👤 NETAEGIS
🗓️ 07 Sep 2025  

IoT Security: From Password Fails to Global Risk - Is Anyone Winning?

Despite new laws and rising awareness, insecure devices still flood the Internet of Things, leaving homes, hospitals, and industries exposed to smarter, more dangerous cyber threats.

Fast Facts

  • IoT devices are often shipped with default passwords like "admin admin," and many users never change them.
  • Attacks have evolved from simple botnets to using IoT as launchpads for ransomware and espionage.
  • New laws in California, the UK, and the EU aim to ban default passwords and require better security disclosures.
  • Many IoT devices cannot be easily updated or patched, increasing long-term risks.
  • Security improvements lag behind the explosive growth and complexity of the IoT market.

The IoT Explosion: Convenience Meets Chaos

Imagine your home as a castle, but every smart bulb, fridge, or doorbell is a window - some left wide open. Over the past five years, the Internet of Things (IoT) has woven itself into daily life, from baby monitors to power grids. But as the number of devices skyrockets, so too do the risks, according to Dark Reading and expert interviews with Tod Beardsley of runZero and Beau Woods of I Am the Cavalry. The central problem: security simply hasn't kept up with innovation.

Default Passwords: The Doorway for Attackers

Many IoT devices are still shipped with generic passwords - like "admin admin" - that users rarely change, making them easy targets. The landmark Mirai botnet attack in 2016, which hijacked thousands of such devices to disrupt giants like Netflix and Twitter, was a wake-up call. Since then, some regions have pushed back: California’s 2018 law required unique device passwords, while the UK’s Product Security and Telecoms Infrastructure Act (2024) and the EU’s Cyber Resilience Act have introduced similar rules. But as Chris Wysopal of Veracode tells Dark Reading, “the improvements are noticeable, but patchy.”

Offense Outpaces Defense

According to Beardsley, most progress in IoT security has come from researchers and hackers probing devices at events like DEF CON, not from manufacturers or regulators. Penetration testing - where experts simulate attacks to find weaknesses - now routinely includes IoT, but real-world defenses remain static. Manufacturers hesitate to beef up security, fearing it might scare off buyers or complicate user experience.

The New Face of IoT Attacks

Today's attackers are more sophisticated. Instead of just building botnets, they use vulnerable IoT devices as entry points for ransomware, espionage, or deeper network hacks. The infamous exploitation of end-of-life SOHO routers by suspected Chinese nation-state actors shows how neglected devices can become silent spies or saboteurs. As Wysopal notes, IoT vulnerabilities now resemble those in regular computers - but with higher stakes, since IoT gadgets are often "set and forget."

Policy, Competition, and the Road Ahead

Experts like Beau Woods warn that while some companies are improving, the flood of new entrants - especially startups - means lessons aren’t always learned. Many manufacturers worry that investing in security will put them at a disadvantage unless buyers demand it. Until governments enforce stricter rules or customers make security a deal-breaker, the pattern is likely to persist. The hope is that new legislation and rising awareness will nudge the market toward better practices before the next major breach.

Conclusion: A Connected World at a Crossroads

The past five years have shown that the more we connect, the more we expose. While some progress has been made, the IoT landscape remains a patchwork of vulnerable devices, ambitious legislation, and savvy attackers. Unless manufacturers, regulators, and consumers unite on security, the risks will only compound - turning the promise of a smarter world into a playground for cybercriminals.

WIKICROOK

  • IoT (Internet of Things): The Internet of Things is the collection of everyday devices, like smart appliances or sensors, that are connected to the internet - which often makes them targets for cyberattacks.
  • Botnet: A botnet is a network of infected devices remotely controlled by cybercriminals, often used to launch large-scale attacks or steal sensitive data.
  • Default Password: A default password is a preset, often simple password on devices or accounts that users are expected to change but often leave unchanged, posing security risks.
  • Patch: A patch is a software update released to fix security vulnerabilities or bugs in programs, helping protect devices from cyber threats and improve stability.
  • Penetration Test: A penetration test is a simulated cyberattack by experts to uncover and fix security weaknesses before real attackers can exploit them.

NETAEGIS
Distributed Network Security Architect