When Smart Turns Vulnerable: IoT Exploitation as a Growing Business Risk
- Sam Cockbain

- Jan 20
- 15 min read

Key Takeaways:
IoT devices significantly expand organisational attack surfaces and are increasingly targeted due to weak security by design.
Criminal exploitation of IoT is systematic and scalable, enabling botnets, credential markets, and covert network intrusion.
Insecure IoT devices can be leveraged to disrupt operations, enable data breaches, and amplify wider cybercrime campaigns.
Many IoT risks persist due to poor visibility, outdated firmware, and separation between IT and operational oversight.
Effective IoT risk management requires segmentation, continuous monitoring, and treating IoT as a core enterprise risk rather than a peripheral issue.
IoT Explosion
By 2025 there were over 21 billion connected IoT devices worldwide, a figure forecast to rise to an estimated 39 billion by 2030 and 50 billion by 2035. This explosive adoption shows how deeply IoT has become embedded in modern business operations, from smart warehouses and factories to connected offices and retail systems. Companies deploy IoT to monitor equipment, automate processes, and gain real-time insights, driving efficiency and innovation across industries. In the UK alone, 76% of businesses had mid-sized IoT deployments (1,000–10,000 devices) by 2025, up from 51% in 2021 – evidence that IoT has moved from experimental pilots to a core part of business transformation. IoT is now a proven driver of operational efficiency, resilience, and even sustainability in enterprises.
This ubiquity, however, cuts both ways. Every connected thermostat, camera, or sensor is also an internet-facing computer that can introduce new vulnerabilities, and the expanded attack surface attracts cybercriminals looking for any weak link. High-profile incidents have shown that insecure IoT devices can be a gateway for crime. This article therefore examines the real-world threats arising from IoT insecurity and their business impacts, from both a global and a UK-centric point of view, and then sets out practical steps for mitigating IoT risk and why proactive monitoring and strategic risk management are essential in an ever-more connected world.
Common Vulnerabilities in IoT Devices
IoT devices often lack the robust protections found in traditional IT systems. Criminals tend to target IoT because many devices ship with insecure defaults and are rarely monitored or updated by their owners. Some of the most common IoT security weaknesses include:
Default or Weak Credentials: Many IoT products ship with factory-set usernames and passwords (such as “admin/admin”) that users never change. Attackers can easily guess or look up these credentials – indeed, weak, guessable, and hardcoded passwords top the OWASP IoT Top 10. In one 2019 case, a hacker simply scanned the internet for devices exposing Telnet, tried default logins, and compiled a list of over 515,000 vulnerable IoT devices (routers, cameras, etc) together with their IP addresses and working credentials. This “bot list” was later leaked on a forum, illustrating how default credentials provide a quick doorway for attackers.
Unpatched Firmware and Software: IoT vendors often adopt a “ship-and-forget” approach, leaving devices running outdated firmware with known vulnerabilities. Unlike phones or PCs, IoT gadgets may not auto-update, and owners seldom apply patches. Over time, unpatched flaws accumulate. For example, a device bought in 2018 might still run the same firmware in 2025, complete with years of unpatched bugs. A UK government-backed assessment found outdated software everywhere in enterprise IoT, including one device with a 15-year-old bootloader. Such legacy code is a treasure trove of exploits for attackers. Worse, the majority of tested devices lacked secure boot protections, so an attacker with physical access could implant persistent malware at the firmware level.
Insecure Network Services: Many IoT devices run unnecessary services or old-school protocols (Telnet, HTTP, UPnP) with little to no security. These services often listen on open ports, sometimes exposed to the internet, offering attackers a direct line in. For example, an IoT camera or DVR might host a poorly secured web interface that is trivial to hijack. In the OWASP IoT Top 10, insecure network services rank right behind weak passwords as a critical risk. These flaws let attackers exploit devices remotely, either to steal data or co-opt the device for other attacks.
Poor Security Configuration: “Insecure by default” is unfortunately common in IoT. Manufacturers might disable security features to simplify setup, or fail to implement encryption and access controls. The result is devices that are plug-and-play on the open internet. Many enterprise IoT devices tested in 2023 had broadly similar issues, including a lack of segregation between processes and generally lax configurations. These design choices mean that if any vulnerability is found, attackers automatically get high-level access to the device, and possibly to the wider network it’s connected to.
In short, IoT devices often prioritise convenience over security. Default logins, old unpatched code, and open services make them low-hanging fruit for cybercriminals. Each vulnerable camera or sensor is a potential beachhead into a business’s infrastructure.
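The default-credential attack described above is mechanically simple, which is also what makes it easy to turn around into a defensive check. The following is an added example, not code from the original article: a small Telnet client that answers a device's login and password prompts with a short dictionary of factory defaults and reports the first pair that yields a shell prompt, plus a constructed fake device so it runs offline. The credential list, the fake device and the prompt patterns are assumptions; run the real client only against devices you are authorised to test.

```python
"""Mirai-style default-credential check, repurposed as an audit of your own fleet.

Added example, not code from the original article. It answers a device's Telnet
login/password prompts with a short dictionary of factory defaults and reports the
first pair that yields a shell prompt. The credential list and FakeDevice are
constructed for offline use; point the real TelnetSession only at devices you are
authorised to test.
"""
import re
import socket

# Constructed sample of well-known defaults (assumption: a real audit would use the
# documented defaults for each model in the inventory, not a generic list).
DEFAULT_CREDENTIALS = [("admin", "admin"), ("root", "root"), ("root", "12345"),
                       ("admin", "password"), ("user", "user")]

LOGIN_PROMPT = re.compile(rb"(login|username)\s*:", re.IGNORECASE)
PASSWORD_PROMPT = re.compile(rb"password\s*:", re.IGNORECASE)
SHELL_PROMPT = re.compile(rb"[$#>]\s*$")               # BusyBox-style prompt ends the buffer
LOGIN_FAILED = re.compile(rb"incorrect|failed|denied", re.IGNORECASE)


class TelnetSession:
    """Raw-TCP Telnet client that ignores option negotiation; enough for the BusyBox
    telnetd most IoT devices ship."""

    def __init__(self, host, port=23, timeout=3.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)

    def read_until(self, pattern, limit=4096):
        buf = b""
        while len(buf) < limit and not pattern.search(buf):
            try:
                chunk = self.sock.recv(256)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
        return buf

    def write(self, data):
        self.sock.sendall(data)

    def close(self):
        self.sock.close()


class FakeDevice:
    """Constructed stand-in for a device's telnetd: accepts one username/password
    pair and answers everything else with 'Login incorrect'."""

    def __init__(self, username, password):
        self.expected, self.pending, self.entered = (username, password), b"\r\nlogin: ", []

    def read_until(self, pattern, limit=4096):
        out, self.pending = self.pending, b""
        return out

    def write(self, data):
        self.entered.append(data.rstrip(b"\r\n").decode())
        if len(self.entered) % 2 == 1:                  # username received, ask for password
            self.pending = b"Password: "
        elif tuple(self.entered[-2:]) == self.expected:
            self.pending = b"\r\nBusyBox v1.19.2 built-in shell\r\n# "
        else:
            self.pending = b"\r\nLogin incorrect\r\nlogin: "

    def close(self):
        pass


def try_login(session, username, password):
    """Drive one login attempt; True only if the reply ends in a shell prompt."""
    session.read_until(LOGIN_PROMPT)
    session.write(username.encode() + b"\r\n")
    session.read_until(PASSWORD_PROMPT)
    session.write(password.encode() + b"\r\n")
    reply = session.read_until(SHELL_PROMPT)
    return bool(SHELL_PROMPT.search(reply)) and not LOGIN_FAILED.search(reply)


def audit_device(connect, credentials=DEFAULT_CREDENTIALS):
    """connect() opens a fresh session per attempt (many devices drop the connection
    after a failure). Returns the first accepted pair, or None if no default works."""
    for username, password in credentials:
        session = connect()
        try:
            if try_login(session, username, password):
                return (username, password)
        finally:
            session.close()
    return None


if __name__ == "__main__":
    print(audit_device(lambda: FakeDevice("admin", "admin")))             # ('admin', 'admin')
    print(audit_device(lambda: FakeDevice("ops", "9Q!v-rotated-2025")))   # None
    # Against a real device you own: audit_device(lambda: TelnetSession("10.50.3.21"))
```

Running this across the inventory with one TelnetSession per device gives the same output the 2019 scanner produced, only for your own estate: a list of devices that still answer to a factory default and need their credentials changed, or Telnet disabled, before someone else's scanner finds them.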
Real-World Examples of IoT Exploitation
The exploitation of IoT devices by criminals is no longer opportunistic or experimental. It has become systematic, scalable, and increasingly strategic, with attackers deliberately targeting IoT ecosystems to achieve operational, financial, or intelligence objectives. Three exploitation patterns dominate the current threat landscape: large-scale botnet formation, credential harvesting for criminal resale, and targeted network intrusion via IoT footholds.
IoT Botnets and Distributed Denial-of-Service (DDoS) Operations
The Mirai botnet remains the most instructive example of how insecure IoT devices can be weaponised at scale. In 2016 it hijacked hundreds of thousands of IoT devices (IP cameras, DVRs, and home routers) and used them to launch record-breaking DDoS attacks, most famously against the DNS provider Dyn. Rather than exploiting sophisticated zero-day vulnerabilities, Mirai recruited devices by scanning the internet for open Telnet services and trying a short dictionary of factory-default username/password pairs. Each device that accepted one was enrolled into a centrally controlled botnet capable of launching coordinated DDoS attacks.
The attack demonstrated the systemic risk posed by insecure IoT. By overwhelming a critical piece of internet infrastructure with traffic generated by compromised consumer devices, the attackers caused widespread service disruption across multiple high-profile platforms (such as Twitter, Netflix, and CNN) simultaneously. The significance of this incident lies not only in its scale, but in its asymmetric nature as low-value consumer devices were leveraged to disrupt high-value commercial services.
The Dyn attack peaked at an estimated 1.2 Tbps – roughly twice the size of any previously reported attack – and Dyn estimated that more than 100,000 infected endpoints took part. This demonstrated the disruptive power of insecure IoT. Mirai’s publicly released source code soon spawned many variants, and IoT botnets remain a staple of cybercrime to this day. In the first quarter of 2025 alone, the number of DDoS attacks worldwide jumped 110% year-on-year, driven largely by IoT botnets. One incident that year saw a botnet swell from 1.3 million to 5.8 million compromised IoT devices over a few months – a scale made possible only by the vast, poorly secured IoT population. For businesses, this reinforces the reality that IoT insecurity contributes to systemic internet instability, even when the organisation itself is not the primary target.
Credential Harvesting and the Commoditisation of IoT Access
Beyond direct attacks, insecure IoT devices are increasingly exploited as tradable assets within the cybercriminal ecosystem. Weak or default credentials allow attackers to gain persistent access to IoT devices, which can then be sold, leased, or bundled as part of broader criminal services.
A notable example emerged in 2019 when a hacker compiled a list of 515,000 IoT device credentials (Telnet logins for routers, cameras, etc) by scanning the whole internet, trying factory-default and easily guessed passwords, recording every device that accepted them, and then posting the list online. Such lists – known as “bot lists” – are a hot commodity in the criminal underground, since they provide ready access to half a million devices ripe for malware infection.
This incident highlights how widespread IoT insecurity is: hundreds of thousands of devices openly accessible via Telnet, owing to nothing more than unchanged default passwords. It also shows the marketplace nature of IoT crime as hackers trade compromised device access like commodities. In fact, dark web forums today feature sellers offering hacked IoT devices for as little as $0.50 apiece, complete with the device’s IP address and a how-to guide for obtaining a remote shell. Buying a pre-hacked smart camera or router can let an attacker instantly backdoor a network and pivot to more valuable targets. This commoditisation of IoT exploits has lowered the skill barrier for building botnets or spy networks, since anyone with a few dollars can purchase an army of owned devices. For businesses, this means that insecure IoT devices can indirectly support criminal activity far beyond their immediate environment, increasing legal, ethical, and reputational exposure.
IoT Devices as Entry Points for Targeted Network Intrusion
Not all IoT exploits are about sheer scale; some are targeted intrusions that use an IoT device as the weakest link. A now-famous example is the casino aquarium hack. In 2017, attackers penetrated the network of a North American casino through an internet-connected thermometer in a fish tank in the lobby. The thermometer had a vulnerability that gave them a foothold on the casino’s network. Once inside, they moved laterally in search of high-value data and located the casino’s database of high-roller gamblers. They then exfiltrated that data back out through the thermometer to a cloud server under their control. The inconspicuous fish-tank sensor became an unlikely conduit for a data heist. According to the security firm that investigated, the casino ran numerous IoT systems, from thermostats and HVAC controls to voice assistants, and these smart devices greatly expanded the attack surface while often flying under the radar of IT security defences.
The fish tank incident underscores a critical point: IoT devices inside a corporate network can serve as hidden entry points for attackers to infiltrate and move laterally. A smart TV, smart lock, or IP camera that is trusted on the internal network may be the weakest link that lets an intruder slip past traditional firewalls. From there, they can access sensitive customer data, financial records or other crown jewels, as happened with the casino’s high-roller database. This case also brought home the reputational damage such hacks can cause – the story made headlines worldwide (often with a chuckle at the irony), embarrassing the victim organisation. For businesses, it was a wake-up call that even an innocuous smart appliance needs to be part of the security strategy.
Business Impacts of IoT Exploitation
When IoT devices are compromised, the business consequences can be far-reaching. What begins as a hacked thermostat or infected camera can swiftly translate into operational, financial, legal, and reputational damage.
Operationally, IoT-centric attacks can derail business operations. For example, an attack on industrial IoT sensors or controllers might halt a production line or disrupt a logistics system. Similarly, an IoT-based DDoS (as with Mirai) can knock critical online services offline, interrupting business for hours or days. Even indirect effects are costly: if attackers pivot through a smart device to deploy ransomware on corporate servers, core IT systems could go down. The uptime and reliability that IoT promises can flip to downtime and chaos when those devices are turned against the business. Companies often cite operational downtime as one of the most immediate losses from cyber incidents, including IoT breaches.
The immediate costs of an IoT-related breach can also be huge. There’s the expense of incident response, IT recovery, and replacing compromised equipment. Downtime means lost revenue. For example, if a smart building’s systems are knocked out, a hotel might be unable to check in guests, or a factory might halt production, directly hitting the bottom line. Data breaches via IoT (like the casino hack) can incur notification costs and legal fees. In 2023, cyber incidents (across IT and IoT) cost businesses an estimated $10.5 trillion globally. While that figure spans all cyber threats, it underscores the massive scale of harm. IoT breaches increasingly contribute, whether through facilitating larger attacks or becoming entry points for costly breaches. Insurance may not fully cover these losses, especially if negligence in IoT security is a factor.
In addition to operational and financial risks, IoT-related incidents can trigger regulatory penalties and lawsuits. If customer data or personal information is stolen via an IoT device, the business may face fines under the UK GDPR and the Data Protection Act 2018 for failing to safeguard that data. IoT devices in sectors like healthcare or finance may fall under specific security regulations, and a breach could indicate non-compliance with required controls. Regulators are paying more attention to IoT security; for instance, the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act 2022, whose product security regime came into force in April 2024, mandates baseline security for consumer connectable products (no universal default passwords, a published vulnerability disclosure policy, transparency about the minimum security update period, and so on). Companies that deploy IoT at scale need to ensure their vendors meet such standards or risk liability. Beyond government fines, there is also potential legal action from customers or partners. For example, if an insecure IoT device in a factory causes a safety incident or data leak, affected parties might sue for damages.
A breach via IoT can also have reputational consequences. These incidents often attract media attention because IoT hacks make for catchy stories (“Hacked by a Fish Tank” was irresistibly reported in the casino case). The novelty factor amplifies coverage and embarrassment. Customers and investors may lose trust in a company that falls victim to an IoT-driven breach, seeing it as a failure to manage basics. In the worst case, if an IoT incident endangers public safety (e.g. a hacked connected car or smart building), the reputational fallout is even more severe. Rebuilding trust after such events is difficult and costly. For businesses championing their digital innovation, an IoT security fiasco undermines that message and can make stakeholders more cautious about further technology initiatives.
In summary, an IoT breach can hit a company on multiple fronts: operations grind to a halt, money is lost, regulators take an interest, and the brand falters. The interconnected nature of IoT means a single weak device can cascade into a large-scale crisis. Managing IoT risk is therefore now a fundamental part of enterprise risk management.
Mitigating IoT Risk: Best Practices for Businesses
Given the risks, businesses must take proactive steps to secure their IoT deployments. Effective IoT security requires a blend of technical measures and governance practices, often extending traditional IT security controls to a new class of devices. The strategies below address the most pertinent IoT-related threats.
The first is network segmentation and zero trust. In line with National Cyber Security Centre (NCSC) guidance, best practice is not to trust IoT devices on the main business network but to isolate them in separate network segments or VLANs with strict access controls. For example, security cameras and smart thermostats should sit on a subnet that cannot directly reach sensitive corporate servers, so that even if a device is compromised, attackers cannot easily leapfrog to those servers. Many modern routers and network platforms support a separate IoT network with internet access but no access to internal assets. Adopting a zero-trust mindset is critical: in practice this means firewall rules, identity management, and intrusion detection for IoT segments, and explicit prevention of lateral movement from IoT to IT systems. The casino fish tank case shows the value of segmentation in the negative – had the thermometer been on an isolated network, the attackers would not have reached the high-roller database.
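To make the segmentation rule concrete, here is an added example (not from the original article or from NCSC guidance) that models a first-match, default-deny firewall policy and checks it against the flows the paragraph argues for. The zones, addresses and ports, including the database port 1433, are constructed assumptions. The point it demonstrates is that rule order is part of the policy: moving the broad “IoT to internet” allow above the “IoT to private ranges” deny silently reopens the path from the thermometer to the database.

```python
"""Check an IoT segmentation policy before it is pushed to the firewall.

Added example, not code from the original article or from the NCSC. It models a
first-match, default-deny rule base and checks it against the flows the article
argues for: the IoT segment may reach the internet and an internal NTP server but
must never reach the corporate server segment. All addresses, ports and zone names
are constructed assumptions; the database port 1433 is likewise assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any destination port
    action: str            # "allow" or "deny"


ZONES = {
    "corp": "10.10.0.0/16",      # corporate servers, including the high-roller database
    "iot": "10.50.0.0/16",       # cameras, thermostats, the fish-tank thermometer
    "ntp": "10.10.1.5/32",       # the one corporate host IoT may talk to
    "anywhere": "0.0.0.0/0",
}

# Order matters: specific allows first, then an explicit deny of IoT into any
# private range, and only then the broad "IoT to internet" allow.
POLICY = [
    Rule(ZONES["iot"], ZONES["ntp"], "udp", 123, "allow"),
    Rule(ZONES["iot"], "10.0.0.0/8", "any", None, "deny"),
    Rule(ZONES["iot"], ZONES["anywhere"], "tcp", 443, "allow"),
    Rule(ZONES["corp"], ZONES["iot"], "tcp", 554, "allow"),   # NVR pulls RTSP from cameras
]


def matches(rule, src, dst, proto, dport):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def decide(policy, src, dst, proto, dport):
    """First matching rule wins; anything unmatched is dropped."""
    for rule in policy:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


# (src, dst, proto, dport, expected decision): the behaviour we want to guarantee.
EXPECTATIONS = [
    ("10.50.3.7", "10.10.1.5", "udp", 123, "allow"),        # thermometer syncs time
    ("10.50.3.7", "203.0.113.10", "tcp", 443, "allow"),     # thermometer to vendor cloud
    ("10.50.3.7", "10.10.20.15", "tcp", 1433, "deny"),      # thermometer to database
    ("10.50.3.7", "10.10.20.15", "tcp", 443, "deny"),       # ...nor via HTTPS
    ("10.50.3.7", "203.0.113.10", "tcp", 22, "deny"),       # no outbound SSH
    ("10.10.20.15", "10.50.3.21", "tcp", 554, "allow"),     # NVR to lobby camera
]


def audit(policy, expectations=EXPECTATIONS):
    """Return every expectation the policy violates, with the decision it actually made."""
    violations = []
    for src, dst, proto, dport, expected in expectations:
        actual = decide(policy, src, dst, proto, dport)
        if actual != expected:
            violations.append((src, dst, proto, dport, expected, actual))
    return violations


def without_deny_before_internet(policy):
    """A plausible mistake: someone moves the broad internet allow above the deny."""
    broad = [r for r in policy if r.dst == ZONES["anywhere"]]
    rest = [r for r in policy if r.dst != ZONES["anywhere"]]
    return broad + rest


if __name__ == "__main__":
    print("violations in POLICY:", audit(POLICY))
    print("violations after reordering:", audit(without_deny_before_internet(POLICY)))
```

The expectations list doubles as documentation of the segmentation design, and keeping it under version control next to the real rule base means a change review can run the same check against the proposed ruleset before it is deployed.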
A second strategy is a comprehensive asset inventory: a business cannot secure what it does not know exists. Sepio, a risk management platform vendor, recommends maintaining an up-to-date inventory of all IoT devices connected to enterprise networks, tracking device type, location, software/firmware version, and the owner or responsible team. Because IoT devices are often deployed outside traditional IT (by facilities teams, labs, etc), discovery processes matter: periodically scan networks for unknown devices or use IoT discovery tools. An accurate inventory shows which devices need updates or pose high risk, and it speeds up incident response by making clear which device is the likely source of suspicious traffic. The US government now requires federal agencies to keep IoT device inventories to bolster cyber defences – businesses would be wise to follow suit as a baseline security practice.
There is also a point to be made about secure configuration and access control. As noted above, IoT devices are too often left in their “plug-and-play” state. Every IoT device should instead be hardened on installation. The NCSC advises changing default passwords immediately and using strong, unique credentials or, where feasible, integrating devices into enterprise authentication. Many devices support only HTTP or other cleartext protocols; wherever possible, switch them to encrypted alternatives (HTTPS, SSH) or place them behind a VPN to shield their traffic. If a device supports multi-factor authentication or client certificates, use them. Physical security also matters, since many IoT devices (e.g. smart controllers) sit in public or unguarded spaces where they can be tampered with. In short, treat IoT devices as untrusted endpoints: minimise their privileges, turn off default “plug-and-play” openness, and lock them down as far as their firmware allows.
Standard cyber hygiene also demands regular patching and updates, so a plan (and budget) for firmware updates on IoT gear is essential. This is easier said than done, as IoT devices may not auto-update and some vendors are slow to issue patches, but the goal remains to keep devices current. Apply available security patches promptly, especially for critical vulnerabilities; if a device cannot be updated and has known flaws, phase it out or, at a minimum, isolate it. The importance of patching was underscored by the finding that outdated software is rampant in enterprise IoT, with one device running a bootloader over 15 years old. If manual updating is impractical for a large fleet, IoT device management platforms that can push updates, or at least track firmware versions, are worth considering. It is also often forgotten that the cloud services and mobile apps tied to an IoT device must be kept updated too, since those are avenues of compromise in their own right (the OWASP IoT Top 10 lists insecure ecosystem interfaces, including cloud and mobile interfaces, as a risk of its own).
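The inventory and patching points above come together in one routine check: reconcile what is actually on the IoT segment (here, DHCP leases) against the asset register and a firmware baseline. The following is an added example, not code from the original article or from Sepio; the lease lines, the OUI-to-vendor table (placeholders standing in for the IEEE OUI registry, not real assignments), the inventory and the minimum firmware versions are all constructed.

```python
"""Reconcile what is actually on the IoT segment with the asset inventory.

Added example, not code from the original article or from Sepio. It parses DHCP
lease lines in dnsmasq's format, looks up each MAC's OUI in a small vendor table,
and reports devices unknown to the inventory, devices below the firmware baseline,
and inventory entries that have not been seen on the network. The lease lines, OUI
table, inventory and baselines are all constructed; the OUI-to-vendor mappings are
placeholders for the IEEE registry, not real assignments.
"""
import re

# dnsmasq.leases format: <expiry-epoch> <mac> <ip> <hostname-or-*> <client-id-or-*>
LEASES = """\
1735689600 a4:da:22:10:ab:cd 10.50.3.7 fishtank-therm 01:a4:da:22:10:ab:cd
1735689610 00:1b:44:55:66:77 10.50.3.21 ipcam-lobby 01:00:1b:44:55:66:77
1735689620 00:1b:44:55:66:78 10.50.3.22 * 01:00:1b:44:55:66:78
1735689630 3c:5a:b4:00:11:22 10.50.3.40 hvac-ctl-1 *
"""

OUI_VENDORS = {            # constructed placeholders for the IEEE OUI registry
    "a4:da:22": "ThermoSense",
    "00:1b:44": "CamCo",
}

INVENTORY = {              # MAC -> what the asset register believes, owner included
    "a4:da:22:10:ab:cd": {"name": "Fish tank thermometer", "owner": "Facilities", "firmware": "2.3.1"},
    "00:1b:44:55:66:77": {"name": "Lobby IP camera", "owner": "Security", "firmware": "v5.1.0"},
    "3c:5a:b4:00:11:22": {"name": "HVAC controller 1", "owner": "Facilities", "firmware": "1.0.9-build7"},
    "3c:5a:b4:00:11:23": {"name": "HVAC controller 2", "owner": "Facilities", "firmware": "1.2.0"},
}

MIN_FIRMWARE = {           # OUI -> lowest version without known unpatched issues (assumed)
    "a4:da:22": "2.4.0",
    "00:1b:44": "5.1.0",
    "3c:5a:b4": "1.2.0",
}


def parse_leases(text):
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        devices.append({"mac": parts[1].lower(), "ip": parts[2],
                        "hostname": None if parts[3] == "*" else parts[3]})
    return devices


def oui(mac):
    return mac[:8]


def version_tuple(version):
    """'v5.1.0' -> (5, 1, 0); '1.0.9-build7' -> (1, 0, 9, 7). Tuples compare element-wise."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def reconcile(seen, inventory=INVENTORY, baselines=MIN_FIRMWARE, vendors=OUI_VENDORS):
    findings = []
    for dev in seen:
        mac, vendor = dev["mac"], vendors.get(oui(dev["mac"]), "unknown vendor")
        entry = inventory.get(mac)
        if entry is None:
            findings.append({"mac": mac, "ip": dev["ip"], "vendor": vendor,
                             "issue": "unknown device"})
            continue
        floor = baselines.get(oui(mac))
        if floor and version_tuple(entry["firmware"]) < version_tuple(floor):
            findings.append({"mac": mac, "ip": dev["ip"], "vendor": vendor,
                             "issue": "firmware below baseline",
                             "detail": f"{entry['firmware']} < {floor}, owner {entry['owner']}"})
    seen_macs = {d["mac"] for d in seen}
    for mac, entry in inventory.items():
        if mac not in seen_macs:
            findings.append({"mac": mac, "ip": None, "vendor": vendors.get(oui(mac), "unknown vendor"),
                             "issue": "in inventory but not seen on network"})
    return findings


if __name__ == "__main__":
    for finding in reconcile(parse_leases(LEASES)):
        print(finding)
```

Each finding carries the owner from the register, which is what turns the output into work that can actually be assigned: an unknown camera goes to whoever runs the segment, an out-of-date thermometer goes to Facilities, and a controller that has vanished from the network is either decommissioned (and should be removed from the register) or has been moved somewhere it should not be.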
A final element of IoT cyber hygiene is monitoring and anomaly detection. Businesses should bring IoT devices into their security monitoring and incident response processes and ensure that network monitoring covers IoT segments: unusual outbound traffic, strange DNS queries from an IP camera, or a normally quiet sensor suddenly communicating with an unfamiliar server could all indicate compromise. Specialised IoT security tools can baseline normal device behaviour and alert on deviations (a smart thermostat should not be initiating large data transfers). Even without dedicated tooling, enable logging where the device supports it – many can forward logs to a Security Information and Event Management (SIEM) system – and capture flow records from the IoT segment. In essence, situational awareness of IoT devices should be maintained at all times. When an incident does occur, the response playbook must cover IoT (how to quarantine a compromised device, how to factory reset it and verify its firmware afterwards, and so on), because a speedy response can mean the difference between a minor contained issue and a full-blown breach.
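As an added example of the baselining described above (not code from the original article), the block below profiles each IoT device's destinations and daily outbound volume over a quiet period and then flags flows in a later window that go somewhere new, use a new port, or exceed a multiple of the device's busiest baseline day. The flow records are constructed to resemble a NetFlow or Zeek conn summary and are not real traffic; the 3× volume factor is an assumption to tune per device class.

```python
"""Baseline-and-alert on per-device outbound flows from an IoT segment.

Added example, not code from the original article. It builds, per device, the set
of (destination, port) pairs and the daily outbound byte totals over a quiet
baseline window, then flags later flows that go to a destination never seen before,
use a port the device never used before, or whose daily volume exceeds a multiple
of the device's busiest baseline day. The flow records are constructed to resemble
a NetFlow/Zeek conn summary and are not real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    day: str        # calendar day the flow was logged on (YYYY-MM-DD)
    src: str        # IoT device address
    dst: str        # destination address
    dport: int
    bytes_out: int  # bytes sent by src


# Constructed baseline: a thermometer reporting a few KB a day to its vendor cloud
# and a camera streaming RTSP to the internal recorder.
BASELINE = [
    Flow("2025-01-06", "10.50.3.7", "203.0.113.10", 443, 4_200),
    Flow("2025-01-07", "10.50.3.7", "203.0.113.10", 443, 3_900),
    Flow("2025-01-08", "10.50.3.7", "203.0.113.10", 443, 5_100),
    Flow("2025-01-06", "10.50.3.21", "10.10.5.9", 554, 950_000_000),
    Flow("2025-01-07", "10.50.3.21", "10.10.5.9", 554, 970_000_000),
    Flow("2025-01-08", "10.50.3.21", "10.10.5.9", 554, 940_000_000),
]

# Constructed detection window: the thermometer suddenly pushes ~48 MB to a new host.
WINDOW = [
    Flow("2025-01-09", "10.50.3.7", "203.0.113.10", 443, 4_000),
    Flow("2025-01-09", "10.50.3.7", "198.51.100.25", 443, 48_000_000),
    Flow("2025-01-09", "10.50.3.21", "10.10.5.9", 554, 960_000_000),
]


def build_baseline(flows):
    """Per device: known (dst, port) pairs and the largest daily byte total observed."""
    profile = {}
    daily = defaultdict(int)
    for f in flows:
        p = profile.setdefault(f.src, {"peers": set(), "max_daily_bytes": 0})
        p["peers"].add((f.dst, f.dport))
        daily[(f.src, f.day)] += f.bytes_out
    for (src, _day), total in daily.items():
        profile[src]["max_daily_bytes"] = max(profile[src]["max_daily_bytes"], total)
    return profile


def detect(profile, flows, volume_factor=3.0):
    """Return alerts as (device, day, reason, detail); devices with no baseline are alerted too."""
    alerts = []
    daily = defaultdict(int)
    for f in flows:
        p = profile.get(f.src)
        if p is None:
            alerts.append((f.src, f.day, "no baseline for device", f"{f.dst}:{f.dport}"))
            continue
        if (f.dst, f.dport) not in p["peers"]:
            known_dsts = {d for d, _ in p["peers"]}
            reason = "new destination" if f.dst not in known_dsts else "new port to known destination"
            alerts.append((f.src, f.day, reason, f"{f.dst}:{f.dport} ({f.bytes_out} bytes)"))
        daily[(f.src, f.day)] += f.bytes_out
    for (src, day), total in daily.items():
        ceiling = profile[src]["max_daily_bytes"] * volume_factor
        if total > ceiling:
            alerts.append((src, day, "outbound volume spike",
                           f"{total} bytes vs baseline max {profile[src]['max_daily_bytes']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE), WINDOW):
        print(alert)
```

Two things to note when turning this into production detection: the baseline must come from a window you are confident was clean (a baseline captured after the thermometer was already exfiltrating would teach the detector that 48 MB a day is normal), and the volume threshold should be set per device class, since a camera's normal day is millions of times larger than a sensor's.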
Implementing these measures will significantly strengthen an organisation’s IoT security posture. While no device can be made 100% hack-proof, a combination of segmentation, hardening, vigilant patching, and monitoring can thwart the vast majority of opportunistic attacks and limit the damage from any successful exploit. Equally important is cultivating a mindset that IoT risk is manageable with the right strategies – neither panic nor complacency, but steady, proactive defence.
Navigating Future IoT Threats and Strengthening Resilience
The Internet of Things will only continue to grow in scale and influence, and with it, the threat landscape will evolve. Looking ahead, several trends stand out.
Firstly, attackers are honing their IoT techniques, from AI-driven malware that can automatically find and exploit IoT weaknesses to more sophisticated multi-stage attacks that use IoT devices as stepping stones. We’re seeing an arms race where botnets like Mirai are periodically eclipsed by even larger swarms, and the time from vulnerability disclosure to active exploitation is shrinking. This means organisations must be quicker and smarter in patching and protecting devices, as criminals won’t sit still.
Secondly, regulatory and industry initiatives are ramping up. Governments in the UK, EU, US, and beyond have recognised IoT security as a national security and consumer safety issue. The UK’s PSTI Act and California’s IoT law are early examples forcing manufacturers to uplift security. The EU’s Cyber Resilience Act, adopted in 2024 with most of its obligations applying from 2027, extends security-by-design requirements to a much broader range of connected products. We can expect new standards, certification schemes (e.g. IoT security labels), and possibly liability for manufacturers of insecure IoT. For businesses this is a welcome development, as over time the baseline quality of IoT products should improve. But regulation alone is not a panacea, and companies must still perform due diligence rather than assume every smart device is safe out of the box.
Thirdly, the convergence of IoT with critical infrastructure and AI raises the stakes. As more operational technology (OT) and industrial systems get IoT sensors and remote controls, the potential impact of IoT attacks extends to physical processes such as smart grids, connected cars, and even medical devices. A breach in those contexts could threaten public safety, not just data. Moreover, the rise of cloud-connected AI decision systems means that trust is centralised: if attackers corrupt the data feeding an AI (via compromised IoT sensors) they might influence decisions at scale. We are moving toward highly interconnected ecosystems where the security of individual “things” merges into the security of an entire automated network. As one researcher observed, the challenge now is securing the whole infrastructure of trust and data that underpins our smart world, not just individual gadgets.
In this future, businesses need to embrace a strategic, continuous approach to IoT risk management. That includes embedding IoT in cyber resilience planning (from architecture design to incident drills) and cultivating threat intelligence capabilities focused on IoT/OT threats. Leading organisations are already expanding their security operations to cover IoT – for example, by integrating device telemetry into SOC monitoring and by conducting regular audits of IoT device security. Proactive monitoring and situational awareness are key: firms should know if there’s a surge in IoT-targeted attacks in their industry or new vulnerabilities affecting their camera models and take action before an incident hits. Collaboration between IT security teams and operational teams (facilities, manufacturing, etc) is also crucial so that IoT issues are not overlooked.
Ultimately, maintaining trust in the IoT-driven business ecosystem will be a collective effort. The good news is that awareness of IoT risks is higher than ever, and solutions – from technical safeguards to policy frameworks – are emerging to address these challenges. By staying informed about trends, investing in robust protections, and fostering a culture of security around connected devices, businesses can reap the benefits of IoT innovation without inviting the wrath of the hackers. The Internet of Things can be a powerful ally for efficiency and insight, provided we manage its risks with eyes open. In the end, achieving global situational awareness in cybersecurity will increasingly mean keeping a close watch on all our “things” as they become an inseparable part of the fabric of business operations worldwide.