The security model of consumer IoT is fundamentally broken. Manufacturers ship devices with default credentials, ship firmware with known vulnerabilities, provide no reliable update mechanism, and design for easy setup — not security. The result is a global population of billions of always-on, always-connected devices that attackers can recruit into botnets within minutes of finding them.
How Devices Get Recruited
- Default credential scanning: attackers use masscan or zmap to find devices with Telnet/SSH exposed to the internet, then log in with factory-default username/password pairs.
- Exploit scanning: post-Mirai botnets use N-day CVEs — known vulnerabilities in specific firmware versions.
- Malware dropping: once in, a small binary is downloaded and the device is registered with a C2 server.
- Silent persistence: the device continues operating normally — the owner never knows.
Attack Capabilities of Modern IoT Botnets
- Multi-vector support: Mirai-descendants can run SYN, ACK, UDP, HTTP flood, and GRE tunneled attacks on command.
- Scale: hundreds of thousands of bots at 100 Mbps each add up to tens of terabits per second of attack traffic.
- Geographic distribution makes source-based blocking ineffective.
- Bot churn: the malware is typically memory-resident, so a reboot clears it, but the device is soon re-infected; the botnet's membership cycles continuously rather than shrinking.
What IoT Owners Can Do
- Change default credentials on every device immediately.
- Enable automatic firmware updates where supported.
- Put IoT devices on a separate VLAN with no direct internet access.
- If your router's admin panel is reachable from the WAN, disable remote administration.
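A defender-side check for the recruitment chain described above, added here as an example that is not part of the original article: it parses constructed iptables-style firewall log lines and flags (1) external sources probing Telnet/SSH across several internal hosts and (2) hosts on the isolated IoT VLAN opening outbound connections, which the VLAN rule above should never permit. The log format, the IoT VLAN range and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions: iptables/nftables-style LOG lines and an IoT VLAN on 192.168.50.0/24.
IOT_VLAN = ip_network("192.168.50.0/24")
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOGIN_PORTS = {22, 23, 2323}  # SSH, Telnet, and the alternate Telnet port Mirai probed
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")

# Constructed sample log (not a real capture): one scanner, one benign client,
# and one IoT device phoning out after compromise.
SAMPLE_LOG = """\
kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.50.10 PROTO=TCP SPT=41000 DPT=23
kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.50.11 PROTO=TCP SPT=41001 DPT=23
kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.50.12 PROTO=TCP SPT=41002 DPT=2323
kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.4 DST=192.168.50.10 PROTO=TCP SPT=5000 DPT=443
kernel: [FW-OUT] IN=eth1 OUT=eth0 SRC=192.168.50.12 DST=198.51.100.77 PROTO=TCP SPT=33000 DPT=6667
kernel: [FW-OUT] IN=eth1 OUT=eth0 SRC=192.168.50.12 DST=198.51.100.77 PROTO=TCP SPT=33001 DPT=80
"""

def parse(line):
    """Return (src, dst, dport) for a TCP log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return ip_address(m["src"]), ip_address(m["dst"]), int(m["dpt"])

def find_login_scanners(log, min_targets=3):
    """Sources that probed Telnet/SSH ports on at least min_targets distinct internal hosts."""
    targets = defaultdict(set)
    for src, dst, dport in filter(None, map(parse, log.splitlines())):
        if dport in LOGIN_PORTS and any(dst in n for n in LOCAL_NETS):
            targets[src].add(dst)
    return sorted(str(s) for s, t in targets.items() if len(t) >= min_targets)

def find_iot_egress(log):
    """IoT-VLAN hosts that opened connections to addresses outside the local networks."""
    egress = defaultdict(set)
    for src, dst, dport in filter(None, map(parse, log.splitlines())):
        if src in IOT_VLAN and not any(dst in n for n in LOCAL_NETS):
            egress[str(src)].add((str(dst), dport))
    return {s: sorted(d) for s, d in egress.items()}

if __name__ == "__main__":
    print("login scanners:", find_login_scanners(SAMPLE_LOG))
    print("IoT egress:", find_iot_egress(SAMPLE_LOG))
```

On the sample log the scanner 203.0.113.9 is reported after touching three hosts, and 192.168.50.12 shows up for its outbound IRC-port and HTTP connections, the kind of traffic a correctly isolated IoT VLAN would block and log.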