The Internet of Threats: Securing Our Smart Devices
- Berzin Daruwala

- Jul 23

Intro to IoT
Over 50% of Internet of Things (IoT) devices have critical vulnerabilities that hackers can exploit right now. Even more alarming, one in five IoT devices still uses default passwords, making them absurdly easy to breach.
That’s like installing a high-tech security system and leaving the key under the doormat.
IoT has quietly become the nervous system of modern life. From our homes to hospitals, factories to traffic lights, billions of devices are communicating with each other for efficiency, convenience and data-driven decisions.
But beneath the seamless automation lies a growing and often overlooked concern.
Security.
As the IoT market expands at an astonishing pace, many devices are being produced with minimal protection, creating millions of potential entry points for cybercriminals. The very connections that make IoT useful also make it vulnerable.
A common and avoidable vulnerability in many IoT devices is the use of weak or default login credentials. Devices are often shipped with generic usernames and passwords such as admin/admin or user/1234, and users may not be prompted or know to change them.
This presents a clear risk:
- Automated scanning tools can identify devices still using factory settings, making them easy targets for unauthorised access.
- Botnets have exploited default credentials to control thousands of IoT devices and launch Distributed Denial-of-Service (DDoS) attacks.
- Limited user awareness means many individuals are unaware that default credentials need to be changed as soon as the device is set up.
According to a 2020 report by Palo Alto Networks (https://start.paloaltonetworks.com/unit-42-iot-threat-report), almost all (98%) of IoT device traffic is unencrypted, and many devices run outdated operating systems. They further state that 57% of devices are vulnerable to medium- or high-severity attacks. When combined with weak credentials, this significantly increases the potential for exploitation.
To mitigate this risk:
- Change passwords straight away: Nowadays, router credentials should all be randomised on purchase, but this may not be the case for all models. Check this when you purchase and check again once the device has been bought.
- Keep devices updated: Check regularly for updates and install them. Turn on automatic updates if available.
- Secure your Wi-Fi: Use a strong password for your home Wi-Fi and don’t share it widely.
- Use a guest network: Put your smart devices on a separate Wi-Fi network from your phone or laptop.
- Turn off what you don’t use: Features like Bluetooth or remote access should be disabled if not needed.
- Watch what’s connected: You can use apps like “Fing” to scan and see what devices are on your network.

Bonus Tip: For users in the UK purchasing devices online or buying second-hand devices, ensure the devices are compliant with the Product Security and Telecommunications Infrastructure Act (PSTI). This legislation sets mandatory cybersecurity requirements for all smart devices sold in the UK.
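For the "Watch what's connected" step, here is an added example that is not part of the original article: a Python script that compares a Linux host's `ip neigh` output with an inventory you keep of your own devices. The sample output, the MAC addresses (taken from the range reserved for documentation) and the device labels are all constructed for illustration.

```python
# Constructed sample of `ip neigh` output; MACs are from the documentation range.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 00:00:5e:00:53:01 REACHABLE
192.168.1.23 dev wlan0 lladdr 00:00:5e:00:53:02 STALE
192.168.1.40 dev wlan0 lladdr 00:00:5E:00:53:AA REACHABLE
192.168.1.57 dev wlan0  FAILED
192.168.1.77 dev wlan0 lladdr d2:11:22:33:44:55 DELAY
"""

# Constructed inventory of devices you own: MAC address -> label.
KNOWN_DEVICES = {
    "00:00:5e:00:53:01": "router",
    "00:00:5e:00:53:02": "thermostat",
    "00:00:5e:00:53:03": "camera",
}


def parse_neighbours(text):
    """Return {mac: ip} for entries that resolved to a hardware address."""
    seen = {}
    for line in text.splitlines():
        tokens = line.split()
        if "lladdr" not in tokens:
            continue  # FAILED/INCOMPLETE entries carry no MAC address
        mac = tokens[tokens.index("lladdr") + 1].lower()
        seen[mac] = tokens[0]
    return seen


def is_randomised(mac):
    """True if the locally administered bit is set, as with a private Wi-Fi address."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def audit(neigh_text, known):
    """Compare what the host has seen against the inventory."""
    seen = parse_neighbours(neigh_text)
    unknown = [(ip, mac, is_randomised(mac))
               for mac, ip in sorted(seen.items()) if mac not in known]
    not_seen = sorted(label for mac, label in known.items() if mac not in seen)
    return {"unknown": unknown, "not_seen": not_seen}


if __name__ == "__main__":
    report = audit(SAMPLE_IP_NEIGH, KNOWN_DEVICES)
    for ip, mac, randomised in report["unknown"]:
        note = " (randomised MAC, likely a phone or laptop)" if randomised else ""
        print(f"unknown device: {ip} {mac}{note}")
    for label in report["not_seen"]:
        print(f"inventory device not seen: {label}")
```

The neighbour table only lists devices this host has recently exchanged traffic with, so an inventory device reported as not seen may simply be idle.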
Ghost in the Walls: How Hackers Digitally Entered a Home
In another, more chilling case, NBC Chicago (https://www.nbcchicago.com/news/national-international/my-blood-ran-cold-as-smart-cameras-thermostat-hacked-homeowner-says/6523/) reported that a Lake Barrington homeowner hadn’t had a restful night’s sleep in 10 days after he said his Nest home security cameras and thermostats were accessed by malicious hackers. Arjun Sud reported that he heard a strange noise coming from his 7-month-old son’s room.
“Right as I approached the baby’s room, I heard a deep voice talking to him,”
Sud’s wife also realised that the thermostat had been turned up to a dangerous 90°F (32.2°C). Sud immediately brought his distressed son downstairs, where another camera activated and someone started cursing at them.
Google, the owner of Nest, also reported that their systems were not breached. NBC reported that many customers have used compromised passwords, and went on to reveal that Sud did not use MFA as he didn’t realise that it was an option.
To prevent breaches like this, users should:
- Enable MFA controls.
- Use unique passwords for different tools.
- If the device manual isn’t clear, look up a quick how-to video online or check forums like Reddit to see other users’ tips and experiences with the products.
Some IoT devices support automatic remote access toggling so your device knows when you’re home or away. When you leave the house, it can switch on remote access. This lets you control things like cameras or thermostats from afar. When you return, it shuts remote access off. This technology uses your mobile phone to detect your proximity to your IoT devices or hub.
Final thoughts
IoT devices with weak passwords, outdated software, and open access points are in homes, offices, and even public infrastructure.
What makes this especially concerning is that the problems are well known. The risks have been demonstrated, and real incidents continue to happen. But despite this, many devices remain vulnerable.
Basic steps like using strong, unique passwords, enabling two-factor authentication, keeping software up to date, and checking which devices are connected can significantly reduce risk.
At Data Privacy Simplified, we help organisations strengthen their data security, navigate regulatory requirements, and implement effective protection measures. For more information on how we can help improve your organisation’s data and cyber security posture, visit our website - Data Privacy Simplified | Data Protection - and feel free to drop us an email at enquiries@dataprivacysimplified.co.uk. Let’s work together.




