By 2025 there were over 21 billion connected IoT devices worldwide, a figure expected to rise to an estimated 39 billion by 2030 and 50 billion by 2035, says Sam Cockbain in a blog for Global Situational Awareness. This explosive adoption underscores how deeply IoT has become embedded in modern business operations, from smart warehouses and factories to connected offices and retail systems.
Companies deploy IoT to monitor equipment, automate processes, and gain real-time insights, driving efficiency and innovation across industries. In the UK alone, 76% of businesses had mid-sized IoT deployments (1,000–10,000 devices) by 2025, a leap from just 51% in 2021 – evidence that IoT has moved from experimental pilots to becoming a core part of business transformation. IoT is now a proven driver of operational efficiency, resilience, and even sustainability in enterprises.
However, this ubiquity is a double-edged sword. Every connected thermostat, camera, or sensor is also an internet-facing computer that can introduce new vulnerabilities. The expanded attack surface is attracting cybercriminals who seek to exploit any weak link, and high-profile incidents have shown that insecure IoT devices can be a gateway for crime. It is therefore worth examining the real-world threats arising from IoT insecurity and their business impact, from both a global and a UK-centric point of view, along with practical steps for mitigating IoT risk and why proactive monitoring and strategic risk management are essential in an ever more connected world.
Common Vulnerabilities in IoT Devices
IoT devices often lack the robust protections found in traditional IT systems. Criminals tend to target IoT because many devices ship with insecure defaults and are rarely monitored or updated by their owners. Some of the most common IoT security weaknesses include:
Default or Weak Credentials: Many IoT products come with factory-set usernames/passwords (like “admin/admin”) that users never change. Attackers can easily guess or obtain these credentials – indeed, hardcoded and guessable passwords top the OWASP IoT vulnerabilities list. In one 2019 case, a hacker simply scanned the internet for devices on the Telnet protocol and used default logins to compile a list of over 515,000 vulnerable IoT devices (routers, cameras, etc.). This “bot list” of easily accessible devices was later leaked on a forum, illustrating how default credentials provide a quick doorway for attackers.
Unpatched Firmware and Software: IoT vendors often adopt a “ship-and-forget” approach, leaving devices running outdated firmware with known vulnerabilities. Unlike phones or PCs, IoT gadgets may not auto-update, and owners seldom apply patches. Over time, unpatched flaws accumulate. For example, a device bought in 2018 might still run the same firmware in 2025, complete with years of unpatched bugs. A UK government-backed assessment found outdated software everywhere in enterprise IoT, including one device with a 15-year-old bootloader. Such legacy code is a treasure trove of exploits for attackers. Worse, the majority of tested devices lacked secure boot protections, so an attacker with physical access could implant persistent malware at the firmware level.
Insecure Network Services: Many IoT devices run unnecessary services or old-school protocols (Telnet, HTTP, UPnP) with little to no security. These services often listen on open ports, sometimes exposed to the internet, offering attackers a direct line in. For example, an IoT camera or DVR might host a poorly secured web interface that is trivial to hijack. In the OWASP IoT Top 10, insecure network services rank right behind weak passwords as a critical risk. These flaws let attackers exploit devices remotely, either to steal data or co-opt the device for other attacks.
Poor Security Configuration: “Insecure by default” is unfortunately common in IoT. Manufacturers might disable security features to simplify setup, or fail to implement encryption and access controls. The result is devices that are plug-and-play on the open internet. Many enterprise IoT devices tested in 2023 had broadly similar issues, including a lack of segregation between processes and generally lax configurations. These design choices mean that if any vulnerability is found, attackers automatically get high-level access to the device, and possibly to the wider network it’s connected to.
In short, IoT devices often prioritise convenience over security. Default logins, old unpatched code, and open services make them low-hanging fruit for cybercriminals. Each vulnerable camera or sensor is a potential beachhead into a business’s infrastructure.
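The four weaknesses above (unchanged factory logins, stale firmware, missing secure boot, and Telnet/HTTP/UPnP left listening, especially on internet-exposed devices) are all things an asset inventory can surface before an attacker does. The script below is an added example, not code from the article or from any vendor; it assumes a constructed inventory schema in which each device record carries a firmware date, a flag for whether the default credentials were ever changed, a secure-boot flag, its listening ports and whether it is reachable from the internet. The thresholds, the severity weights and the sample devices are all assumptions made for the example.

```python
"""Audit a constructed IoT asset inventory for the weaknesses described above.

Assumed inventory schema (constructed for this example, not from the article):
each device is a dict with name, firmware_date (YYYY-MM-DD), default_creds
(True if the factory login has never been changed), secure_boot,
services (list of listening ports) and internet_exposed.
"""
from datetime import date

# Services the article lists as commonly left running with little security.
INSECURE_SERVICES = {23: "Telnet", 80: "HTTP", 1900: "UPnP"}

# Firmware older than this (in days) is flagged as likely unpatched (assumed threshold).
MAX_FIRMWARE_AGE_DAYS = 2 * 365

# Assumed severity weights used to rank devices.
SEVERITY = {"critical": 10, "high": 5, "medium": 2}

# Fixed reference date so the audit is reproducible (constructed).
AUDIT_DATE = date(2025, 6, 1)

# Constructed sample inventory.
SAMPLE_INVENTORY = [
    {"name": "warehouse-cam-01", "firmware_date": "2018-03-10", "default_creds": True,
     "secure_boot": False, "services": [23, 80], "internet_exposed": True},
    {"name": "hvac-sensor-12", "firmware_date": "2025-01-15", "default_creds": False,
     "secure_boot": True, "services": [443], "internet_exposed": False},
    {"name": "lobby-dvr", "firmware_date": "2021-06-01", "default_creds": False,
     "secure_boot": False, "services": [80, 1900], "internet_exposed": False},
]


def audit_device(device, today=None):
    """Return a list of (severity, message) findings for one device."""
    today = today or date.today()
    findings = []
    if device["default_creds"]:
        findings.append(("critical", "factory default credentials still in use"))
    age_days = (today - date.fromisoformat(device["firmware_date"])).days
    if age_days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(("high", f"firmware is {age_days // 365} years old; likely unpatched"))
    if not device["secure_boot"]:
        findings.append(("medium", "secure boot disabled; firmware-level implants would persist"))
    for port in device["services"]:
        if port in INSECURE_SERVICES:
            # An insecure service is far worse when the device faces the internet.
            sev = "critical" if device["internet_exposed"] else "high"
            exposure = ", exposed to the internet" if device["internet_exposed"] else ""
            findings.append((sev, f"{INSECURE_SERVICES[port]} (port {port}) listening{exposure}"))
    return findings


def risk_score(findings):
    """Sum the severity weights of a device's findings."""
    return sum(SEVERITY[sev] for sev, _ in findings)


def audit_inventory(inventory, today=None):
    """Return (name, score, findings) per device, highest risk first."""
    ranked = []
    for dev in inventory:
        findings = audit_device(dev, today)
        ranked.append((dev["name"], risk_score(findings), findings))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for name, score, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{name}: risk {score}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Run against the sample, the internet-exposed camera with default credentials and 2018 firmware ranks first; in practice the inventory would be fed from a discovery scan or CMDB, and the ranked output tells the team which devices to isolate, re-credential or replace first.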
Real-World Examples of IoT Exploitation
The exploitation of IoT devices by criminals is no longer opportunistic or experimental. It has become systematic, scalable, and increasingly strategic, with attackers deliberately targeting IoT ecosystems to achieve operational, financial, or intelligence objectives. Three exploitation patterns dominate the current threat landscape: large-scale botnet formation, credential harvesting for criminal resale, and targeted network intrusion via IoT footholds.
IoT Botnets and Distributed Denial-of-Service (DDoS) Operations
The Mirai botnet remains the most instructive example of how insecure IoT devices can be weaponised at scale. In 2016 it hijacked hundreds of thousands of IoT devices (such as IP cameras and DVRs) to launch record-shattering DDoS attacks against the DNS provider Dyn. Rather than exploiting sophisticated zero-day vulnerabilities, Mirai relied primarily on automated scanning and default credential abuse. Once infected, these devices were enrolled into a centrally controlled botnet capable of launching coordinated DDoS attacks.
The attack demonstrated the systemic risk posed by insecure IoT. By overwhelming a critical piece of internet infrastructure with traffic generated by compromised consumer devices, the attackers caused widespread service disruption across multiple high-profile platforms (such as Twitter, Netflix, and CNN) simultaneously. The significance of this incident lies not only in its scale, but in its asymmetric nature as low-value consumer devices were leveraged to disrupt high-value commercial services.
The attack peaked at 1.2 Tbps of traffic – twice the size of any prior attack – powered by an estimated 100,000+ hacked IoT endpoints. This demonstrated the disruptive power of insecure IoT. Mirai’s source code soon spawned many variants, and IoT botnets remain a staple of cybercrime to this day. In just the first quarter of 2025, the number of DDoS attacks worldwide jumped 110% year-on-year, driven largely by IoT botnets. One incident that year saw a botnet swell from 1.3 million to 5.8 million compromised IoT devices across a few months – a scale of attack made possible only by the vast, poorly secured IoT population. For businesses, this reinforces the reality that IoT insecurity can contribute to systemic internet instability, even if the organisation itself is not the primary target.
Credential Harvesting and the Commoditisation of IoT Access
Beyond direct attacks, insecure IoT devices are increasingly exploited as tradable assets within the cybercriminal ecosystem. Weak or default credentials allow attackers to gain persistent access to IoT devices, which can then be sold, leased, or bundled as part of broader criminal services.
A notable example emerged in 2019 when a hacker compiled a list of 515,000 IoT device credentials (Telnet logins for routers, cameras, etc.) by scanning the entire internet. Using factory-default and easily guessed passwords, the hacker accessed these devices and then posted the list online. Such lists – known as “bot lists” – are a hot commodity in the criminal underground, since they provide ready access to half a million devices ripe for malware infection.
This incident highlights how widespread IoT insecurity is: hundreds of thousands of devices openly accessible via Telnet, owing to nothing more than unchanged default passwords. It also shows the marketplace nature of IoT crime as hackers trade compromised device access like commodities. In fact, dark web forums today feature sellers offering hacked IoT devices for as little as $0.50 apiece, complete with the device’s IP address and a how-to guide for obtaining a remote shell. Buying a pre-hacked smart camera or router can let an attacker instantly backdoor a network and pivot to more valuable targets. This commoditisation of IoT exploits has lowered the skill barrier for building botnets or spy networks, since anyone with a few dollars can purchase an army of owned devices. For businesses, this means that insecure IoT devices can indirectly support criminal activity far beyond their immediate environment, increasing legal, ethical, and reputational exposure.
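The internet-wide Telnet sweep described above has a recognisable footprint from the defender's side: one external source trying the same few usernames against many devices in a short window, occasionally succeeding. The detector below is an added example, not code from the article; it assumes a constructed telnetd log format (not the output of any real daemon), uses source addresses from the RFC 5737 documentation ranges, and treats the ten-minute window and the three-device threshold as tunable assumptions.

```python
"""Flag sources that probe many devices over Telnet in a short window.

The log line format below is constructed for this example; adapt LINE_RE to
whatever your devices or SIEM actually emit. Addresses are RFC 5737 ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) telnetd: login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)

# Constructed sample log: one scanner sweeping three devices, one admin on a single device.
SAMPLE_LOGS = """\
2025-05-02T10:14:03Z cam-01 telnetd: login failed for user 'admin' from 203.0.113.7
2025-05-02T10:14:04Z cam-01 telnetd: login failed for user 'root' from 203.0.113.7
2025-05-02T10:14:09Z dvr-02 telnetd: login failed for user 'admin' from 203.0.113.7
2025-05-02T10:14:11Z dvr-02 telnetd: login succeeded for user 'admin' from 203.0.113.7
2025-05-02T10:15:40Z sensor-07 telnetd: login failed for user 'admin' from 203.0.113.7
2025-05-02T11:02:00Z cam-01 telnetd: login failed for user 'ops' from 198.51.100.20
2025-05-02T11:02:30Z cam-01 telnetd: login succeeded for user 'ops' from 198.51.100.20
"""


def parse(text):
    """Turn raw log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_scanners(events, window=timedelta(minutes=10), min_devices=3):
    """Return {src: summary} for sources that touch >= min_devices distinct
    devices within `window`. An administrator works on one device at a time;
    a credential sweep fans out across many."""
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Distinct devices contacted in the window starting at this event.
            devices = {e["device"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(devices) >= min_devices:
                # Any success from a scanning source means a device is now owned.
                compromised = sorted({e["device"] for e in evs if e["result"] == "succeeded"})
                alerts[src] = {"devices_probed": len(devices), "compromised": compromised}
                break
    return alerts


if __name__ == "__main__":
    for src, summary in find_scanners(parse(SAMPLE_LOGS)).items():
        print(f"{src}: probed {summary['devices_probed']} devices, "
              f"compromised {summary['compromised'] or 'none'}")
```

On the sample the scanner is reported with dvr-02 marked as compromised while the single-device administrator login is ignored. The alert is a prompt to quarantine the listed devices and rotate their credentials; the durable fix is the one the article implies, which is not exposing Telnet at all.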
This is an extract of the full blog post.