What Is IoT Security? Vulnerabilities, Botnets, and Protecting Connected Devices

The Internet of Things (IoT) connects billions of devices — smart cameras, routers, industrial sensors, medical devices — to the internet, dramatically expanding the attack surface for cyber threats. IoT devices often ship with weak security defaults and receive infrequent updates, making them prime targets for attackers building botnets and gaining network access. This article examines IoT-specific risks and security strategies.

InfoNexus Editorial Team · May 7, 2026 · 7 min read

What Is IoT and Why Does Security Matter?

The Internet of Things (IoT) refers to the vast and rapidly growing ecosystem of physical devices — beyond traditional computers and smartphones — that are connected to the internet and can collect, transmit, and receive data. This includes consumer devices (smart TVs, home routers, IP cameras, smart speakers, thermostats, baby monitors), industrial equipment (SCADA systems, industrial control systems, factory sensors), healthcare devices (connected insulin pumps, pacemakers, hospital monitoring equipment), smart infrastructure (traffic sensors, utility meters, building management systems), and transportation (connected vehicles, fleet tracking systems).

IoT deployments have grown to an estimated 16 billion active devices as of 2024, and forecasts project continued rapid growth. Each connected device represents a potential entry point into a network. The security challenges of IoT are distinct from traditional IT security: devices often have minimal processing power and memory (making security software impractical), run embedded firmware rather than general-purpose operating systems, have long operational lifetimes that outlast vendor support cycles, are frequently deployed in difficult-to-access physical locations, and are managed by users who may have no technical security knowledge.

The IoT Attack Surface

IoT devices present an unusually large and poorly defended attack surface. The most pervasive vulnerabilities include:

  • Default credentials: Many IoT devices ship with well-known default username/password combinations (admin/admin, admin/password, root/root) that users never change. Attackers maintain databases of these defaults and can compromise a device within minutes of its being connected to the internet.
  • Unpatched firmware: Manufacturers frequently fail to provide timely security updates for IoT devices, and users often do not apply updates even when available. Many consumer IoT devices receive no security patches at all after sale. Vulnerabilities in device firmware can persist for years after they are publicly known.
  • Insecure communication: Many IoT devices transmit data without encryption, allowing eavesdropping. Some use outdated or cryptographically weak protocols. Devices that communicate with cloud services may use poor certificate validation, making them vulnerable to man-in-the-middle attacks.
  • Exposed services: IoT devices often run unnecessary network services — Telnet, FTP, web servers with debugging interfaces — that expose additional attack surface. Many devices have undocumented backdoor accounts left by manufacturers for debugging purposes.
  • Physical access vulnerabilities: Devices deployed in publicly accessible locations may be vulnerable to physical attacks — such as reading firmware from debug ports (JTAG, UART) or extracting credentials from device storage.

The Mirai Botnet: A Turning Point

The Mirai botnet, which emerged in August 2016, became one of the most consequential cybersecurity events in IoT history. Created by three college students, Mirai was a worm that propagated by scanning the internet for IoT devices (particularly IP cameras and DVRs) with open Telnet ports and attempting to log in using a list of 61 factory-default credential pairs. Devices that succumbed became part of the Mirai botnet, awaiting commands from the operators' command-and-control infrastructure.

At its peak, Mirai comprised approximately 600,000 compromised devices. On September 20, 2016, it launched a record-breaking DDoS attack against the blog of cybersecurity journalist Brian Krebs, peaking at 620 Gbps. On October 21, 2016, Mirai was directed against Dyn, a major DNS provider whose infrastructure underpins much of the internet. The attack disrupted access to Twitter, Netflix, Reddit, Airbnb, CNN, and hundreds of other major services for hours across much of the eastern United States — demonstrating that insecure IoT devices could be weaponized to cause widespread internet disruption.

After Mirai's source code was released publicly in October 2016, dozens of variants appeared, incorporating additional exploits, targeting a wider range of device types, and adding capabilities beyond DDoS. Mirai variants remain active today, and IoT botnets have grown to include capabilities such as cryptomining and ransomware delivery.

Network Segmentation for IoT

Network segmentation is one of the most effective IoT security controls available to both enterprises and home users. The principle is simple: IoT devices should not reside on the same network segment as computers containing sensitive data or critical enterprise systems. If an IoT device is compromised, network segmentation limits the attacker's ability to move laterally to higher-value targets.

In enterprise environments, this means placing IoT devices in dedicated VLANs with firewall rules that permit only the specific traffic the devices need to function — for example, a security camera that streams to a specific video management server should only be permitted to communicate with that server, not with the broader corporate network or internet at large. IoT management systems and monitoring should be on separate, dedicated networks.

Home users can implement basic segmentation using consumer routers that support a guest network feature — placing IoT devices on the guest network (which is isolated from the main LAN) while keeping computers, phones, and NAS devices on the primary network. More capable home routers (including those running OpenWrt or pfSense) support full VLAN-based segmentation.
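The following monitor is an added example (not code from the article or any vendor) that ties together the two preceding sections: it checks flow records leaving an IoT VLAN against the camera-to-VMS allowlist the segmentation section describes, and it flags the Mirai-style behaviour described above, a device fanning out to many hosts on Telnet ports 23/2323 in a short window. The VLAN, server addresses, ports (RTSP 554 and HTTPS 443 for the camera's traffic, internal DNS and NTP), thresholds, and the flow-record format are all assumptions constructed for the example.

```python
"""Flow-log monitor for an IoT VLAN, covering two of the article's points:
(1) least-privilege segmentation: a camera may talk only to its video
    management server (plus internal DNS/NTP); everything else is a violation;
(2) Mirai-style propagation: a device that fans out to many hosts on
    Telnet ports 23/2323 inside a short window is probably infected.
Added example; addresses, ports and log records are constructed, not real."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (assumptions, not from the article).
IOT_VLAN = ip_network("10.20.0.0/24")           # camera VLAN
ALLOW = [                                       # (dst network, proto, dst port)
    (ip_network("10.10.5.10/32"), "tcp", 554),  # RTSP stream to the VMS
    (ip_network("10.10.5.10/32"), "tcp", 443),  # camera management API on the VMS
    (ip_network("10.10.0.53/32"), "udp", 53),   # internal DNS resolver
    (ip_network("10.10.0.123/32"), "udp", 123), # internal NTP
]
TELNET_PORTS = {23, 2323}                       # ports Mirai's scanner probed


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """One record in the constructed 'ts src dst proto dport' format."""
    ts, src, dst, proto, dport = line.split()
    return Flow(int(ts), src, dst, proto.lower(), int(dport))


def violations(flows):
    """Flows from the IoT VLAN that no allowlist entry permits (default deny)."""
    out = []
    for f in flows:
        if ip_address(f.src) not in IOT_VLAN:
            continue                     # this monitor polices the IoT segment only
        dst = ip_address(f.dst)
        permitted = any(dst in net and f.proto == proto and f.dport == port
                        for net, proto, port in ALLOW)
        if not permitted:
            out.append(f)
    return out


def telnet_fanout(flows, window=60, threshold=10):
    """Map src -> max number of distinct hosts it contacted on Telnet ports
    within any `window`-second span, for sources at or above `threshold`."""
    per_src = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport in TELNET_PORTS:
            per_src[f.src].append((f.ts, f.dst))
    flagged = {}
    for src, hits in per_src.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1                  # slide the window forward
            distinct = len({dst for _, dst in hits[lo:hi + 1]})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


# Constructed sample: camera .15 behaves apart from two stray connections and
# one Telnet attempt; camera .77 probes twelve hosts on port 23 in 12 seconds.
SAMPLE_LOG = [
    "1000 10.20.0.15 10.10.5.10 tcp 554",
    "1001 10.20.0.15 10.10.0.53 udp 53",
    "1002 10.20.0.15 10.10.1.20 tcp 445",    # file share on the corporate LAN
    "1003 10.20.0.15 203.0.113.5 tcp 80",    # direct internet access
    "1004 10.10.1.20 203.0.113.9 tcp 443",   # corporate host; not policed here
    "1005 10.20.0.15 10.10.1.21 tcp 23",     # single Telnet attempt, below threshold
] + [f"{1010 + i} 10.20.0.77 198.51.100.{i + 1} tcp 23" for i in range(12)]


def report(lines=SAMPLE_LOG):
    flows = [parse_flow(line) for line in lines]
    return {"violations": len(violations(flows)), "scanners": telnet_fanout(flows)}


if __name__ == "__main__":
    print(report())
```

Two design points: the allowlist is evaluated as default deny, so anything not explicitly permitted from the IoT VLAN is reported, which mirrors how the VLAN firewall rules themselves should be written; and the fan-out detector counts distinct destinations rather than raw connection count, so a camera retrying one host does not trip it while a device sweeping an address range does.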

Secure Boot and Firmware Security

Secure boot is a hardware-level security mechanism that verifies the cryptographic signature of each stage of the boot process — from the bootloader through the operating system kernel and firmware — before allowing it to execute. This prevents attackers who have gained physical access to a device from loading modified firmware or alternative operating systems that bypass security controls. Secure boot is now a requirement in many enterprise IoT procurement standards and is increasingly required for connected medical devices by the FDA.

Beyond secure boot, firmware security best practices include: signing firmware updates and verifying signatures before installation (preventing attackers from flashing malicious firmware); encrypting sensitive data stored in device flash memory; disabling unnecessary debug interfaces (JTAG, UART) in production firmware; using memory-safe languages or mitigations (stack canaries, ASLR) to reduce exploit impact; and performing regular security assessments of firmware through static analysis and dynamic testing.
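To make the chain-of-trust logic concrete, here is an added example (not code from the article or any device vendor) of a staged verified boot with signed-manifest checking and anti-rollback: each stage measures the next image, compares it with the manifest, and halts rather than executing on mismatch. One assumption to be clear about: a real boot ROM verifies an asymmetric signature on the manifest against a public-key hash in one-time-programmable fuses; this example substitutes HMAC-SHA256 with a constructed device-provisioned key so it runs with the standard library only. The stage images, key, and version numbers are constructed.

```python
"""Staged verified boot with anti-rollback, as an added example.
Each stage measures the next stage's image and compares it with an
authenticated manifest before handing over control; the chain halts at the
first mismatch. A real ROM verifies the manifest's asymmetric signature against
a public-key hash burned into OTP fuses; here HMAC-SHA256 with a constructed
device-provisioned key stands in for that signature check (an assumption of
this example, not the article's description)."""
import hashlib
import hmac
import json

STAGE_ORDER = ["bootloader", "kernel", "rootfs"]
DEVICE_KEY = b"constructed-manifest-authentication-key"  # stand-in for the vendor signing key

# Constructed stage images (real ones would be the flash partitions).
IMAGES_V2 = {
    "bootloader": b"constructed bootloader image, release 2",
    "kernel": b"constructed kernel image, release 2",
    "rootfs": b"constructed root filesystem, release 2",
}


class BootFailure(Exception):
    """Raised when the chain must halt instead of executing an unverified stage."""


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(body: dict) -> bytes:
    # Canonical encoding so signer and verifier authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(images: dict, version: int, key: bytes = DEVICE_KEY) -> dict:
    """Vendor/build side: record each stage's digest plus the release version."""
    body = {"version": version, "stages": {s: digest(images[s]) for s in STAGE_ORDER}}
    return {"body": body, "tag": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


def verify_manifest(manifest: dict, key: bytes = DEVICE_KEY) -> dict:
    expected = hmac.new(key, canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):  # constant-time comparison
        raise BootFailure("manifest authentication failed")
    return manifest["body"]


def boot(images: dict, manifest: dict, min_version: int, key: bytes = DEVICE_KEY):
    """Device side. Returns (stages handed control, updated anti-rollback floor)."""
    body = verify_manifest(manifest, key)
    if body["version"] < min_version:
        raise BootFailure(f"rollback refused: release {body['version']} < floor {min_version}")
    executed = []
    for stage in STAGE_ORDER:
        if digest(images[stage]) != body["stages"][stage]:
            raise BootFailure(f"{stage} does not match manifest; halting before execution")
        executed.append(stage)           # control passes to the verified stage
    # Raise the floor only after the whole chain verified, so a half-applied
    # update cannot lock the device out of its last good release.
    return executed, max(min_version, body["version"])


def try_boot(images, manifest, min_version, key=DEVICE_KEY) -> str:
    """Convenience wrapper that reports the outcome as a string."""
    try:
        executed, floor = boot(images, manifest, min_version, key)
        return f"booted {'>'.join(executed)}; rollback floor now {floor}"
    except BootFailure as e:
        return f"halted: {e}"


if __name__ == "__main__":
    good = build_manifest(IMAGES_V2, 2)
    print(try_boot(IMAGES_V2, good, 1))                      # clean boot
    tampered = dict(IMAGES_V2, kernel=b"modified kernel")
    print(try_boot(tampered, good, 1))                       # kernel digest mismatch
    print(try_boot(tampered, build_manifest(tampered, 2, key=b"attacker key"), 1))  # forged manifest
    print(try_boot(IMAGES_V2, build_manifest(IMAGES_V2, 1), 2))  # downgrade refused
```

The four runs at the bottom exercise the cases that matter in practice: a modified image with a genuine manifest, a manifest re-generated by someone without the key, and a genuine but older release being replayed against a device whose rollback floor has already moved on.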

Regulatory Frameworks and Industry Standards

Governments are increasingly regulating IoT security. The UK's Product Security and Telecommunications Infrastructure (PSTI) Act (effective 2024) prohibits the sale of consumer IoT products with default or easily guessable passwords, requires manufacturers to publish vulnerability disclosure policies, and mandates disclosure of the minimum period for which security updates will be provided. The U.S. IoT Cybersecurity Improvement Act of 2020 requires IoT devices purchased by the federal government to meet NIST security guidelines. The EU's Cyber Resilience Act (2024) extends mandatory security requirements to all IoT products sold in the European market.

Industry standards such as NIST's Considerations for Managing IoT Cybersecurity and Privacy Risks (SP 800-213) and ETSI's EN 303 645 (a European consumer IoT security baseline) provide frameworks for device manufacturers and deployers. The ioXt Alliance certifies consumer IoT products against defined security baseline requirements. These frameworks share common themes: ban default passwords, require timely security updates, minimize attack surface, and provide mechanisms for users and researchers to report vulnerabilities.
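As an added example (not code from the article, PSTI, ETSI, or any vendor), the following provisioning-time check implements the rule shared by the default-credentials bullet in the attack-surface section and the regulatory baselines above: no factory default and no easily guessable password. It rejects the default pairs the article names, passwords that embed the username or a printed device identifier such as a serial number or MAC address, and low-variety strings, and it generates a unique random per-device password that passes the same policy. The common-password list, minimum length, and identifiers are constructed assumptions.

```python
"""Provisioning-time credential policy, as an added example of the 'no default or
easily guessable password' requirement. Rejects factory defaults, passwords that
embed the username or a printed device identifier, and low-variety strings;
generates a unique random per-device password that satisfies the policy.
Default pairs are the ones the article names; the other lists are constructed."""
import re
import secrets
import string

KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
COMMON_PASSWORDS = {"admin", "password", "root", "default", "12345", "123456"}  # constructed
MIN_LENGTH = 12  # constructed policy value
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def _normalize(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())


def derived_from_identifier(password: str, identifiers) -> bool:
    """True if any 6-character run of a public identifier (serial number, MAC
    address; both printed on the label) appears in the password."""
    pw = _normalize(password)
    for ident in identifiers:
        tok = _normalize(ident)
        windows = [tok] if len(tok) <= 6 else [tok[i:i + 6] for i in range(len(tok) - 5)]
        if any(w and w in pw for w in windows):
            return True
    return False


def check_credential(username: str, password: str, identifiers=()) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if (username.lower(), password.lower()) in KNOWN_DEFAULTS:
        problems.append("known factory default")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if derived_from_identifier(password, identifiers):
        problems.append("derived from a printed device identifier")
    if sum(any(c in cls for c in password) for cls in CHARACTER_CLASSES) < 3:
        problems.append("fewer than three character classes")
    return problems


def provision_password(username: str, identifiers=(), length: int = 16) -> str:
    """Generate a random per-device password from the OS CSPRNG and keep drawing
    until it passes the same policy users are held to."""
    while True:
        candidate = secrets.token_urlsafe(length)[:length]
        if not check_credential(username, candidate, identifiers):
            return candidate


if __name__ == "__main__":
    print(check_credential("admin", "admin"))
    print(check_credential("camera", "SN-A1B2C3D4-ops", ["A1B2C3D4"]))
    print(provision_password("camera", ["A1B2C3D4", "00:11:22:33:44:55"]))
```

The identifier check is the part most often missed: a password that is unique per device but derived from the serial number or MAC printed on the label is still guessable by anyone who can read the label or see the device on the LAN, which is why the generated password comes from the CSPRNG rather than from any device attribute.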
