Securing the unseen: Why Internet of Things is your weakest link

With billions of connected devices, IoT is expanding attack surfaces. Poor security practices are turning everyday tools into high-risk vulnerabilities.

Voice&Data Bureau

By David Sehyeon Baek

The Internet of Things (IoT) has quietly become an integral part of daily life. From voice assistants and connected doorbells to industrial control systems and hospital monitoring equipment, these devices offer unprecedented convenience, efficiency, and insight.

Yet, as the world prepares to reach over 27 billion IoT devices by 2025, a growing unease shadows this digital transformation: the escalating risk of cyberattacks targeting poorly secured devices.

Attack Surfaces and Known Threats

The IoT ecosystem, by its very nature, expands the attack surface. Many of these devices are designed with limited memory, processing power, or even user interfaces—constraints that too often result in weak security protocols. Manufacturers, racing to meet demand and reduce costs, sometimes overlook foundational protections. It is also not uncommon for devices to ship with default passwords, such as ‘admin’ or ‘1234’, or operate with open network ports using outdated protocols like Telnet. These insecure settings create a welcome mat for attackers.

More disturbingly, vulnerabilities often go unpatched. Unlike laptops or smartphones that routinely notify users of updates, many IoT devices lack update mechanisms entirely or require complex manual intervention. Even when patching is possible, users may be unaware of the risks or unwilling to update devices they view as low-priority. The result is a sea of vulnerable endpoints, ripe for exploitation.

And exploit them hackers do. One of the largest IoT-specific attacks to date is the Mirai botnet, which began in 2016 and continues to cast a long shadow over cybersecurity. By exploiting weak default passwords in millions of devices—ranging from routers to security cameras—Mirai created massive botnets that launched some of the largest distributed denial-of-service (DDoS) attacks ever recorded.

In one instance, a Mirai-powered attack reached 1 Tbps against hosting provider OVH. Another crippled DNS provider Dyn, temporarily bringing down major services like Twitter (now X), Netflix, and Reddit. More than 150,000 devices were hijacked in a single wave, but the total number impacted across variants may have easily crossed millions. While Mirai’s source code was eventually published online, that only fueled the creation of more powerful and adaptive successors, many of which still search the Internet for unprotected devices.

Despite the passage of nearly a decade, no known IoT-specific incident in 2025 has matched Mirai in terms of real-time disruption or scale of device compromise. That said, this year did see an alarming development: a massive data breach exposing 2.7 billion records, reportedly linked to Russian military hackers. By compromising the Wi-Fi of a nearby organisation, they gained access to an IoT-enabled network in Washington, DC, exfiltrating vast volumes of data. Though this breach did not result in immediate service disruption, it illustrates how IoT vulnerabilities can serve as invisible entry points for espionage or sabotage.

These threats continue to evolve. IoT devices now face not just brute-force or malware attacks, but also more sophisticated methods like man-in-the-middle interception, firmware manipulation, and supply chain infiltration. The stakes are growing higher by the day. A compromised thermostat is an inconvenience. A hijacked infusion pump or traffic control system can be catastrophic.

Building Security into Design

The path forward begins with best practices. Changing default credentials, enabling multifactor authentication, segmenting networks, and ensuring regular firmware updates are essential. Developers must adopt secure coding principles and test devices for vulnerabilities before deployment to ensure security.

Security can no longer be treated as an afterthought—it must be embedded at the design phase. It must be architected, not added later. Government efforts are advancing this agenda. From the US’s IoT Cybersecurity Improvement Act to the EU’s Cyber Resilience Act and the UK’s Product Security and Telecommunications Infrastructure Act, regulators are building a foundation for device-level accountability.

Technology, Trust and the Road Ahead

Artificial Intelligence and Machine Learning are emerging as pivotal tools in the defence of IoT environments. With billions of devices generating terabytes of traffic, manual monitoring is no longer feasible. AI can detect anomalies in real time, flagging suspicious behaviour or shutting down compromised connections before harm spreads. Behavioural models can establish baselines for normal device activity and recognise even subtle deviations. Automation enables security at scale.

But this power comes with risk. Adversarial machine learning is a growing threat, where attackers feed manipulated data into AI systems to evade detection. Poorly trained models can produce false positives, miss actual threats, or become vectors for entirely new classes of attack. As defenders automate, so do adversaries—some malware strains now adapt in real-time, learning from each failed attempt.
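
The behavioural baseline and the manipulated-data risk described above can be seen side by side in a short added example (not code from the article or its author). It builds a per-device baseline from constructed traffic counts twice, once with mean and standard deviation and once with median and scaled MAD, after two inflated samples have been planted in the training window; the device names, counts and the 3.5 threshold are assumptions chosen for illustration.

```python
import statistics

# Constructed per-minute outbound connection counts for one camera.
# POISONED adds two inflated samples planted in the training window.
CLEAN = [4, 5, 5, 6, 4, 5, 6, 5, 4, 5]
POISONED = CLEAN + [900, 950]

# Constructed observations: normal traffic, a burst, and an unknown device.
OBSERVED = [("cam-01", 6), ("cam-01", 400), ("plug-07", 3)]

def mean_baseline(samples):
    """Naive baseline: mean and standard deviation (sensitive to outliers)."""
    return statistics.fmean(samples), max(statistics.pstdev(samples), 1e-9)

def robust_baseline(samples):
    """Median and scaled MAD; holds while under half the window is tainted."""
    med = statistics.median(samples)
    mad = statistics.median([abs(x - med) for x in samples])
    # 1.4826 makes MAD comparable to a standard deviation for normal data;
    # the floor avoids division by zero on a perfectly flat window.
    return med, max(1.4826 * mad, 1e-9)

def score(value, baseline):
    """Distance from the baseline centre, in units of its spread."""
    centre, spread = baseline
    return abs(value - centre) / spread

def flag(observations, baselines, threshold=3.5):
    """Return alerts for large deviations and for devices never profiled."""
    alerts = []
    for device, value in observations:
        base = baselines.get(device)
        if base is None:
            alerts.append((device, value, "no baseline"))
        elif score(value, base) > threshold:
            alerts.append((device, value, "deviation"))
    return alerts

def compare():
    """Alerts raised by each baseline type when trained on poisoned data."""
    naive = flag(OBSERVED, {"cam-01": mean_baseline(POISONED)})
    robust = flag(OBSERVED, {"cam-01": robust_baseline(POISONED)})
    return naive, robust

if __name__ == "__main__":
    for name, alerts in zip(("mean/stddev", "median/MAD"), compare()):
        print(name, alerts)
```

The two planted samples widen the mean-based baseline enough that the 400-connection burst goes unflagged, while the median-based baseline still reports it.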

This creates a technological arms race in which speed, intelligence, and adaptability are the defining factors of success. Relying solely on automation is not enough; human oversight, layered defences, and continuous updates remain vital. Security is a moving target.

Innovations like blockchain also offer new approaches. Distributed ledgers can authenticate devices and record activity in tamper-proof logs. Meanwhile, the rise of 5G and edge computing promises faster, more secure data exchange, allowing processing to occur closer to the source and reducing exposure. At the same time, cryptographic communities are preparing for quantum-era threats by developing post-quantum encryption standards.

No single technology will solve the problem. An effective IoT security solution requires a multifaceted approach—one that includes vigilance, regulation, innovation, and above all, a fundamental shift in mindset. Security can no longer be reactive. It must be anticipatory, proactive, and continuous.

As we approach an era of more than 40 billion connected devices by 2030, the challenges will deepen. Whether through disruptive events like Mirai or quieter breaches of mass data exposure, the lesson is the same: IoT security is not just about technology—it is about trust, resilience, and responsibility.

In this connected world, securing the Internet of Things is everyone’s responsibility. Governments must enforce regulations, manufacturers must build with care, enterprises must secure their networks, and users must stay informed. Only through shared effort and persistent innovation can we ensure that the digital future we are building is not only smart but also safe.

The author is the Founder and CEO of PygmalionGlobal. He collaborates with multiple cybersecurity companies, including NPCore Inc. in South Korea, and engages with government agencies and conglomerates across Asia.