Authentication bypass and privilege escalation affecting tens of thousands of internet-facing Cisco devices.
- Netgear WNR2000 series: Multiple authentication bypass vulnerabilities; devices reached end-of-life in 2018 but continue to be found on home networks years later.
The firmware problem is compounded by abandoned devices: manufacturers stop providing security updates for products after a few years, but consumers keep using them indefinitely. A 2024 study by the Ponemon Institute found that the average IoT device on a US home network was 3.7 years beyond its manufacturer’s end-of-support date.
Smart Home Risks
Cameras and Doorbells
IP cameras represent the highest personal risk for most home users. Compromised cameras enable:
- Real-time surveillance of home interiors
- Reconnaissance for physical burglary (observing when residents leave)
- Baby monitor compromise, exposing children to audio/video access
Brands including Eufy, Wyze, and Reolink have had security disclosures ranging from unencrypted cloud storage of video thumbnails to unauthenticated access to camera feeds.
Smart Locks and Doorbells
Researchers have demonstrated Bluetooth and Z-Wave attacks against smart locks from multiple vendors. A 2024 disclosure affected a popular August smart lock model with a firmware vulnerability allowing authentication bypass over Bluetooth Low Energy.
Voice Assistants
Always-on microphone devices (Amazon Echo, Google Nest) are a persistent concern. While major vendors have not experienced confirmed mass exploits of the voice assistant itself, the devices represent high-value targets due to their constant network presence and microphone access.
How to Secure Your IoT Devices
VLAN Segmentation — The Most Impactful Defense
Place all IoT devices on a dedicated network segment (VLAN) isolated from your main computers and mobile devices. Even if a smart TV or camera is compromised, it cannot reach your laptop, NAS, or router administration interface.
Most consumer routers with DD-WRT, OpenWrt, or newer ASUS/Netgear firmware support guest network isolation — as a minimum, put all IoT devices on a guest network that cannot communicate with the main network. For more sophisticated segmentation, a firewall appliance running pfSense or OPNsense provides full VLAN control.
Firmware Updates
- Enable automatic firmware updates on every IoT device that supports it
- Check manufacturer support status for older devices — if a device no longer receives updates, consider replacing it
- Subscribe to CISA’s Known Exploited Vulnerabilities (KEV) catalog to catch alerts for devices you own
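One way to act on the KEV catalog is to match it against an inventory of the devices you own, as in this added example (not from the original article). The field names follow CISA's published KEV JSON feed; the sample entries, the inventory, and the `match_inventory` and `load_kev` helpers are constructed for this illustration.

```python
"""Match CISA's Known Exploited Vulnerabilities (KEV) feed against a device inventory.

Field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse)
follow the KEV JSON feed published by CISA. The sample entries below are
constructed for this example from the CVEs mentioned in the article.
"""
import json
import urllib.request

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of the KEV feed (not a real download).
SAMPLE_KEV = {
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2023-1389", "vendorProject": "TP-Link", "product": "Archer AX21",
         "dueDate": "2023-05-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-20198", "vendorProject": "Cisco", "product": "IOS XE Web UI",
         "dueDate": "2023-10-20", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
         "dueDate": "2024-04-19", "knownRansomwareCampaignUse": "Unknown"},
    ],
}


def load_kev(url: str = KEV_URL) -> dict:
    """Download the live catalog (network access required; not used by the sample run)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def match_inventory(catalog: dict, inventory: list[tuple[str, str]]) -> list[dict]:
    """Return KEV entries whose vendor and product match a device in the inventory.

    Matching is a case-insensitive substring test in both directions, so the
    inventory line ("TP-Link", "Archer AX21") also matches a longer product string.
    Results are sorted by CISA's remediation due date, most overdue first.
    """
    hits = []
    for entry in catalog["vulnerabilities"]:
        vendor, product = entry["vendorProject"].lower(), entry["product"].lower()
        for inv_vendor, inv_product in inventory:
            v, p = inv_vendor.lower(), inv_product.lower()
            if (v in vendor or vendor in v) and (p in product or product in p):
                hits.append(entry)
                break  # one hit per catalog entry is enough
    return sorted(hits, key=lambda e: e["dueDate"])


if __name__ == "__main__":
    owned = [("TP-Link", "Archer AX21"), ("Netgear", "WNR2000")]  # constructed inventory
    for hit in match_inventory(SAMPLE_KEV, owned):
        print(hit["cveID"], hit["vendorProject"], hit["product"], "due", hit["dueDate"])
```

Swap `SAMPLE_KEV` for `load_kev()` to run it against the live feed; devices whose vendor never appears in the catalog still need a manual end-of-support check.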
Credential Hygiene
- Change default usernames and passwords immediately on every new device
- Use a password manager to generate and store unique strong passwords for each device’s admin interface
- Disable remote management interfaces unless you specifically need them, and restrict access by IP if you do
Network Exposure Reduction
- Disable UPnP (Universal Plug and Play) on your router — it allows devices to open their own ports to the internet, often without your knowledge
- Check your router’s port forwarding rules and remove any you did not intentionally create
- Use Shodan or Censys.io to search your public IP address and see what services are visible to the internet
Additional Hardening
- Disable features you don’t use: Telnet, SSH, web management interfaces on devices that don’t need them
- Purchase IoT devices from vendors with clear support lifecycles and bug bounty programs
- Consider network monitoring tools like Firewalla or Pi-hole to observe what traffic IoT devices are generating
IoT security in 2026 is a genuine personal safety issue, not just an abstract technical problem. A compromised camera or router in your home can enable surveillance, network pivoting, and data theft. The defenses are not technically complex — network segmentation and firmware updates address the majority of risk — but they require deliberate action in an ecosystem where convenience has historically trumped security.