The Internet's IoT Problem Is a Stack Problem
People often talk about insecure IoT devices as if one bug caused the whole mess.
That is too generous.
What repeatedly fails in the field is the entire management stack:
- legacy protocols that assumed trusted networks
- shared or default credentials
- weak update stories
- unrestricted network interfaces
- identical firmware deployed at massive scale
That combination is what turns a cheap device into an attack multiplier.
The Numbers Are No Longer Small
This is not a hypothetical risk model.
- In its Mirai alert, CISA noted that the 2016 attack on KrebsOnSecurity exceeded 620 Gbps, and highlighted reports that the Bashlite botnet may have had about one million enslaved IoT devices.
- In June 2025, the FBI warned that BADBOX 2.0 consists of millions of infected devices and exposes home networks through botnet and residential proxy activity.
- In October 2025, ENISA said DDoS accounted for 77% of reported incidents in the 2025 ENISA Threat Landscape.
That is the core macro-risk: insecure edge devices do not just get hacked individually. They get aggregated.
Why Certain Protocol Patterns Keep Failing
The problem is not that every old protocol is mathematically broken. The problem is that many of them were designed for private, operator-controlled environments, then later deployed on internet-exposed or poorly segmented networks.
| Protocol or pattern | Original assumption | Modern failure mode | Safer direction |
|---|---|---|---|
| Telnet / plaintext admin | Trusted operator LAN | Credential capture, brute-force, mass scanning | SSH, HTTPS, brokered remote access |
| SNMP v1 / v2c | Shared communities on managed networks | Unencrypted management traffic and easy reuse of credentials | SNMPv3 or scoped APIs with TLS |
| Legacy remote config interfaces | LAN-only or ISP-only access | Misexposure, weak auth, remote reconfiguration | Mutual auth, explicit authorization, closed management plane |
| Unsigned or weakly controlled app / update channels | Vendor controls the ecosystem | Backdoored devices at purchase or setup time | Verified updates and trusted software distribution |
The FBI's August 20, 2025 alert on Russian government cyber actors is especially blunt here: the bureau said those actors compromised networking devices globally, especially devices accepting legacy unencrypted protocols like SMI (Cisco Smart Install) and SNMP versions 1 and 2.
That is not a theoretical standards critique. That is an operational intrusion pattern.
NIST's Baseline Explains the Failure Mode Clearly
NIST IR 8259A is useful because it does not start with brand names or today's incident of the week. It starts with the device capabilities that should exist if a product is going to survive on a real network.
The NIST IoT device cybersecurity baseline calls out capabilities for:
- device identification
- device configuration
- data protection
- restricted access to interfaces
One line from that baseline is especially relevant to routers, gateways, and exposed appliances: limiting access to interfaces reduces the attack surface because unrestricted network access significantly increases the likelihood that the device will be compromised.
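To make the table's "modern failure mode" column and the NIST "restricted access to interfaces" capability concrete, here is an added example (not code from the page, from NIST, or from any vendor) that audits a device's management configuration for exactly those patterns: Telnet on the vty lines, vty lines with no source restriction, SNMP v1/v2c community strings, plaintext HTTP management, and Smart Install left enabled. The two configuration excerpts are constructed and use Cisco IOS-style syntax purely as an illustration; the check names, the "safer direction" strings, and the assumption that Smart Install is on unless `no vstack` appears are this example's own.

```python
"""
Audit one device's management configuration for the legacy protocol patterns
in the table above and for unrestricted management interfaces (the NIST
"restricted access to interfaces" capability).

The configuration excerpts below are CONSTRUCTED for this example and use
Cisco IOS-style syntax purely as an illustration; they are not from any real
device.  The check names and "safer direction" strings are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str             # short identifier for the failing control
    evidence: str          # config line(s) that triggered it
    safer_direction: str   # what the configuration should move toward


# Constructed: a branch gateway still carrying the legacy stack.
LEGACY_CONFIG = """\
hostname branch-gw-01
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed: the same device after hardening.
HARDENED_CONFIG = """\
hostname branch-gw-01
no ip http server
ip http secure-server
snmp-server group ops v3 priv
snmp-server user monitor ops v3 auth sha AUTHPASS priv aes 128 PRIVPASS
no vstack
access-list 10 permit 10.0.99.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""


def vty_sections(config: str) -> dict[str, list[str]]:
    """Return the indented body of every 'line vty ...' block, keyed by its header."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def audit_config(config: str) -> list[Finding]:
    lines = [line.strip() for line in config.splitlines()]
    findings: list[Finding] = []

    # 1. Plaintext admin: Telnet accepted on a vty line, or no access-class
    #    restricting which sources may reach the vty lines at all.
    for header, body in vty_sections(config).items():
        for entry in body:
            if entry.startswith("transport input") and "telnet" in entry.split():
                findings.append(Finding("telnet-enabled", f"{header}: {entry}",
                                        "transport input ssh"))
        if not any(entry.startswith("access-class") for entry in body):
            findings.append(Finding("vty-unrestricted", f"{header}: no access-class",
                                    "access-class <mgmt-acl> in"))

    # 2. SNMP v1/v2c: every 'snmp-server community' line is a v1/v2c community
    #    string sent in the clear; v3 users/groups are configured differently.
    for line in lines:
        if re.match(r"snmp-server community \S+", line):
            findings.append(Finding("snmp-v1v2c-community", line,
                                    "snmp-server group/user ... v3 priv"))

    # 3. Management over plaintext HTTP with no HTTPS listener configured.
    if "ip http server" in lines and "ip http secure-server" not in lines:
        findings.append(Finding("http-plaintext-mgmt", "ip http server",
                                "no ip http server / ip http secure-server"))

    # 4. Smart Install (SMI): this example ASSUMES the listener is on unless the
    #    config explicitly contains 'no vstack', the command that disables it.
    if "no vstack" not in lines:
        findings.append(Finding("smart-install-not-disabled", "no 'no vstack' line",
                                "no vstack"))
    return findings


def summarize(config: str) -> dict[str, int]:
    """Count findings per check, e.g. as input to a fleet-wide roll-up."""
    counts: dict[str, int] = {}
    for f in audit_config(config):
        counts[f.check] = counts.get(f.check, 0) + 1
    return counts


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print(f"  {f.check:28} {f.evidence:45} -> {f.safer_direction}")
```

Run against the legacy excerpt it reports six findings (Telnet, an unrestricted vty, two community strings, plaintext HTTP, Smart Install not disabled); against the hardened excerpt it reports none. The point of structuring the checks as data rather than a pass/fail is that each finding carries the direction the table already names, so the output doubles as the remediation list.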
That is the whole story in one sentence.
Mirai, BADBOX, and Router Abuse Follow the Same Pattern
Even when the malware families differ, the abuse chain often looks similar:
- A device ships with weak defaults or a compromised supply path
- It exposes an interface that should have been tightly restricted
- Attackers automate discovery at scale
- The device becomes part of a botnet, proxy network, or reconnaissance platform
Mirai turned insecure IoT into DDoS infrastructure.
BADBOX 2.0 turned compromised consumer devices into botnet and residential proxy infrastructure.
Recent FBI and CISA guidance on router hardening keeps coming back to the same practical advice:
- disable legacy unencrypted protocols
- patch internet-facing systems quickly
- restrict management interfaces
- stop shipping devices with weak trust assumptions
That repetition is the signal. The industry already knows what breaks.
Why Cheap IoT Risk Becomes Global Net Risk
There are four reasons insecure device stacks scale into global problems:
1. Homogeneity
Millions of devices run nearly identical firmware. One exploit path can fan out very quickly.
2. Persistence
Many devices sit unpatched for years, especially in homes, branch offices, and low-touch embedded deployments.
3. Good network position
Routers, gateways, cameras, and smart appliances live at useful points in the network. Once compromised, they can proxy, scan, observe, or disrupt.
4. User invisibility
Owners often do not notice the compromise at all. The device still "works," while the attacker monetizes the connection in the background.
That last point is what makes residential proxy abuse so dangerous. The victim is not merely a victim; they are unknowingly turned into infrastructure.
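The "user invisibility" point has a network-side signature even when the device itself gives nothing away: a camera or gateway that normally talks to a couple of vendor endpoints and then starts reaching many unrelated external hosts is behaving like a proxy or scanner. Here is an added example (not from the page or any of the cited agencies) of that detection over flow records, comparing each internal source's distinct-external-destination count against its own earlier baseline. The flow records, device addresses, thresholds and field names are all constructed for the example; the internal ranges are listed explicitly so that the documentation address ranges used in the sample count as external.

```python
"""
Detect the "device quietly turned into infrastructure" pattern from flow
records: an internal device whose distinct external destinations jump far
above its own baseline.  The flow records below are CONSTRUCTED for this
example; field names and thresholds are this example's own assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Internal ranges listed explicitly (RFC 1918) so the documentation ranges used
# in the sample data are treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int          # unix seconds
    src: str         # internal source address
    dst: str         # destination address
    dport: int
    bytes_out: int


DAY = 86_400
DAY1 = 1_700_000_000          # baseline window start (constructed)
DAY2 = DAY1 + DAY             # detection window start
CAMERA = "192.168.1.20"       # constructed IoT device
LAPTOP = "192.168.1.10"       # constructed general-purpose host


def build_sample_flows() -> list[Flow]:
    """Constructed traffic: the camera checks in with two vendor hosts on day 1
    and fans out to 40 unrelated hosts on day 2; the laptop is busy both days."""
    flows: list[Flow] = []
    for i in range(24):   # baseline: hourly check-ins to two cloud endpoints
        flows.append(Flow(DAY1 + i * 3600, CAMERA, "198.51.100.10", 443, 4_000))
        flows.append(Flow(DAY1 + i * 3600, CAMERA, "198.51.100.11", 443, 900))
    for i in range(40):   # detection window: 40 distinct unrelated hosts
        flows.append(Flow(DAY2 + i * 600, CAMERA, f"192.0.2.{i + 1}",
                          443 if i % 2 else 80, 1_500))
    flows.append(Flow(DAY2 + 50, CAMERA, "192.168.1.1", 53, 120))   # LAN, ignored
    for day, n in ((DAY1, 30), (DAY2, 35)):   # high but stable fan-out
        for i in range(n):
            flows.append(Flow(day + i * 1200, LAPTOP, f"203.0.113.{i + 1}", 443, 20_000))
    return flows


SAMPLE_FLOWS = build_sample_flows()


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def fanout(flows: list[Flow], start: int, end: int) -> dict[str, set[str]]:
    """Distinct external destinations per internal source, for start <= ts < end."""
    dests: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if start <= f.ts < end and is_external(f.dst):
            dests[f.src].add(f.dst)
    return dict(dests)


def detect_fanout_anomalies(flows: list[Flow], baseline: tuple[int, int],
                            window: tuple[int, int], min_destinations: int = 20,
                            ratio: float = 5.0) -> list[tuple[str, int, int]]:
    """Return (src, baseline_count, current_count) for sources whose distinct
    destination count is large in absolute terms AND far above their own baseline.
    The self-baseline keeps a legitimately busy host (the laptop) from alerting."""
    base = fanout(flows, *baseline)
    current = fanout(flows, *window)
    alerts = []
    for src, dsts in current.items():
        n_base = len(base.get(src, set()))
        if len(dsts) >= min_destinations and len(dsts) >= ratio * max(n_base, 1):
            alerts.append((src, n_base, len(dsts)))
    return sorted(alerts)


if __name__ == "__main__":
    for src, before, after in detect_fanout_anomalies(SAMPLE_FLOWS, (DAY1, DAY2),
                                                      (DAY2, DAY2 + DAY)):
        print(f"ALERT {src}: {before} distinct external hosts in baseline -> {after} now")
```

Only the camera alerts: it goes from 2 distinct external hosts to 40, while the laptop moves from 30 to 35 and stays under the ratio. Per-device baselining is what makes this usable on a home or branch network, where a fixed threshold would either miss the camera or drown in alerts from ordinary endpoints.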
The Defensive Move Is Not "Better Monitoring" Alone
Monitoring helps, but it is not the foundation.
The deeper fix is to stop shipping IoT products with the exact properties attackers automate against:
- no unique identity
- weak interface restrictions
- unencrypted management
- weak update integrity
- shared secrets across fleets
If a vendor cannot meet that bar, the product may still function as a gadget, but it is not fit to operate safely as a long-lived internet-connected node.
What Network Operators Should Do Right Now
If you run fleets of routers, gateways, or embedded Linux devices, this is the short list:
- Turn off Telnet, SNMP v1, and SNMP v2c anywhere they are still exposed
- Move management behind authenticated overlays or mutually authenticated HTTPS / SSH
- Audit default credentials and shared secrets
- Patch internet-facing systems first
- Treat cheap unmanaged IoT as a supply-chain risk, not just an asset inventory line item
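The checklist above and the list of properties attackers automate against (no unique identity, shared secrets, unencrypted and exposed management, weak update integrity) are all fleet-level questions: a default community string on one device is a finding, the same string on a thousand devices is an attack multiplier. The following added example (not code from the page or from any agency) runs that fleet audit over a constructed inventory, grouping reused secrets, measuring firmware homogeneity, and ranking devices by how many of those properties they exhibit. The record fields, thresholds and every value in the inventory are this example's own assumptions; the "hash" strings are placeholder labels, not real hashes.

```python
"""
Fleet-level audit for the properties the checklist above targets: shared
secrets across devices, default community strings, management exposed on the
WAN side, unsigned updates, stale patching, and firmware homogeneity (one
exploit path fanning out across a cohort).  The inventory below is CONSTRUCTED
for this example; the record fields are hypothetical and would normally come
from an asset inventory or configuration-management export.
"""
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_COMMUNITIES = {"public", "private"}
PATCH_AGE_LIMIT_DAYS = 365      # example threshold
COHORT_SHARE_ALERT = 0.5        # example threshold: half the fleet on one image


@dataclass(frozen=True)
class Device:
    id: str
    model: str
    firmware: str
    snmp_community: Optional[str]   # None: no v1/v2c community configured
    admin_pw_hash: str              # constructed placeholder label, not a real hash
    mgmt_on_wan: bool               # management interface reachable from the WAN side
    signed_updates: bool            # device verifies update signatures before install
    days_since_patch: int


@dataclass
class DeviceRisk:
    id: str
    score: int = 0
    findings: list[str] = field(default_factory=list)


# Constructed inventory: gateways and cameras in mixed states of hygiene.
INVENTORY = [
    Device("gw-0001", "X1", "1.4.2", "public", "pwhash-A", True, False, 900),
    Device("gw-0002", "X1", "1.4.2", "public", "pwhash-A", True, False, 900),
    Device("gw-0003", "X1", "1.4.2", "public", "pwhash-A", False, False, 700),
    Device("gw-0004", "X1", "1.4.2", "ops-ro-7f31", "pwhash-B", False, True, 600),
    Device("gw-0005", "X1", "1.5.0", "ops-ro-2b90", "pwhash-C", False, True, 12),
    Device("gw-0006", "Y2", "3.0.1", None, "pwhash-D", False, True, 30),
    Device("cam-0101", "C9", "0.9.8", "private", "pwhash-A", True, False, 1200),
    Device("cam-0102", "C9", "0.9.8", "private", "pwhash-E", False, False, 1200),
]


def shared_secrets(inventory: list[Device],
                   fields: tuple[str, ...] = ("snmp_community", "admin_pw_hash")
                   ) -> dict[str, dict[str, list[str]]]:
    """Return {field: {value: [device ids]}} for every value reused by >= 2 devices."""
    groups: dict[str, dict[str, list[str]]] = {f: defaultdict(list) for f in fields}
    for d in inventory:
        for f in fields:
            value = getattr(d, f)
            if value is not None:
                groups[f][value].append(d.id)
    return {f: {v: ids for v, ids in g.items() if len(ids) >= 2} for f, g in groups.items()}


def firmware_cohorts(inventory: list[Device]) -> dict:
    """Size and share of the largest (model, firmware) cohort: the blast radius of
    one exploit path against identical firmware."""
    counts = Counter((d.model, d.firmware) for d in inventory)
    (cohort, n), = counts.most_common(1)
    share = n / len(inventory)
    return {"largest_cohort": cohort, "cohort_size": n, "cohort_share": share,
            "alert": share >= COHORT_SHARE_ALERT}


def risk_ranking(inventory: list[Device]) -> list[DeviceRisk]:
    """One finding per property from the checklist; score is the finding count,
    sorted worst first so the top of the list is the patch/rotate order."""
    shared = shared_secrets(inventory)
    ranking = []
    for d in inventory:
        r = DeviceRisk(d.id)
        if d.snmp_community in DEFAULT_COMMUNITIES:
            r.findings.append("default-snmp-community")
        for f, groups in shared.items():
            if getattr(d, f) in groups:
                r.findings.append(f"shared-secret:{f}")
        if d.mgmt_on_wan:
            r.findings.append("mgmt-exposed-on-wan")
        if not d.signed_updates:
            r.findings.append("unsigned-updates")
        if d.days_since_patch > PATCH_AGE_LIMIT_DAYS:
            r.findings.append(f"unpatched-{d.days_since_patch}d")
        r.score = len(r.findings)
        ranking.append(r)
    return sorted(ranking, key=lambda r: (-r.score, r.id))


if __name__ == "__main__":
    print("cohorts:", firmware_cohorts(INVENTORY))
    for f, groups in shared_secrets(INVENTORY).items():
        for value, ids in groups.items():
            print(f"shared {f}={value!r} on {len(ids)} devices: {', '.join(ids)}")
    for r in risk_ranking(INVENTORY):
        print(f"{r.id:9} score={r.score} {', '.join(r.findings)}")
```

On the constructed inventory, half the fleet runs one firmware image, the same admin credential label appears on four devices across two product lines, and the three worst devices combine default community strings, shared secrets, WAN-exposed management, unsigned updates and multi-year patch gaps. That is the shape of the supply-chain view the last checklist item asks for: the ranking is driven by fleet-wide reuse, not by any single device's settings.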
That last point is increasingly important. BADBOX 2.0 showed that compromise can exist before or during setup, not only after a public exploit lands.
Sources and White Papers
- CISA - Heightened DDoS Threat Posed by Mirai and Other Botnets
- FBI - Home Internet Connected Devices Facilitate Criminal Activity (BADBOX 2.0)
- FBI - Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure
- CISA advisory snippet on disabling Telnet and SNMP v1 / v2c
- NIST IR 8259A - IoT Device Cybersecurity Capability Core Baseline
- ENISA Threat Landscape 2025 press release