The IoT Security Problem

The Internet of Things was sold as convenience: cameras you could check from your phone, routers that just worked, recorders that ran themselves. The security problem is the dark side of those same properties. The devices are cheap, so margins leave little room for security engineering. They are numerous, so they form a vast attack surface. They are long-lived and rarely updated, so flaws persist for years. And they are unattended, so no one notices when one is compromised. Worst of all, many shipped with well-known factory-default passwords that buyers never changed.

The consequences became undeniable in the autumn of 2016. The US-CERT (CISA) advisory TA16-288A, “Heightened DDoS Threat Posed by Mirai and Other Botnets,” documented a malware family that “continuously scans the internet for IoT devices” such as IP cameras, home routers, and digital video recorders, and infects those still using factory-default or hard-coded credentials. Once logged in, Mirai conscripted the device into a botnet, an army of compromised gadgets ready to flood any target on command, all without their owners’ knowledge.

The advisory described the firepower this produced. Mirai-powered attacks set records, including a roughly 620 Gbps assault on the security journalist Brian Krebs’s blog, and the same malware later overwhelmed the DNS provider Dyn, knocking Twitter, Reddit, Netflix, Spotify, and many other major sites offline across much of the United States (told in full in the entry on the Dyn DDoS attack). Earlier large attacks had been built from compromised servers and PCs; Mirai showed that the explosion of insecure consumer hardware had created a new and much larger reservoir of attack capacity, available to anyone who could log in.

What turned a vulnerability into a crisis was that the Mirai source code had been published publicly shortly before the Dyn attack. Releasing the code meant the technique was no longer the property of one actor; anyone could spin up their own botnet from the same playbook, scanning the same default-credential devices. The failure was systemic rather than the fault of any single vendor: an entire industry had shipped devices whose owners could not realistically secure them and whose makers did not have to.

The episode echoes a much older lesson. Decades earlier the Morris worm had spread by exploiting default and weak configurations on networked machines, and Mirai repeated the pattern at the scale of billions of consumer gadgets. The structural fixes are slow and unglamorous: forcing unique per-device credentials, requiring signed and automatic firmware updates, and pushing regulation that makes default passwords unlawful. The IoT security problem endures because the economic incentives that created it (cheap, fast, disposable, unmanaged) are still largely in place, and every insecure device sold today is a small piece of the next botnet.

Last verified June 8, 2026