Why are IoT devices so insecure and how are they being exploited

Is it because of compromised firmware uploaded to the device? How would someone outside my network even know that the device is connected to attack it? Wouldn’t they have to already break into my network to exploit it? Just looking for some clarity on this. Thanks.

Everyone thinks the S in IOT stands for ‘secure’, right

Fraser said:
Everyone thinks the S in IOT stands for ‘secure’, right

and the P is for privacy

There are different answers here. First off:

Wouldn’t they have to breach your network to exploit it?

Many of these cheap devices rely on open ports to function. Home security devices often expect management access from outside your home.

@Zimri
That’s not true.

Most devices connect to a vendor-operated service, bypassing the need to adjust your home firewall.

But that means those big vendors become attractive targets.

Broderick said:
@Zimri
That’s not true.

Most devices connect to a vendor-operated service, bypassing the need to adjust your home firewall.

But that means those big vendors become attractive targets.

It really depends on the system. For something like a cloud camera? Only outward connections. The NVRs businesses use for security cameras? They need inbound ports open.

Even worse, if attackers get inside the perimeter and reach an IoT device, it can be hard to remove them. Security really might not catch them, and they usually don’t bother the device’s function. We realized we had one on a network only because it was bombarding our firewall with blocked connection attempts.

@Harlow
If you’re allowing UPnP through your business firewall, you have larger issues.

Broderick said:
@Harlow
If you’re allowing UPnP through your business firewall, you have larger issues.

That’s true, but I’ve seen plenty of port forwarding settings for DVRs with default passwords, single cameras, and door control systems everywhere.

@Harlow
Yikes, I’m learning IT at community college, and I wonder why so many businesses stick with default and insecure settings. Lack of skilled people to set things up correctly?

It comes down to familiar issues:

  • Poorly coded devices using many unchecked dependencies and basic default passwords. It seems many are following the same flawed approaches.

  • Not updated regularly, so even if they were secure at launch, after 6 years of neglect from whoever plugged them in, they won’t be.

  • They might be visible on the public internet, either by design or by a UPnP mistake.

/r/controllablewebcams/

And wouldn’t they have to breach your network already to exploit it?

Sort of, but initially, getting in is often easy. It can be done with a phishing email, for instance. The key is finding a foothold to install a backdoor, and IoT devices can often be treated as waiting vulnerabilities.

Is it compromised firmware being uploaded to the device?

It’s many things, including firmware exploits, default passwords, and open Telnet and HTTP ports.

How would someone from outside your network even know the device is there?

It’s generally not just one person—often it’s many already hacked devices scanning and attacking. For example:

Mirai scanned for open Telnet ports, sending TCP SYN requests to random IPv4 addresses. Once it found open Telnet ports, it tried to infect those devices by brute-forcing login credentials.

You could also check out Mozi for a modern threat example.
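One way to turn Harlow's observation above (a compromised device bombarding the firewall with blocked connection attempts) and the Mirai Telnet-scanning behaviour just described into a detection, as an added example that is not from any poster in this thread: parse iptables-style DROP log lines from the gateway and flag internal hosts whose blocked outbound SYNs fan out to many distinct addresses on Telnet ports 23/2323. The log format, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed iptables-style DROP log lines (not from any real system).
# Host 192.168.1.37 sprays SYNs at many external addresses on 23/2323,
# which is the Mirai-style scanning pattern; 192.168.1.12 is ordinary noise.
SAMPLE_LOG = """\
Mar 12 03:14:01 gw kernel: DROP IN=lan OUT=wan SRC=192.168.1.37 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=23 SYN
Mar 12 03:14:01 gw kernel: DROP IN=lan OUT=wan SRC=192.168.1.37 DST=198.51.100.9 PROTO=TCP SPT=51001 DPT=23 SYN
Mar 12 03:14:02 gw kernel: DROP IN=lan OUT=wan SRC=192.168.1.37 DST=203.0.113.77 PROTO=TCP SPT=51002 DPT=2323 SYN
Mar 12 03:14:02 gw kernel: DROP IN=lan OUT=wan SRC=192.168.1.37 DST=198.51.100.120 PROTO=TCP SPT=51003 DPT=23 SYN
Mar 12 03:14:03 gw kernel: DROP IN=lan OUT=wan SRC=192.168.1.37 DST=203.0.113.200 PROTO=TCP SPT=51004 DPT=23 SYN
Mar 12 03:14:03 gw kernel: DROP IN=lan OUT=wan SRC=192.168.1.12 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=443 SYN
Mar 12 03:14:04 gw kernel: DROP IN=lan OUT=wan SRC=192.168.1.12 DST=198.51.100.9 PROTO=TCP SPT=40002 DPT=443 SYN
"""

# Only blocked outbound TCP SYNs matter here: LAN host -> WAN destination.
LINE_RE = re.compile(
    r"DROP IN=lan OUT=wan SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) SYN"
)

TELNET_PORTS = {23, 2323}  # classic Telnet and the alternate port Mirai also probed


def suspicious_scanners(log_text, min_targets=3):
    """Return {src: sorted distinct destinations} for internal hosts whose blocked
    outbound SYNs to Telnet ports reached at least min_targets distinct addresses.
    Fan-out to many destinations, not volume alone, is what separates a scanner
    from a device retrying one legitimate cloud endpoint."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) not in TELNET_PORTS:
            continue
        targets[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in suspicious_scanners(SAMPLE_LOG).items():
        print(f"{src}: blocked Telnet SYNs to {len(dsts)} distinct hosts, e.g. {dsts[:3]}")
```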

And wouldn’t they have to breach your network first?

Not necessarily; they just need access to the device. They might hit it from outside and discover open ports, or your machine might get infected and then infect other local devices.

@Emery

Not necessarily; they just need access to the device. They can hit it from the outside and find ports, or your machine could get infected and in turn infect local devices.

Plus, if UPnP is on by default, and IoT developers are careless with how they set things up, there’s a chance they’ve opened gateways like that too. Users often end up with unpatched devices that invite connections.

@Emery
All I’m seeing is we should remove TCP and switch to using UDP.

Imagine how much faster everything would be!

Bran said:
@Emery
All I’m seeing is we should remove TCP and switch to using UDP.

Imagine how much faster everything would be!

I replied to this, but it seems like it didn’t go through.

@Kiernan
I’d share a UDP joke, but you might miss it.

Wilder said:
@Kiernan
I’d share a UDP joke, but you might miss it.

LOL

Here’s a helpful summary

Adding to those points, it seems every IoT device wants to communicate back home nowadays, and many developers behind these services seem to think ‘security’ is just a word their boss uses when their internship ends. One major slip-up like SolarWinds can let an attacker control all the vendor’s devices at once.

@Emil

it appears that every IoT device wants to call home.

This widespread issue is due to two primary factors:

  1. Most user networks allow unlimited outbound data but restrict inbound without specific settings, or if using UPnP, NAT-PMP, or PCP to automatically open up for inbound traffic.
  2. Control over the tech that ‘phones home’ lets vendors enforce registrations, tweak user experiences, and create revenue opportunities through IoT services instead of just selling a one-time product.

Even if vendors want to avoid this, it’s usually more complex and less maintainable than simply relying on basic outbound connections with a service, particularly one that is mobile-app driven for easy monetization.

“I’ll just open a port with UPnP and oh no, I’ve been hacked because I’m running outdated software.”