Every 105 seconds, threat actors launch roughly 1,000 automated attacks against internet-connected devices. In 2025, that cadence averaged 820,000 malicious IoT hacking attempts per day, a 46% jump from the year before, and early 2026 data shows no deceleration. This report documents the current state of IoT security through verified statistics: attack volumes, targeted devices, vulnerable industries, and the geographic distribution of threat activity. The numbers are drawn from Zscaler ThreatLabz, Forescout, and Nozomi Networks telemetry, covering the period through early 2026.
What Is IoT Hacking?
IoT hacking is the unauthorized access, manipulation, or exploitation of internet-connected devices: any physical object embedded with sensors, software, or network connectivity that exchanges data with other devices or systems. This includes home routers, IP cameras, smart TVs, industrial sensors, medical equipment, and building control systems. When attackers compromise these devices, they can use them to spy on networks, launch large-scale cyberattacks, steal credentials, disrupt physical operations, or hold critical infrastructure to ransom.
Unlike traditional computer hacking, IoT hacking typically exploits devices that have no screen, no user interface, and no security monitoring, meaning compromises go undetected for months while the attacker uses the device as a persistent foothold inside an organization’s network.
What risk is posed by Internet of Things devices?
IoT devices pose four primary security risks. First, most ship with factory-default credentials that are publicly known and rarely changed, giving attackers an open login path. Second, the majority run embedded firmware that receives no automatic updates, leaving known vulnerabilities exploitable indefinitely. Third, approximately 98% of IoT device traffic is transmitted unencrypted, exposing credentials and commands to interception. Fourth, IoT devices are typically deployed without active security monitoring, meaning a compromised device can operate as an attacker asset, routing traffic, harvesting credentials, or participating in botnet attacks, while appearing to function normally. Together, these four conditions make IoT devices among the most reliably exploitable assets in any network environment.
Why is IoT cybersecurity important?
IoT cybersecurity is important because compromised connected devices are not just a data risk; they pose operational and physical risks. A hacked industrial sensor can halt a production line. A compromised medical device can delay patient care. A hijacked router gives an attacker visibility into every unencrypted session on the network. In 2025, IoT-related breaches averaged $10 million in damages per incident in healthcare alone, and the energy sector saw a 459% increase in IoT-targeted attacks. As the global IoT device count approaches 40 billion by 2030, the attack surface will continue to expand faster than the security investment required to defend it.

Key Numbers (2026 Outlook)
820,000+ IoT Attacks Per Day: In 2025, threat actors launched an average of 820,000 malicious IoT hacking attempts every single day, a 46% year-over-year increase. Global threat telemetry also recorded a 16.7% increase in active scanning activity, indicating that attackers’ bots are probing more aggressively for open ports, default credentials, and unpatched firmware. Early 2026 indicators suggest this volume is not plateauing.
124% Surge in IoT Malware: IoT malware incidents spiked 124% year-over-year in 2025; the pool of devices recruited into botnets and malware campaigns more than doubled in a single year. The primary driver is the explosive growth of Mirai-family variants, which alone accounted for approximately 40% of observed IoT malware payloads. 2026 is on track to extend that trajectory.
75% of IoT Attacks Target Routers: Routers remain the most compromised device category, accounting for over 75% of all observed IoT cyberattacks. Attackers target them via command injection flaws and buffer overflow vulnerabilities in unpatched firmware; older Netgear models in particular remain active exploit targets, with CVEs dating back to 2016 still being weaponized in the wild.
40% of IoT Malware Hits Manufacturing and Transportation: Manufacturing and transportation each absorbed roughly 20% of all IoT malware incidents in 2025, together representing 40% of total attack volume across sectors. In 2024, manufacturing alone accounted for 36% of incidents; the broadening distribution in 2025 signals that threat actors are actively diversifying their operational targets beyond a single industry.
54% of IoT Attack Traffic Targets the United States: The United States is the primary destination for IoT attack traffic, accounting for 54% of observed malicious activity in recent telemetry. Hong Kong follows at approximately 15%, and Germany at 7%. The concentration reflects both the density of connected devices in these regions and the adversaries’ consistent focus on high-value Western infrastructure.
Most Common Types of IoT Cyberattacks
The most common type of cyberattack in IoT networks is a DDoS attack launched via a botnet; compromised devices are recruited en masse and directed to flood a target with traffic until it goes offline. Beyond DDoS, IoT environments face six distinct attack categories, each exploiting a different structural weakness in how connected devices are built and deployed.

Distributed Denial-of-Service (DDoS) via IoT Botnets
DDoS attacks accounted for over 35% of all OT and IoT security alerts recorded in 2025, making them the most frequently observed attack category in connected device environments. The mechanism is scale: attackers compromise thousands or millions of IoT devices (routers, cameras, smart TVs) and direct their combined traffic at a single target simultaneously. The target’s infrastructure cannot distinguish legitimate from malicious requests at that volume and goes offline. The Aisuru botnet, documented in 2025, produced a 29.7 Tbps DDoS attack using exactly this model, one of the largest volumetric attacks on record, built entirely from compromised consumer IoT devices.
Botnet Recruitment and Credential Brute-Forcing
Botnet recruitment is the precondition for most large-scale IoT attacks. Automated scripts cycle through known factory-default credentials, “admin/admin” being the most documented, testing every reachable device on the internet until they find one that hasn’t had its login changed. Nozomi Networks’ telemetry found that brute-forcing default SSH and Telnet credentials was the single leading attack technique across all IoT and OT incidents analyzed, accounting for 7.4% of all detected malicious actions. Mirai-family malware, which uses this exact method, accounted for approximately 40% of all IoT malware payloads observed by Zscaler in 2025. Once recruited, a device joins a botnet infrastructure that its owner typically has no visibility into.
Man-in-the-Middle (MitM) Attacks
Man-in-the-middle attacks exploit the fact that approximately 98% of IoT device traffic is transmitted in plaintext: credentials, commands, and operational data move across networks without encryption. An attacker positioned between a device and its management platform can intercept authentication tokens, read commands, inject malicious instructions, or redirect traffic without breaking any cryptographic protection, because none exists to break. Router compromise is the primary enabler: a hijacked home or enterprise router gives an attacker a MitM position over every device on that network simultaneously. The DKnife framework, exposed by Cisco Talos in February 2026, was built specifically around this model. This China-linked toolkit compromised routers, enabling it to inspect and manipulate all traffic passing through them in real time.
Ransomware Targeting IoT and OT Environments
Ransomware operators have shifted focus toward IoT and operational technology environments because the leverage is categorically higher than in standard IT attacks. Encrypting files costs an organization data. Encrypting or disrupting the firmware of industrial controllers, connected medical equipment, or utility management systems costs an organization its ability to operate physically. OT-targeting ransomware activity jumped 46% in early 2025 as operators recognized that manufacturing downtime runs to millions of dollars per day and healthcare device disruption forces patient diversions, both conditions that compress the time pressure to pay. In 2025, ransomware campaigns specifically sought propagation pathways from IT networks into OT environments, using compromised IoT devices as the bridge.
Firmware Exploitation and Persistent Implants
Firmware exploitation targets the embedded software running on IoT devices: lightweight operating systems that typically receive no automatic updates and, in many cases, no patches at all after the device ships. Attackers scan for devices running firmware versions with publicly known CVEs, then exploit those vulnerabilities to gain persistent access that survives reboots and standard remediation attempts. Mirai variants and successor botnets like Mozi and Gafgyt are built on this model, targeting CVEs that were patched years ago but remain exploitable on hardware that has never been updated. A Mirai-based botnet called Broadside, active in late 2025, exploited a year-old firmware vulnerability in TBK-brand DVRs that the majority of deployed units had never patched. More sophisticated actors use firmware exploitation to plant persistent implants. The TOTOLINK EX200 vulnerability, disclosed in January 2026, allowed an authenticated attacker to trigger an unauthenticated root telnet service, granting full device control with no fix available from the manufacturer.
Cryptojacking
Cryptojacking repurposes compromised IoT devices to mine cryptocurrency on the attacker’s behalf, consuming the device’s compute resources without the owner’s knowledge. It is less destructive than ransomware but harder to detect because the device continues to function normally; it simply runs slower and consumes more power. Smart TVs, set-top boxes, and routers with sufficient processing capacity are the primary targets. A documented 2025 incident involved Mirai malware compromising a city’s IoT traffic camera network and using it for cryptomining, a case that demonstrated both the accessibility of civic IoT infrastructure and the range of monetization options available to attackers once a device is compromised.
Supply Chain Compromise
Supply chain compromise is the most operationally complex attack type and the one with the longest potential dwell time; devices arrive at their destination already infected, before the first network connection is made. BadBox 2.0, active across 2024 and into 2025, pre-infected over 10 million Android-based smart TVs and streaming boxes at the manufacturing stage, using them subsequently for residential proxy abuse, click fraud, and credential-stuffing operations. The user had no opportunity to prevent the compromise because it occurred before purchase. Supply chain attacks require significantly more operational overhead than credential brute-forcing. Still, they bypass every post-deployment security control an organization has implemented; device inventory, network segmentation, and behavioral monitoring are all ineffective against a device that was malicious before it was ever enrolled.
Volume and Types of IoT Cyberattacks
IoT attack volume in 2025 reached levels that security researchers describe as a permanent background condition rather than a series of discrete campaigns. The daily average of 820,000 hacking attempts largely consists of automated activity, opportunistic scans, and mass-exploit scripts cycling through IP ranges, testing for default credentials, open Telnet ports, and known firmware vulnerabilities. A device connected to the internet today is typically probed within minutes of going online.

Alongside sheer volume, the sophistication ceiling is rising. Malware-driven incidents surged 124% year-over-year, driven by an expanding ecosystem of IoT botnets that recruit cameras, routers, and consumer smart devices at scale. The largest of these, the Aisuru botnet, was exposed in 2025 and produced one of the most powerful DDoS attacks ever recorded, peaking at 29.7 Tbps. The infrastructure enabling that kind of firepower is no longer an anomaly; it reflects a maturing market for IoT-based attack-as-a-service.
Two threat patterns now dominate the landscape:
High-volume disruptive attacks: DDoS and denial-of-service campaigns launched via IoT botnets accounted for over 35% of all OT/IoT security alerts in 2025. These attacks target telecom providers, internet infrastructure, and industrial control systems, aiming to cause outages rather than extract data. They are frequently opportunistic, directed at wherever large concentrations of compromised devices can generate traffic.
Targeted intrusions and ransomware: Ransomware groups have aggressively shifted toward operational technology environments, recognizing that disrupting physical operations yields stronger leverage than encrypting files alone. OT-targeting ransomware activity jumped 46% in early 2025. Simultaneously, nation-state actors are embedding themselves in IoT edge devices (routers, switches, and telecom appliances) for long-term surveillance. The Chinese Salt Typhoon campaign, exposed in late 2025, compromised network devices across 80 countries, enabling interception of phone traffic at the infrastructure level. These are not isolated incidents; they represent a strategic reorientation toward the network layer as a persistent foothold.
Most Targeted IoT Devices: From Routers to Smart Cameras
Not every connected device poses the same risk. Attack distribution across the IoT ecosystem is heavily skewed: a handful of device categories absorb the overwhelming majority of malicious activity, while others become high-value targets in more surgical campaigns. Understanding that distribution is the first step in assessing where exposure actually lives.

Routers: 75% of All IoT Attacks
Home and small-business routers are the dominant target in IoT threat telemetry, and by a wide margin. According to Zscaler’s mid-2025 ThreatLabz report, routers accounted for over 75% of all observed IoT cyberattacks, making every other device category a distant second. The concentration makes sense: routers are deployed at scale, rarely updated, and positioned at the exact choke point where all network traffic passes. Compromise one, and an attacker sees everything that flows through it.
The technical entry points are well-documented. Command injection and buffer overflow flaws in unpatched firmware remain the primary vectors, with older device models carrying vulnerabilities that have been publicly known for nearly a decade. CVE-2016-10174 and CVE-2018-10561, both affecting specific Netgear models, are still being actively exploited in 2025 and into 2026, long after patches were issued, because a significant portion of deployed routers have never received a firmware update. Once inside, a hijacked router serves dual purposes: it can be conscripted into a DDoS botnet or used to intercept and redirect unencrypted traffic in man-in-the-middle attacks.
IP Cameras and NVRs: The Surveillance Blind Spot
Beyond routers, IP cameras and network video recorders are the most consistently targeted device class in enterprise and consumer environments. Forescout’s global threat telemetry found that IoT devices, as a category, rose to 19% of all observed exploits in 2025, up from 16% the prior year, with cameras and NVRs topping the list of most-targeted devices. The attack surface is structural: these devices ship with default credentials, run minimal embedded operating systems that go years without patches, and are exposed to the internet either intentionally (for remote monitoring) or accidentally (through misconfigured networks).
A compromised IP camera is a dual-use asset for attackers. It can be used to surveil physical spaces, an obvious privacy threat in homes and businesses, while simultaneously serving as a botnet node for generating attack traffic. That combination of reconnaissance value and compute utility makes cameras attractive targets even when the victim organization is not the primary objective.
Consumer IoT: The BadBox 2.0 Precedent
The consumer IoT surface extends well beyond cameras. Smart TVs, baby monitors, connected appliances, and streaming entertainment boxes all have documented compromises, and the most significant recent case established a troubling new vector. The BadBox 2.0 botnet, active across 2024 and into 2025, pre-infected over 10 million Android-based smart TVs and streaming boxes at the manufacturing stage. Devices reached consumers already enrolled in a botnet. There was no user action, no phishing link, no exploited vulnerability post-purchase; the malware shipped with the product.
The BadBox 2.0 infrastructure was subsequently used for residential proxy abuse, click fraud, and credential stuffing. The case matters not because smart TVs are uniquely valuable targets, but because it demonstrated that the supply chain itself is a viable infection vector at consumer scale. The implication for 2026 and beyond: a device can be compromised before it ever connects to a network.
Industrial and Medical IoT: Highest Cost Per Incident
Industrial field sensors, smart controllers, and medical IoT devices (the latter collectively known as the Internet of Medical Things, or IoMT, when deployed in healthcare) occupy a different threat category. They are not targeted opportunistically at the volume that routers and cameras are. Instead, they are pursued selectively, in campaigns where the payoff justifies the operational complexity.
The financial exposure in healthcare reflects that calculus precisely. Breaches involving IoMT devices in hospital environments average approximately $10 million in damages per incident, the highest cost per breach of any sector tracked. Ransomware affecting infusion pumps, remote patient monitoring systems, or radiology equipment doesn’t merely encrypt data; it forces patient diversions, delays critical care, and triggers regulatory consequences that compound well beyond the initial ransom demand. The disruption is physical, not just digital, which is exactly why these environments have become a priority target for ransomware operators seeking maximum leverage.

The Legacy Device Problem
Across all categories, legacy hardware is the common denominator. Devices running outdated firmware, carrying factory-hardcoded credentials, or manufactured without a viable patch lifecycle represent a permanently vulnerable layer in any network that hasn’t actively removed them. CISA’s 2026 directive requiring federal agencies to remove unsupported IoT edge devices from their networks is an acknowledgment of a problem that the private sector has been slower to address: a connected device that will never receive another security update is not a managed asset; it is a persistent liability. The remediation calculus for most organizations is no longer whether to retire legacy IoT hardware, but how fast.
Common Attack Vectors: How Hackers Exploit IoT Devices
The gap between IoT’s perceived sophistication and the actual mechanics of most IoT breaches is striking. Nation-state toolkits and AI-generated exploits dominate the threat narrative. Yet, the overwhelming majority of successful IoT compromises trace back to three failures documented for over a decade: weak credentials, unpatched firmware, and unencrypted communications. Attackers don’t need novel capabilities when the baseline security posture of most deployed IoT hardware remains this poor.

Default Credentials: Still the #1 Entry Point
Brute-forcing factory-default usernames and passwords remains the single most common technique for gaining initial access to IoT devices. Nozomi Networks’ analysis of real-world IoT and OT incidents found that brute-forcing default SSH and Telnet credentials accounted for 7.4% of all detected malicious actions, the leading individual attack technique in their dataset. A further 5.3% of incidents involved lateral movement using those same default credentials after initial access was established.
The underlying cause is structural. A large share of IoT devices ship with hardcoded logins, “admin/admin” being the most documented, and no enforcement mechanism that compels users to change them. OWASP classifies this as the top entry in the IoT Top 10 under “Weak, Guessable, or Hardcoded Passwords,” and it has held that position across multiple revision cycles. Automated credential-stuffing scripts cycle through known default combinations at scale, continuously testing every reachable device on the internet. For any device that has never had its factory login changed, compromise is a matter of when, not whether.
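The brute-forcing of default SSH and Telnet logins described here and in the botnet recruitment section above is visible in ordinary device auth logs. The following detector is an added example, not code from the report or from any vendor it cites; the log lines, hostnames and addresses are constructed, the list of default usernames is assumed, and it flags a source that cycles through several default accounts within a short window and then any successful login on such an account from that source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH authentication log lines from a camera; the
# hostnames, timestamps and addresses are invented for this example.
SAMPLE_LOG = """\
Mar  3 10:00:01 cam-01 sshd[311]: Failed password for admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:00:02 cam-01 sshd[312]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar  3 10:00:02 cam-01 sshd[313]: Failed password for invalid user support from 203.0.113.5 port 51024 ssh2
Mar  3 10:00:03 cam-01 sshd[314]: Failed password for invalid user user from 203.0.113.5 port 51025 ssh2
Mar  3 10:00:04 cam-01 sshd[315]: Failed password for admin from 203.0.113.5 port 51026 ssh2
Mar  3 10:00:05 cam-01 sshd[316]: Accepted password for admin from 203.0.113.5 port 51027 ssh2
Mar  3 10:05:00 cam-01 sshd[400]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:05:30 cam-01 sshd[401]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

# Factory-default usernames that Mirai-style scanners cycle through (assumed list).
DEFAULT_USERS = {"admin", "root", "support", "user", "guest", "service"}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line):
    """Return a dict for one auth log line, or None if it is not a login event."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog carries no year
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_default_credential_attacks(log_text, window=timedelta(seconds=60),
                                      min_failures=3, min_users=2):
    """Flag sources that cycle through several default usernames within one
    window, then flag any accepted login on a default account from that source."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, log_text.splitlines())):
        by_src[event["src"]].append(event)

    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events
                 if e["result"] == "Failed" and e["user"] in DEFAULT_USERS]
        flagged = False
        for i, first in enumerate(fails):
            # Sliding window anchored on each failure in turn.
            in_window = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            users = {f["user"] for f in in_window}
            if len(in_window) >= min_failures and len(users) >= min_users:
                findings.append({"src": src, "type": "default_credential_bruteforce",
                                 "failures": len(in_window), "usernames": sorted(users)})
                flagged = True
                break
        if not flagged:
            continue
        # A success on a default account after the spray means the device still
        # runs factory credentials and is now an attacker asset.
        for e in events:
            if e["result"] == "Accepted" and e["user"] in DEFAULT_USERS:
                findings.append({"src": src, "type": "default_account_compromised",
                                 "user": e["user"], "at": e["ts"].strftime("%H:%M:%S")})
    return findings


if __name__ == "__main__":
    for finding in detect_default_credential_attacks(SAMPLE_LOG):
        print(finding)
```

The second finding is the one that matters operationally: a spray that ends in an accepted login on "admin" is a device that needs its credentials rotated and its outbound traffic examined, not just a source address to block.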
Unpatched Firmware: The Exploit That Never Expires
IoT devices typically run lightweight embedded operating systems with no auto-update capability and, in many cases, no viable patch path. Manufacturers ship firmware, move on to the next product cycle, and a significant portion of deployed hardware never receives a single security update. That static attack surface is the foundation on which modern IoT botnets are built.
Mirai-family malware, which exploits publicly known firmware vulnerabilities and uses default credentials, accounted for roughly 40% of all IoT malware payloads observed by Zscaler in its most recent telemetry. Successor botnets, such as Mozi and Gafgyt, and their variants, follow the same pattern, targeting CVEs that were patched years ago but remain exploitable on devices that have never been updated. In late 2025, a Mirai variant called “Broadside” exploited a year-old vulnerability in TBK-brand DVRs deployed in commercial CCTV systems, conscripting thousands of devices into its botnet infrastructure. The vulnerability had a patch. The devices had never received it.
This is the defining characteristic of the unpatched firmware problem: exploits don’t expire when a CVE is published. They expire when devices are updated or replaced, and for a large portion of deployed IoT hardware, neither event occurs.
Insecure Protocols: 98% of IoT Traffic Is Unencrypted
The third systemic failure is at the protocol layer. Approximately 98% of IoT device traffic is transmitted in plaintext: credentials, commands, and operational data move across networks without encryption. That exposure enables straightforward man-in-the-middle attacks: an adversary positioned between a device and its management platform can intercept authentication tokens, inject commands, or hijack sessions without breaking any cryptographic protection, because none exists.
In industrial IoT environments, the problem extends further. Protocols like Modbus, BACnet, and EtherNet/IP were designed for closed operational networks and do not provide built-in authentication or encryption. As those environments have connected to broader enterprise and internet infrastructure, their implicit trust model has become a direct attack surface. In 2025, attacks abusing OT protocols jumped 84% year-over-year, with Modbus-targeting activity alone rising 57%. Attackers targeting industrial systems don’t need to break into a device; they need to speak its protocol, and that protocol trusts them by default.
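The claim that an OT protocol "trusts by default" is easiest to see in its frame layout. The following added example (not from the report or any vendor it cites) decodes Modbus/TCP frames and shows that the header carries a transaction id, protocol id, length and unit id and nothing else, so the only control a monitor can apply to a state-changing write is the sender's network position; the addresses, register numbers and allowlist are constructed for the example.

```python
import struct

# Modbus function codes (from the public Modbus application protocol spec).
# Anything in WRITE_FUNCTIONS changes process state on the target device.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}


def build_frame(transaction_id, unit_id, function_code, data):
    """Assemble a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    pdu = bytes([function_code]) + data
    # The MBAP length field counts the unit id byte plus the whole PDU.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(frame):
    """Decode the MBAP header and function code. Every field is accounted for
    here; none of them carries a credential, session token or signature."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame ({len(frame) - 6})")
    fc = frame[7]
    return {"transaction": tid, "unit": unit, "function": fc,
            "name": WRITE_FUNCTIONS.get(fc) or READ_FUNCTIONS.get(fc) or f"fc {fc}",
            "is_write": fc in WRITE_FUNCTIONS, "data": frame[8:]}


def check_writes(packets, allowed_writers):
    """packets: iterable of (source_ip, frame). Returns one alert for every
    write from a host outside allowed_writers and for every malformed frame.
    With no authentication in the protocol, source address is all there is."""
    alerts = []
    for src, frame in packets:
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append({"src": src, "reason": f"malformed frame: {exc}"})
            continue
        if not msg["is_write"] or src in allowed_writers:
            continue
        alert = {"src": src, "unit": msg["unit"],
                 "reason": f"unexpected {msg['name']}"}
        if msg["function"] in (5, 6) and len(msg["data"]) >= 4:
            # Single-write PDUs carry a 16-bit address and a 16-bit value.
            alert["address"], alert["value"] = struct.unpack(">HH", msg["data"][:4])
        alerts.append(alert)
    return alerts


# Constructed traffic sample: hosts and register numbers are invented.
ALLOWED_WRITERS = {"10.0.0.5"}   # the engineering workstation
SAMPLE_PACKETS = [
    # HMI polling ten holding registers starting at 0: normal read
    ("10.0.0.5", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    # engineering workstation writing one register: allowed
    ("10.0.0.5", build_frame(2, 1, 6, struct.pack(">HH", 0x0010, 1200))),
    # unknown host writing register 0x0010: alert
    ("10.0.0.99", build_frame(3, 1, 6, struct.pack(">HH", 0x0010, 0xFF00))),
    # unknown host, MBAP length field claims 99 bytes: alert
    ("10.0.0.99", struct.pack(">HHHB", 4, 0, 99, 1) + b"\x06\x00\x10\xff\x00"),
]


if __name__ == "__main__":
    for alert in check_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(alert)
```

A monitor like this is a compensating control, not a fix: it sees the write after the PLC has already accepted it, which is why segmentation and a per-writer allowlist at the network boundary matter more than the alert.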
Supply Chain Compromise: Infection Before First Boot
The most operationally complex vector, and the one with the longest dwell time, is supply chain compromise. Rather than exploiting a device after deployment, adversaries infect firmware or embedded software during manufacturing or distribution, so that devices arrive at their destination already enrolled in an attacker’s infrastructure.
BadBox 2.0 is the clearest recent example at consumer scale: over 10 million Android-based smart TVs and streaming boxes shipped with pre-installed malware, which was subsequently used for residential proxy abuse and credential-stuffing operations. Beyond consumer hardware, sophisticated actors have embedded backdoors in IoT firmware, which have been identified in industrial and network infrastructure devices. These implants are harder to detect than post-deployment exploits and survive factory resets, firmware reinstallation, and standard incident response procedures.
The concern entering 2026 is not that supply chain attacks will replace credential brute-forcing as the dominant vector; they won’t, given the operational overhead. The concern is that as governments push Secure-by-Design mandates and close off the easiest post-deployment entry points, sophisticated actors will increasingly rely on pre-deployment access as a durable fallback. Evidence of that shift was visible in 2024 and 2025 across camera and router supply chains originating in Asia.

The Pattern Underneath All Four Vectors
Each of these attack vectors shares a common structural cause: IoT devices are routinely shipped with security treated as an afterthought, deployed without hardening, and left in service long after their security baseline becomes indefensible. Default credentials, unpatched firmware, plaintext protocols, and compromised supply chains are not four separate problems; they are four expressions of the same manufacturing and procurement failure. Basic hygiene across all four would eliminate the majority of IoT compromise incidents. Until that hygiene is enforced at the point of manufacture and deployment rather than left to end users, the economics of IoT attacks will continue to favor the attacker.
Geographic Spread and Industry Impact
IoT attack infrastructure in 2025 became genuinely global in a way that previous years’ data didn’t fully reflect. Forescout’s threat analysts tracked malicious activity across 214 countries and territories over the year, effectively every connected corner of the world. More significant than the geographic breadth is the shift in concentration: the top ten source countries accounted for only 61% of observed attacks in 2025, down from 83% in 2024. Attack origin is dispersing, which complicates both attribution and perimeter-based defense models that assume threats arrive from identifiable regions.
The operational reality this creates is a routing problem as much as a targeting one. A compromised security camera in Southeast Asia can generate attack traffic directed at a hospital in North America, with the command-and-control server managing that operation hosted on a cloud instance in Europe. Each node in that chain falls under a different jurisdiction, legal framework, and defensive responsibility. Geographic attribution becomes a forensic exercise rather than an actionable defensive signal.

Target Distribution: Where Attack Traffic Lands
Despite the dispersal of attack origins, target concentration remains pronounced. The United States absorbs 54% of observed IoT attack traffic, more than all other countries combined in most datasets. Hong Kong accounts for approximately 15% and Germany for 6–7%, reflecting the density of connected devices and high-value infrastructure in those regions. Western Europe and developed Asia are the primary target geographies for IoT-focused campaigns.
One data point from Nozomi Networks’ early 2025 telemetry warrants specific attention: the United States overtook China as the top country hosting compromised IoT botnet nodes, the first time China had not held that position since 2022. The implication is that a substantial number of American consumer and commercial IoT devices (thermostats, dash cameras, smart appliances) have been enrolled into global botnet infrastructure without their owners’ knowledge. The U.S. is simultaneously the largest target of IoT attacks and an increasingly significant source of the attack traffic directed elsewhere.
Manufacturing: Uniquely Vulnerable by Architecture
Manufacturing has been the most consistently targeted sector in IoT threat telemetry across multiple years. Zscaler’s data shows it absorbed over 20% of IoT malware incidents in 2025, and while that represents a distribution shift from 2024, when manufacturing alone accounted for more than one-third of all incidents, the absolute volume of attacks against the sector continued to grow.
The reason researchers describe manufacturing as “uniquely vulnerable” is architectural: factory IoT devices (sensors, robotic controllers, and programmable logic controllers) routinely bridge to OT systems that govern physical equipment. A compromise that begins with a networked sensor doesn’t stay in the IT layer. It can propagate into the operational layer and halt production lines directly. Manufacturing downtime costs millions per day at scale, which is precisely why ransomware operators have prioritized the sector; the leverage-to-effort ratio is higher than in almost any other environment.
Energy and Utilities: 459% Attack Increase in 12 Months
The energy sector recorded a 459% increase in observed IoT-based attacks between mid-2024 and mid-2025, the steepest year-over-year escalation of any sector in the period. Electric grids, oil and gas infrastructure, and water utilities have rapidly deployed IoT instrumentation, including smart meters, pipeline sensors, and remote monitoring systems across geographically distributed assets. That expansion has outpaced security investment in most cases.
Most of the observed attack volume consists of malware probing for known vulnerabilities rather than executed intrusions. Still, the risk of a successful breach is categorically different from that in most sectors. An IoT compromise in energy infrastructure can trigger power outages, safety shutdowns, or environmental incidents with consequences that extend far beyond the attacked organization. Late 2025 and early 2026 produced multiple reports of probable nation-state actors targeting utility network appliances (routers and VPN devices at substations and control facilities) in what analysts assessed as pre-positioning activity rather than immediate disruption campaigns.
Healthcare: Highest Cost Per Incident Across All Sectors
Healthcare IoT breaches carry the highest per-incident cost of any sector, averaging approximately $10 million per event. That figure reflects the compounding consequences of IoT compromise in clinical environments: ransomware affecting radiology equipment or infusion pump networks doesn’t merely encrypt data; it forces patient diversions, delays time-sensitive procedures, and triggers regulatory investigations that extend the financial impact well beyond the initial ransom demand.
The attack surface in healthcare has expanded with the adoption of IoMT devices, remote patient monitoring systems, connected diagnostic equipment, and networked medication management platforms. These devices are typically purchased for clinical function, procured outside standard IT security review processes, and integrated into networks that weren’t designed with their security posture in mind. The combination of high operational criticality, weak baseline security, and limited visibility makes healthcare IoT among the most attractive targets for ransomware operators seeking maximum leverage.
Education: 861% Surge, The Largest Sector Jump Recorded
Education recorded the single-largest year-over-year increase in IoT malware activity among the sectors Zscaler tracked, at 861%. The structural explanation is straightforward: schools and universities have deployed IoT devices at scale (smart boards, environmental sensors, access control systems, student devices) against security budgets and staffing levels that bear no proportional relationship to that expanded attack surface. Campus networks are large, loosely segmented, and administered by teams that typically lack dedicated OT or IoT security expertise.
The threat profile in education is predominantly opportunistic: DDoS attacks knocking institutions offline, botnet recruitment of poorly secured campus devices, and credential harvesting from student and faculty systems. These are not targeted campaigns in the way manufacturing or energy attacks often are. They are volume-based operations that capitalize on easy access and low defensive friction.
Government and Smart Cities: 370–410% Increases in Civic Infrastructure
Government IoT environments saw approximately 370% growth in malware activity in 2025, with construction and smart city infrastructure recording increases of around 410%. Traffic management systems, public CCTV networks, municipal WiFi, and connected public safety equipment represent a category of IoT deployment that has expanded rapidly with limited security governance frameworks in place.
A documented 2025 incident in which Mirai malware compromised a city’s IoT traffic camera network, using it for cryptomining rather than causing physical disruption, clearly illustrated the vulnerability. The outcome was operationally benign, but the access gained was not. An attacker with persistent access to traffic management or emergency services infrastructure has options that extend well beyond mining cryptocurrency. Governments have responded by becoming vocal advocates for IoT security standards, partly because the consequences of civic IoT failure are uniquely public and physically manifest in ways that enterprise breaches are not.
The Cross-Sector Pattern
The sector-by-sector data from 2025 reflects a single underlying dynamic: IoT adoption has consistently outpaced security investment across every industry category, and attackers have calibrated their targeting to exploit that gap wherever it is deepest. Manufacturing offers high ransomware leverage. Energy offers infrastructure disruption potential. Healthcare offers life-safety pressure. Education offers volume and low friction. Government offers persistence and public impact. Each sector presents a different risk profile, but the common denominator across them is the deployment of connected devices built for operational efficiency and hardened, if at all, as an afterthought.
Notable Incidents and Case Studies: Late 2025 – Early 2026
The statistics in the preceding sections describe aggregate trends. The incidents below describe what those trends look like when they resolve into specific operations, each one illustrating a distinct attack model, from mass botnet recruitment to state-level network infiltration.

Kimwolf Android Botnet: 2 Million Devices, 29.7 Tbps
First disclosed in January 2026, Kimwolf is an Android-based botnet that infected over 2 million devices before researchers publicly documented it. Its primary propagation vector is the Android Debug Bridge, a developer interface that ships enabled on a significant portion of Android smart TVs and streaming boxes, intended for factory testing and never disabled before consumer sale. Kimwolf exploits that open port to establish persistent access, then enrolls the device into its infrastructure.
Kimwolf’s operational scope is broad. Its operators have monetized the botnet through at least three revenue streams: pay-per-install of unwanted applications, sale of residential proxy bandwidth from compromised devices, and DDoS-for-hire services. Evidence links Kimwolf to the 29.7 Tbps attack documented in late 2025, one of the largest volumetric attacks on record. That a consumer Android TV box can serve as the compute node behind record-setting infrastructure attacks is the operational reality Kimwolf makes concrete. The debug port left open at the factory is the entry point. The living room entertainment device is the weapon.
DKnife: A State-Linked AiTM Framework Targeting Router Infrastructure
In February 2026, Cisco Talos published research exposing DKnife, a malicious toolkit operated by a China-linked threat group, designed specifically to compromise routers and gateway devices and use them as adversary-in-the-middle interception platforms. Once a DKnife implant is installed on a router, it can inspect and manipulate all traffic passing through that device in real time. Unencrypted communications, which, as noted earlier, represent approximately 98% of IoT device traffic, are fully readable and modifiable.
The documented use cases for DKnife include hijacking software update channels to insert backdoors into legitimate application installations, with ShadowPad among the malware delivered via that method. The campaign’s targeting profile, phishing infrastructure for Chinese-language email services, and modules specifically designed for WeChat traffic interception point to an espionage operation targeting Chinese-speaking users and organizations. The broader significance extends beyond the specific targets: DKnife demonstrates that controlling an edge device is a viable alternative to directly compromising endpoints. By owning the router, an attacker gains visibility into an entire network segment without touching the servers or workstations on it. DKnife complements Salt Typhoon; both follow the same strategic logic applied at different points in the network stack.
TOTOLINK EX200: The Forever-Day Vulnerability Problem
In January 2026, CERT researchers disclosed an unpatched firmware vulnerability in the TOTOLINK EX200 range extender, a device with substantial deployment in home and small-business environments. The flaw allows an attacker who has already authenticated to the device’s web interface to trigger an unauthenticated root telnet service, granting full administrative control. The manufacturer had not released a patch at the time of the advisory. As of the disclosure date, the vulnerability remained open on every affected device in the field.
This is the defining characteristic of what researchers call “forever-day” vulnerabilities: a confirmed flaw publicly documented with no fix available or forthcoming, either because the vendor has deprioritized legacy hardware, lacks the engineering capacity to address it, or has effectively abandoned the product line. The TOTOLINK case is not exceptional. It is representative of a vulnerability class that will produce new disclosures throughout 2026 as researchers systematically audit legacy IoT hardware. Each disclosure produces the same outcome: a known exploit, thousands of exposed devices, and no remediation path for end users who cannot replace hardware on short notice. CISA’s directive requiring federal agencies to remove unsupported IoT edge devices from their networks is a direct policy response to exactly this failure mode.
Salt Typhoon: IoT Infrastructure as a Geopolitical Attack Surface
Salt Typhoon is not an IoT attack in the consumer device sense. Still, its inclusion here is deliberate; it establishes the upper bound of what IoT-class infrastructure compromise enables at nation-state scale. Disclosed in late 2025 and attributed to Chinese state-sponsored actors, Salt Typhoon was a systematic compromise of telecommunications network equipment (the routers, switches, and appliances that carry cellular and internet traffic) across more than 200 organizations and telecom carriers in 80 countries.
The access that the compromise provided was not limited to data exfiltration. Attackers with persistent implants in telecom routing infrastructure could intercept phone calls, track mobile device geolocation, and monitor communications at the carrier level rather than the endpoint level, surveillance that cannot be countered by endpoint encryption because it operates below the point where encryption is applied. U.S. officials characterized Salt Typhoon as one of the most serious telecommunications security incidents in the country’s history. Senate hearings in early 2026 pressed carriers on their detection timelines and remediation status.
Salt Typhoon’s relevance to the IoT threat landscape is the strategic precedent it establishes. The network appliances compromised in that campaign (edge routers, VPN concentrators, telecom switching equipment) are IoT-class devices by architecture: embedded operating systems, limited patch support, deployed at scale with minimal ongoing security monitoring. The same systemic weaknesses that make a home router vulnerable to Mirai made carrier-grade network equipment vulnerable to a nation-state persistent access campaign. The difference is in targeting intent, not in the technical mechanism.
What These Cases Have in Common
Kimwolf, DKnife, TOTOLINK, and Salt Typhoon represent four distinct attack models (mass botnet recruitment, state-linked interception infrastructure, legacy vulnerability exploitation, and geopolitical network compromise), but they share a single structural dependency: each one is made possible by IoT devices that were deployed without adequate security controls and left unmonitored in production environments. The attacker innovation in each case is real, but it is built on a foundation of defensive negligence that has been documented and addressable for years. The incidents will continue to escalate in scale and consequence until the deployment standards change.
Looking Ahead: Emerging Risks and Defenses in 2026
The conditions that produced 2025’s threat escalation are not stabilizing; they are compounding. The IoT device count is projected to reach 40 billion or more by 2030, up from approximately 18 billion in 2025. Each new device added to that base extends the attack surface, and the majority will ship with the same structural security failures that define the current threat landscape: default credentials, limited patch support, and unencrypted communications. The trajectory is not one of a problem being solved. It is one of a problem being scaled.

Against that backdrop, four dynamics will define how the IoT security environment develops through 2026 and into the years immediately following.
AI-Augmented Attack Automation
Defenders have used machine learning for network anomaly detection for several years. The same capability is now being applied on the offensive side. Malware that can dynamically adapt its payload to different device architectures, automated scanning tools that use AI to identify exploitable patterns faster than conventional scripts, and AI-assisted vulnerability discovery in firmware images are all documented or in active development by threat actors. The scale of IoT makes automation a prerequisite on both sides; there is no human-speed method for monitoring billions of devices or for attacking them at the volumes observed in 2025. The arms race between AI-augmented attack automation and AI-augmented defense is already underway. The current advantage lies with the attacker, who must succeed once across a vast target surface, while the defender must succeed continuously.
IT/OT Convergence as a Ransomware Acceleration Vector
The convergence of IT and OT environments, already well underway in manufacturing, energy, and healthcare, is the structural condition that makes industrial IoT attacks disproportionately damaging. A ransomware operator who can propagate from an IT network into an OT environment doesn’t just encrypt data; they can halt physical production, turn off safety systems, or trigger equipment shutdowns that carry consequences well beyond the cost of the ransom itself. Manufacturing downtime in large facilities runs to millions of dollars per day. Pipeline shutdowns carry regulatory and safety implications. Hospital equipment failures directly affect patient outcomes.
Ransomware groups calibrate their targeting to leverage, and industrial IoT environments offer the highest leverage-to-effort ratio currently available. The operational pattern established in 2024 and 2025, ransomware campaigns that specifically sought OT propagation pathways, will continue to develop in 2026. Network segmentation that creates a hard boundary between IT and OT environments, combined with incident response planning that explicitly accounts for cyber-physical scenarios, is the primary mitigation. Most organizations have not implemented either at sufficient depth.
Regulatory Baselines: The Shift from Voluntary to Mandatory
2026 is the first year in which meaningful IoT security regulation is moving from policy to enforcement in major markets simultaneously. The EU’s Cyber Resilience Act establishes mandatory security requirements for connected devices sold in European markets, including unique device credentials, mandatory patch support timelines, and vulnerability disclosure obligations for manufacturers. NIS2 extends security obligations to a broader range of operators of essential services, explicitly covering IoT-dependent sectors. In the United States, a national IoT security labeling program is advancing, a consumer-facing rating system for IoT product security analogous in concept to energy efficiency labeling, designed to shift procurement decisions toward more secure hardware.
These frameworks target the root cause rather than the symptom. The fundamental problem in IoT security is not that users fail to configure their devices correctly; it is that devices are manufactured and sold with security postures that make correct configuration either impossible or irrelevant. Mandatory baseline requirements (unique factory credentials, defined patch support windows, and disclosed vulnerability response processes) address the manufacturing incentive structure that has produced the current installed base of insecure hardware. Whether enforcement keeps pace with deployment speed is the open question for 2026. The regulatory frameworks exist. The compliance timelines and enforcement mechanisms will determine whether they change outcomes.
Zero Trust as the Operational Response to an Uncontrollable Perimeter
The assumption that IoT devices can be fully secured at the endpoint level is not operationally viable, particularly for legacy hardware with no patch path, devices running firmware that cannot be modified, or equipment categories where installing endpoint security agents is architecturally impossible. Zero Trust provides a framework that remains effective when endpoint security cannot be guaranteed: treat every device as potentially compromised, limit what each device can access, and continuously monitor behavior for deviations from established baseline patterns.
Applied to IoT environments, Zero Trust translates into specific architectural decisions. Network segmentation isolates IoT devices on dedicated VLANs or microsegments, containing the blast radius of a compromise. Strict access controls define precisely which systems each device class is permitted to communicate with; an IP camera has no legitimate reason to reach a financial system or a domain controller. Continuous behavioral monitoring, implemented with agentless tools that observe network traffic without requiring software installation on the device, provides the visibility layer. Lateral movement, the technique that turns a single compromised camera into a network-wide intrusion, is the specific threat that Zero Trust architecture is designed to interrupt. Zscaler’s 2026 advisory framework explicitly names East-West traffic monitoring and IoT/OT network segmentation as the two highest-priority defensive controls for the current threat environment.
The Actual State of the Problem in 2026
The regulatory frameworks are real. The defensive architectures are well-understood. The technology to implement Zero Trust, network segmentation, and behavioral monitoring is mature and commercially available. None of that changes the underlying condition: the majority of IoT devices currently in production deployment were not built to be secured, are not being actively monitored, and will not receive the firmware updates that would close their known vulnerabilities. The 2025 statistics (820,000 daily attacks, a 124% malware surge, and sector-by-sector escalation) are not the result of attacker sophistication outpacing defensive capability. They are the result of a deployment base that was never built to be defended at scale.
The question for 2026 is not whether better IoT security is technically achievable. The question is whether the combination of regulatory pressure, insurance requirements, and high-profile incident fallout will move procurement and manufacturing decisions quickly enough to change the installed base before the attack surface doubles again.
How Long Do Hackers Stay Inside IoT Networks?
The most consequential metric in IoT security is not how frequently attacks occur. It is how long they go undetected after they succeed. Traditional IT compromises are typically discovered within days or weeks; endpoint detection tools, SIEM alerts, and user-reported anomalies create multiple detection pathways that compress dwell time. IoT environments offer none of those pathways. Compromises in connected device infrastructure routinely persist for months and, in documented cases, have remained undetected until an attacker chose to act visibly, triggering ransomware, launching a DDoS campaign, or causing an operational disruption that forced the infected device into view.

That gap between compromise and detection is not a measurement problem. It is a structural feature of how IoT devices are built and deployed.
Why IoT Environments Are Designed for Attacker Persistence
Most IoT devices are headless: no user interface, no local alerts, no mechanism for making anomalous behavior visible to anyone present. They generate minimal logs, and in many cases no logs at all, leaving forensic investigators with little to reconstruct. They are configured for continuous uptime rather than periodic inspection, so reboots and active scanning are avoided to prevent disruption of their primary function. And critically, a compromised IoT device can continue performing that primary function normally while simultaneously operating as an attacker asset. A smart camera keeps streaming. A factory sensor keeps reporting. A router keeps routing. Nothing appears broken because nothing is operationally broken; the device is doing exactly what it was deployed to do and also doing something else entirely.
This is the core distinction from IT endpoint compromise. Malware on a laptop or server typically degrades performance, triggers antivirus alerts, or produces user complaints that initiate investigation. Malware on an IoT device produces none of those signals. The attacker’s presence is silent by default.
The Detection Gap in Practice
Industry data from 2025 and 2026 investigations consistently shows the same detection pattern: compromised IoT devices are not discovered through proactive monitoring. They are discovered as downstream consequences of something else: a ransomware event elsewhere on the network traced back to an infected gateway, a DDoS attack an ISP flags as originating from internal infrastructure, or anomalous outbound traffic volumes that trigger a firewall alert weeks after the initial compromise. IoT breaches are rarely the first to sound the alarm. They are the silent precondition that made the first alarm possible.
In multiple documented investigations, security teams working backward from a visible incident found that the initial IoT compromise had occurred months prior. The attacker had used that time to map the internal network topology, harvest credentials as they passed through compromised routers or gateways, establish persistence across multiple devices, and move laterally into IT and OT systems, all before triggering any detection event. By the time the response team was engaged, the attacker’s access was no longer limited to the IoT device where entry was made.
Dwell Time as a Risk Multiplier
Extended dwell time does not simply mean that an attacker is present for a longer period. It means the scope of what they can accomplish expands continuously while the defender remains unaware. A compromised router that goes undetected for three months is not three months of static access; it is three months of credential harvesting from every unencrypted session that passed through it, three months of internal network reconnaissance, three months of lateral movement opportunity into adjacent systems. In manufacturing and healthcare environments specifically, that window allows an attacker to observe operational patterns in detail, learning shift schedules, production cycles, and system interdependencies, so that when disruption is eventually deployed, it is timed and targeted for maximum impact rather than opportunistic.
This is the mechanism by which large-scale incidents that appear to originate in IT infrastructure turn out, on investigation, to have started in IoT. A single compromised camera, sensor, or gateway becomes the launchpad. The IT breach is the visible event. The IoT compromise was the months-long preparation that enabled it.
Why the Problem Is Worsening in 2026
Four converging trends are extending average IoT dwell time rather than compressing it. Device counts are growing faster than the security team’s capacity to monitor them, widening coverage gaps with each deployment cycle. Legacy hardware that cannot be patched or replaced remains online and unmonitored, providing persistent low-visibility footholds. Encrypted traffic, increasingly common even in IoT environments, obscures malicious behavioral patterns inside flows that appear legitimate. And security tooling across most organizations remains oriented toward IT endpoints: EDR platforms, SIEM integrations, and threat-hunting workflows built for servers and laptops provide limited to no visibility into the behavior of a smart thermostat or an industrial gateway.
Attackers have internalized this visibility gap as a structural advantage. The implicit bet underlying most IoT-targeted campaigns in 2026 is straightforward: the target organization is not watching these devices closely enough to detect persistence, and will not discover the compromise until the attacker decides to act. Recent incident data does not suggest that bet is frequently wrong.
Reducing Dwell Time Is the Leverage Point
Eliminating IoT compromise is not a realistic near-term objective given the scale of the deployed base and the structural security failures embedded in it. Reducing dwell time is. Network segmentation limits lateral movement, containing the blast radius of a compromise that has already occurred. Agentless behavioral monitoring tools that observe IoT device traffic patterns without requiring software installation on the device itself provide the visibility layer these environments currently lack. Anomaly detection calibrated to IoT baselines can identify the reconnaissance and credential-harvesting activity that precedes the visible damage event, surfacing the compromise during the attacker’s preparation phase rather than after they have acted.
The implication is direct: for most organizations, the question is not whether an IoT device on their network has been compromised. Given the attack volumes documented in 2025 and the structural invisibility of IoT compromise, the more operationally useful question is how long ago it happened and how far the access has spread since then. The organizations that reduce dwell time are the ones that answer that question before the attacker does.
How Mature Is Your IoT Security Program?
IoT security maturity is not evenly distributed, even within the same industry. Two organizations deploying similar connected device infrastructure can carry radically different risk profiles depending on how much visibility they have into device behavior, how well their network architecture contains lateral movement, and how deeply IoT is integrated into their broader security operations. Understanding where an organization actually sits on that spectrum, rather than where its security policy documents suggest it should, is the precondition for any meaningful improvement.

The following maturity model describes five distinct operational states, from complete absence of IoT visibility to full Zero Trust integration. Most organizations fall somewhere in the first three levels. Most attackers are operating as though their targets are at the fourth or fifth.
Level 0: No Visibility
At this level, the organization lacks a reliable inventory of its IoT devices. Devices have been added by facilities teams, third-party vendors, or individual business units without IT or security team awareness. There is no systematic distinction between IoT, IT, and OT assets on the network. Security teams typically discover devices exist only after an incident forces the question.
This is the environment in which shadow IoT thrives. Attackers who compromise a device in a Level 0 environment face virtually no detection risk, since a device whose existence no one has confirmed is not being monitored. Footholds established at this level can persist for months or years without triggering any response, precisely because there is no baseline from which to detect deviation.
Level 1: Basic Inventory
Organizations at this level have completed the first defensive step: they know, with reasonable confidence, which IoT devices are on their network. Asset discovery tooling or manual inventory processes have produced a classified list of cameras, sensors, routers, and medical devices, along with basic ownership and location tracking.
Inventory is necessary but not sufficient, and this is where many programs stall. Knowing a device exists does not provide insight into how it is behaving, whether its firmware is up to date, or whether it has already been compromised. At Level 1, devices are visible but not monitored. Compromises still go undetected for extended periods because the inventory answers the question of what is present, not what it is doing.
Level 2: Network Segmentation
Level 2 organizations have moved from observing their IoT environment to architecturally constraining it. IoT devices are isolated from core IT systems through VLANs or microsegmentation. East-west and north-south traffic is restricted to what each device class legitimately requires. Least-privilege network access is enforced, meaning a connected camera cannot reach financial systems or domain controllers regardless of whether it has been compromised.
Segmentation is the most impactful single architectural control available for IoT environments because it directly addresses the mechanism by which most IoT compromises escalate into enterprise-wide incidents. A compromised device in a segmented environment is still compromised, but its value as a lateral-movement platform is sharply limited. The attacker who owns a camera in a Level 2 network owns that camera. The attacker who owns a camera on a Level 0 or 1 network has a potential path to every system the camera can reach.
Level 3: Behavioral Monitoring
This is the threshold at which IoT security becomes proactive rather than reactive. Organizations at Level 3 have established behavioral baselines for their device populations and are continuously monitoring for deviations from those baselines. Unusual traffic patterns, protocol misuse, unexpected outbound destinations, and anomalous data flows generate alerts that trigger investigation.
IoT devices are operationally predictable in a way that general-purpose computing endpoints are not. A temperature sensor has a defined communication pattern; it sends readings to a specific endpoint at a defined interval. Any departure from that pattern is a meaningful signal. That predictability, which makes IoT devices operationally reliable, also makes behavioral anomaly detection more precise in IoT environments than in IT environments where user behavior introduces significant noise. At Level 3, compromises are identified during the attacker’s reconnaissance and persistence phase rather than after they have acted, which is the detection timing that prevents the extended dwell times documented in the previous section.
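The per-class access rules described under Zero Trust above and the Level 3 baseline checks described here can be expressed as one detector. The following is an added example, not code from the report or from any vendor tool it names; the device names, hosts, policy values and flow records are all constructed for illustration, and the five deviation kinds it reports (unknown device, unexpected destination, excess volume, broken report cadence, gone silent) generalize the single sensor case in the text.

```python
"""Baseline-deviation detection for IoT device traffic.

Added example (not from the report or any product it mentions). All device
names, hosts, policy values and flow records are constructed for illustration.
Each flow record is (timestamp_s, device, dst_host, dst_port, bytes_out).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Baseline:
    allowed: frozenset            # {(dst_host, dst_port)} this device class legitimately needs
    max_bytes: int                # ceiling for a single outbound flow
    interval_s: Optional[float]   # expected report cadence for periodic devices, else None


# Hypothetical per-class policy: what each class was deployed to do and nothing more.
BASELINES = {
    "temp-sensor": Baseline(frozenset({("mqtt.internal", 8883)}), 512, 60.0),
    "ip-camera":   Baseline(frozenset({("nvr.internal", 554)}), 5_000_000, None),
}

# Hypothetical inventory (the Level 1 step): device -> class.
INVENTORY = {"sensor-07": "temp-sensor", "cam-12": "ip-camera"}


def detect(flows, now=None):
    """Return findings as (device, kind, detail) for every deviation from baseline.

    kinds: unknown-device, unexpected-destination, volume, interval, silent
    """
    findings = []
    last_report = {}
    for ts, dev, host, port, nbytes in sorted(flows):
        base = BASELINES.get(INVENTORY.get(dev))
        if base is None:
            # Traffic from a device nobody inventoried: the shadow-IoT case.
            findings.append((dev, "unknown-device", f"{host}:{port}"))
            continue
        if (host, port) not in base.allowed:
            # Least-privilege violation, e.g. a camera reaching a domain controller.
            findings.append((dev, "unexpected-destination", f"{host}:{port}"))
        if nbytes > base.max_bytes:
            findings.append((dev, "volume", f"{nbytes} bytes to {host}:{port}"))
        if (host, port) in base.allowed and base.interval_s is not None:
            # Periodic devices: a report far ahead of schedule breaks the cadence.
            if dev in last_report and ts - last_report[dev] < base.interval_s / 2:
                gap = ts - last_report[dev]
                findings.append((dev, "interval", f"{gap:.0f}s gap, expected {base.interval_s:.0f}s"))
            last_report[dev] = ts
    if now is not None:
        # Devices that should report on a schedule but have gone quiet.
        for dev, cls in INVENTORY.items():
            base = BASELINES[cls]
            if base.interval_s is None:
                continue
            last = last_report.get(dev)
            if last is None or now - last > 3 * base.interval_s:
                findings.append((dev, "silent", f"no report since {last}"))
    return findings


def finding_kinds(findings):
    """Collapse findings to the set of (device, kind) pairs for triage."""
    return {(dev, kind) for dev, kind, _ in findings}


# Constructed flow records: three normal sensor reports, then deviations.
FLOWS = [
    (0,   "sensor-07",   "mqtt.internal",      8883, 180),
    (60,  "sensor-07",   "mqtt.internal",      8883, 182),
    (120, "sensor-07",   "mqtt.internal",      8883, 179),
    (125, "sensor-07",   "mqtt.internal",      8883, 181),         # 5 s after the last: cadence break
    (130, "cam-12",      "nvr.internal",       554,  2_400_000),   # normal video to the NVR
    (131, "cam-12",      "dc01.corp.internal", 445,  900),         # camera touching a domain controller
    (140, "cam-12",      "203.0.113.9",        443,  48_000_000),  # large upload to an external host
    (150, "sw-closet-3", "mqtt.internal",      8883, 100),         # not in inventory
]

if __name__ == "__main__":
    for dev, kind, detail in detect(FLOWS, now=400.0):
        print(f"{dev:12} {kind:22} {detail}")
```

Run against live flow exports, the `unexpected-destination` and `volume` kinds are the lateral-movement and exfiltration signals the text describes, while `silent` catches a periodic device that has been rebooted, reflashed or cut off.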
Level 4: Zero Trust Integration
At the highest maturity level, IoT security is not a separate program; it is integrated into the organization’s broader Zero Trust architecture. Every device is treated as untrusted by default regardless of its network position. Device identity and behavior are continuously verified. Access policies are dynamic and automatically adjust based on real-time risk signals. Devices exhibiting anomalous behavior are automatically isolated or have their access scoped down before human review completes. SOC, SIEM, and incident response workflows are fully instrumented for IoT events.
The operational outcome at this level is not that compromise becomes impossible. It is that successful compromises are short-lived, spatially contained, and expensive for the attacker to exploit. The dwell time advantage that makes IoT attacks so damaging at lower maturity levels is eliminated because detection and response happen faster than the attacker can convert access into impact.
The Maturity Gap and Its Consequences
The practical reality in 2026 is that most organizations operate at Levels 0-2, while threat actors are calibrating their operations on the assumption that targets lack deep IoT visibility. That mismatch, between where defensive programs actually are and where attackers assume they will be caught, is the direct cause of the extended dwell times, high ransomware success rates, and operational disruptions documented across 2025 and into 2026. It is also a compounding liability: organizations without IoT visibility face increasing scrutiny from cyber insurers and regulators who have begun treating IoT security posture as a material risk factor rather than a secondary consideration.
Moving from Level 0 to Level 1 requires asset discovery. Moving from Level 1 to Level 2 requires architectural decisions about network design. Moving from Level 2 to Level 3 requires investment in behavioral monitoring tooling and the operational processes to act on its output. Each transition reduces the attacker’s operational advantage in a specific and measurable way. None of them requires solving the entire IoT security problem simultaneously.
The organizations most likely to experience the most damaging IoT incidents in 2026 are not necessarily those with the most complex device environments. They are the ones who do not know which level they are at, because that uncertainty itself is the answer.
The Real Cost of an IoT Breach in 2026
Ransom payments dominate IoT breach coverage because they are the most legible cost, a specific number, demanded and either paid or refused, that fits cleanly into an incident report. They are also, in most cases, among the smaller financial consequences of a serious IoT compromise. The costs that determine whether an organization recovers quickly or spends years managing fallout are the ones that don’t appear in the initial ransom demand: physical downtime, regulatory exposure, insurance restructuring, infrastructure replacement, and the erosion of customer and partner trust that follows a breach affecting physical operations or safety.

For security leaders building the business case for IoT investment, these secondary and tertiary costs are the relevant numbers. Ransom prevention is a subset of the problem. Business continuity is the full scope of it.
Physical Downtime: The Cost That Starts Immediately
IoT breaches in operational environments result in physical disruption in ways that most IT incidents do not. A compromised industrial controller can halt a production line. Ransomware affecting connected medical devices forces hospitals to divert patients and delay procedures. Utilities throttle services to isolate infected systems and prevent cascading failures. In each case, the business impact begins the moment the affected system goes offline, not when the ransom note appears.
Downtime costs in industrial environments range from tens of thousands to millions of dollars per hour depending on sector and production volume, and those figures compound across supply chain obligations, contractual penalties, and safety validation requirements that must be completed before systems can be restarted. Unlike a compromised laptop that can be reimaged in hours, many IoT devices cannot be restored remotely, require physical access to replace, and in critical infrastructure contexts require formal safety recertification before returning to service. The gap between initial compromise and full operational recovery is measured in days or weeks, not hours, and every hour in that gap carries a direct financial cost that dwarfs most ransom demands.
Regulatory Fines and Legal Exposure
The regulatory environment surrounding IoT security changed materially in 2025 and 2026. NIS2 in the EU imposes mandatory security requirements on operators of essential services, including breach notification timelines and potential fines for demonstrated negligence. GDPR liability attaches when compromised IoT devices expose personal or location data, a category that covers everything from connected medical equipment to building access systems. HIPAA enforcement applies directly to IoMT device compromises in healthcare environments. Industry-specific safety mandates add further layers in manufacturing, energy, and transportation.
Regulators in 2026 are no longer receptive to “unknown device” explanations. The absence of basic controls, inventory, segmentation, and monitoring is increasingly treated as negligence rather than oversight, particularly for organizations in regulated sectors that have had years of guidance on IoT security requirements. The legal exposure compounds beyond regulatory fines: class-action lawsuits following breaches that affect customers or patients, contractual breach claims from partners whose operations were disrupted, and regulatory investigations that can run for months or years after the initial incident is resolved. For many organizations, the compliance and legal consequences of an IoT breach far outlast the operational disruption.
Cyber Insurance: The Structural Financial Consequence
A serious IoT breach not only affects the claim that follows but also reshapes the organization’s insurance position in the future. Insurers responding to IoT-related claims are increasingly applying post-incident requirements that condition policy renewal on demonstrated security improvements: mandatory network segmentation, IoT device inventory attestation, behavioral monitoring capability, and incident response procedures specific to OT environments. Organizations that cannot satisfy those requirements face higher premiums, reduced coverage limits, or exclusions that explicitly carve out IoT and OT environments from future coverage.
The underwriting questions insurers now ask during renewal (what IoT device visibility does the organization have, how is the network segmented, what monitoring is in place) are direct assessments of maturity level. Organizations operating at Level 0 or Level 1 of the maturity model described in the previous section are increasingly finding that their security posture makes comprehensive coverage either prohibitively expensive or structurally unavailable. That is a long-term financial consequence that does not appear in breach statistics but directly affects the organization’s risk transfer capacity for years after the incident.
Device Replacement and Infrastructure Recovery
IoT devices are not general-purpose computing endpoints. They cannot be reimaged from a central management console, restored from backup, or replaced by ordering a standard SKU from a hardware catalog. Many are physically embedded in walls, machinery, or infrastructure. Many run firmware that has not been updated since installation and for which no current patches exist. Many are end-of-life hardware that the manufacturer no longer supports.
Following a significant IoT breach, organizations are frequently forced to replace large portions of their device inventory rather than remediate in place, either because the devices cannot be cleaned reliably, because they are running unsupported firmware that makes them immediately re-vulnerable, or because insurers or regulators require it as a condition of recovery certification. In large-scale environments (factories, hospital campuses, smart city infrastructure) those replacement programs cost millions of dollars and take months to execute. The capital expenditure arrives unbudgeted, competes with planned investment cycles, and extends the operational disruption well beyond the initial incident window.
Reputational Damage and Loss of Trust
The least quantifiable cost of an IoT breach is also, in many cases, the most durable. When a compromise affects physical safety, a medical device failure, a manufacturing accident enabled by compromised equipment, or a utility disruption affecting residential customers, the reputational damage persists long after the technical recovery is complete. Customers, patients, partners, and regulators do not reset their risk assessments when the incident is closed. They recalibrate their relationship with the organization based on what the breach revealed about its security posture and its transparency in response.
For consumer-facing IoT product manufacturers, a single documented compromise can permanently alter customer perception of the product category. For healthcare providers, a breach affecting connected devices raises patient safety concerns that survive years of subsequent investment in security improvements. For industrial operators, partners and clients in the supply chain apply their own risk assessments to the relationship, sometimes triggering contract reviews or procurement changes that have a sustained revenue impact. These consequences do not appear in the cost column of an incident report. They appear in customer retention figures, contract renewals, and partnership terms, often quarters or years after the incident that caused them.
Reframing IoT Security as a Business Risk
The financial structure of an IoT breach in 2026 is not primarily defined by what attackers demand. It is defined by how deeply the compromise disrupts operations, how extensively it triggers regulatory and legal consequences, how significantly it restructures the organization’s insurance position, and how durably it affects trust with customers, partners, and regulators. Each of those cost categories scales with the maturity gap described in the previous section: organizations with poor IoT visibility, absent segmentation, and no behavioral monitoring face larger blast radii, longer dwell times, and more extensive recovery requirements than organizations that have invested in progressive security controls.
Ransom prevention is a narrow frame for a broad business problem. The security investment case for IoT is most accurately built around downtime costs, regulatory exposure, insurance positioning, and reputational risk, not around the probability of a specific ransom demand. For organizations where leadership still treats IoT security as a technical concern rather than an operational and financial one, the 2025 incident record provides the reframing: the companies that experienced the most damaging IoT breaches in the past year were not primarily harmed by what attackers demanded. They were hurt by how long the attacker was already inside before anyone noticed.
Biggest IoT Security Risks and Vulnerabilities in 2026
The most dangerous IoT security vulnerabilities in 2026 are not new discoveries. They are structural failures that have been present in connected devices for over a decade, remain unresolved at the manufacturing level, and are now operating at a scale that makes their aggregate impact larger than ever. The seven vulnerabilities below account for the overwhelming majority of documented IoT compromises in 2025 and remain the dominant risk factors entering 2026.
1. Default and Hardcoded Credentials
Factory-default usernames and passwords, “admin/admin”, “root/root”, and several hundred other combinations that are publicly documented, remain active on a significant portion of deployed IoT devices. Nozomi Networks’ analysis found that brute-forcing default SSH and Telnet credentials was the single leading attack technique across all IoT and OT incidents in their dataset, accounting for 7.4% of all detected malicious actions. A further 5.3% of incidents involved the use of default credentials for lateral movement after initial access was established. OWASP has listed weak, guessable, or hardcoded passwords as the top IoT vulnerability in every edition of its IoT Top 10. The remediation is trivial: change the credential at deployment. The failure rate remains high because there is no enforcement mechanism to require it, and many devices do not prompt users to do so.
2. Unpatched Firmware
IoT devices run lightweight embedded operating systems that typically lack auto-update capabilities. Many receive no firmware updates after production; some run software that the manufacturer has formally end-of-lifed with no replacement patch available. Mirai-family malware, which accounted for approximately 40% of all IoT malware payloads observed by Zscaler in 2025, exploits this by targeting CVEs that were publicly disclosed and patched years ago but remain exploitable on devices that have never been updated. The practical consequence is that a vulnerability disclosed in 2016 remains an active attack vector in 2026 on any device that hasn’t been updated, and a large portion of deployed hardware falls into that category. CISA’s 2026 directive requiring federal agencies to remove unsupported IoT edge devices from their networks is a direct acknowledgment that unpatched firmware at scale is not a manageable risk; it is an unacceptable one.
3. Unencrypted Communications
Approximately 98% of IoT device traffic is transmitted in plaintext. Credentials, commands, sensor readings, and operational data move across networks without encryption, making them fully readable to any attacker with network access. This exposure enables man-in-the-middle attacks without requiring any cryptographic attack capability; the attacker simply reads traffic that was never protected. In industrial environments, the problem extends to the protocol layer: Modbus, BACnet, and EtherNet/IP, the dominant protocols in industrial IoT, were designed for closed operational networks and carry no authentication or encryption. Attacks abusing OT protocols jumped 84% in 2025, with Modbus-targeting activity rising 57%, as attackers recognized that industrial devices implicitly trust any traffic that speaks their protocol correctly.
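The protocol-layer point above (a device accepts any request that parses correctly, since Modbus carries no authentication) is easiest to see in a detection check. The following is an added example, not code from the report or from any vendor cited in it: it parses constructed Modbus/TCP frames and flags state-changing writes that did not come from an allowlisted engineering host. The IP addresses, allowlist and frames are constructed for illustration.

```python
"""Flag unauthenticated Modbus/TCP write requests from unexpected sources.

Added example (not from the report). Parses Modbus/TCP frames (MBAP header
plus PDU) and reports writes whose source is not an allowlisted host.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (public protocol spec).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_mbap(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP frame: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    The header carries no credential or signature: anything that parses is
    accepted by the device, which is the trust problem described in the text.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src_ip, tid, unit, frame[7], frame[8:])

def flag_unexpected_writes(frames, allowed_writers):
    """Return one alert string per write request from a non-allowlisted host.

    allowed_writers: set of IPs (e.g. HMI / engineering workstations) that are
    expected to issue writes. Read requests (FC 1-4) are never alerted.
    """
    alerts = []
    for src_ip, frame in frames:
        req = parse_mbap(src_ip, frame)
        name = WRITE_FUNCTIONS.get(req.function_code)
        if name and req.src_ip not in allowed_writers:
            addr = struct.unpack(">H", req.data[:2])[0]
            alerts.append(f"{req.src_ip} -> unit {req.unit_id}: {name} "
                          f"(FC {req.function_code}) at address {addr}")
    return alerts

# Constructed sample traffic (not a real capture): a read from the HMI, a write
# from the HMI, and a write from a host that lives in the camera VLAN.
SAMPLE_FRAMES = [
    ("10.10.1.5", bytes.fromhex("0001000000060103000A0002")),   # Read Holding Registers
    ("10.10.1.5", bytes.fromhex("000200000006010500130000")),   # Write Single Coil, HMI
    ("10.20.3.77", bytes.fromhex("00030000000601050013FF00")),  # Write Single Coil, unexpected
]
ALLOWED_WRITERS = {"10.10.1.5"}  # constructed allowlist

if __name__ == "__main__":
    for line in flag_unexpected_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print("ALERT:", line)
```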
4. Insecure or Absent APIs
IoT devices communicate with cloud management platforms, mobile applications, and third-party services through APIs that are frequently implemented without adequate authentication controls, input validation, or rate limiting. Insecure APIs allow attackers to query device data, issue commands, or extract credentials without compromising the device itself; access is obtained through the management interface rather than the hardware. The cloud-side attack surface is particularly significant because a single API vulnerability can expose every device registered to that platform simultaneously, scaling a single exploit across millions of endpoints. Forescout’s telemetry found that cloud-based attacks on IoT management infrastructure increased in proportion to IoT adoption in 2025, as attackers recognized that targeting the platform is more efficient than targeting individual devices.
5. No Update or Patch Mechanism
A vulnerability distinct from unpatched firmware is the complete absence of an update mechanism, meaning devices cannot receive patches even if the manufacturer issues them. A significant portion of deployed IoT hardware was manufactured without over-the-air update capability, without a defined support lifecycle, or by vendors that have since ceased operations. These devices cannot be remediated through software. The only resolution is physical replacement, which, in large-scale deployments such as factories, hospitals, and smart city infrastructure, involves capital expenditure, operational disruption, and project timelines measured in months. In 2026, this category represents the largest single source of permanently unresolvable IoT risk: known vulnerabilities, no fix path, and continued deployment because replacement has not been prioritized or budgeted.
6. Excessive Device Permissions and Poor Network Segmentation
Most IoT devices are deployed with access to far more of a network than their function requires. A smart thermostat has no legitimate need to communicate with a domain controller. An IP camera has no operational reason to reach a financial database. Yet in the majority of enterprise environments, IoT devices sit on flat networks with unrestricted lateral movement capability, meaning a compromised device can reach any other system on the same network. Forescout’s research found that the absence of network segmentation is the primary reason IoT compromises escalate into enterprise-wide incidents: the initial device compromise is contained to one piece of hardware, but the lack of architectural boundaries allows the attacker to move freely from there. In 2025, the most damaging IoT incidents, those resulting in ransomware deployment across entire organizations, consistently followed a pattern of initial IoT compromise followed by lateral movement through unsegmented networks.
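The thermostat-to-domain-controller and camera-to-finance-database cases above can be turned into a concrete audit: compare observed flows against what each device class legitimately needs. The following is an added example, not code from the report or from Forescout; the zones, device inventory, policy and flow records are all constructed assumptions, and a real deployment would feed it NetFlow or firewall logs.

```python
"""Check observed flows against a per-device-class reachability policy.

Added example (not from the report). Given a device inventory, a zone map and
sample flow records, it reports IoT devices reaching segments their function
does not require: the flat-network lateral movement the text describes.
"""
import ipaddress
from collections import defaultdict

# Constructed zones (assumptions): which subnets form which network segment.
ZONES = {
    "iot_cameras": ipaddress.ip_network("10.20.0.0/24"),
    "iot_hvac": ipaddress.ip_network("10.21.0.0/24"),
    "iot_cloud_proxy": ipaddress.ip_network("10.99.0.0/24"),
    "identity": ipaddress.ip_network("10.1.1.0/24"),     # domain controllers
    "finance": ipaddress.ip_network("10.1.50.0/24"),     # financial databases
    "video_mgmt": ipaddress.ip_network("10.30.0.0/24"),  # camera recorder / VMS
}

# Constructed policy: zones each IoT device class may initiate traffic to.
POLICY = {
    "ip_camera": {"video_mgmt", "iot_cloud_proxy"},
    "thermostat": {"iot_cloud_proxy"},
}

# Constructed inventory: device IP -> device class.
INVENTORY = {
    "10.20.0.15": "ip_camera",
    "10.21.0.8": "thermostat",
}

def zone_of(ip: str) -> str:
    """Map a destination address to its segment name, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def audit_flows(flows, inventory=INVENTORY, policy=POLICY):
    """Return {source_ip: [(device_class, dst_ip, dst_port, dst_zone), ...]}.

    flows: iterable of (src_ip, dst_ip, dst_port). Only flows initiated by an
    inventoried IoT device are judged; a device reaching a zone outside its
    class allowlist is a segmentation violation worth investigating.
    """
    violations = defaultdict(list)
    for src, dst, port in flows:
        device_class = inventory.get(src)
        if device_class is None:
            continue  # not an IoT asset tracked by this check
        zone = zone_of(dst)
        if zone not in policy[device_class]:
            violations[src].append((device_class, dst, port, zone))
    return dict(violations)

# Constructed flow records (not a real capture).
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.30.0.4", 554),    # camera -> VMS, expected
    ("10.21.0.8", "10.99.0.2", 443),     # thermostat -> cloud proxy, expected
    ("10.21.0.8", "10.1.1.10", 445),     # thermostat -> domain controller
    ("10.20.0.15", "10.1.50.20", 1433),  # camera -> finance database
    ("10.20.0.15", "10.20.0.16", 80),    # camera -> another camera (east-west)
]

if __name__ == "__main__":
    for src, hits in audit_flows(SAMPLE_FLOWS).items():
        for device_class, dst, port, zone in hits:
            print(f"{src} ({device_class}) -> {dst}:{port} [{zone}] not permitted")
```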
7. Supply Chain and Pre-Deployment Compromise
The most difficult IoT vulnerability to defend against post-purchase is compromise that occurs before a device is ever deployed. BadBox 2.0 demonstrated this at consumer scale: over 10 million Android-based smart TVs and streaming boxes shipped with pre-installed malware, enrolled in botnet infrastructure before the user connected them to any network. Beyond consumer hardware, firmware backdoors embedded during manufacturing have been identified in industrial and network infrastructure devices. Supply chain compromise bypasses every post-deployment security control; device inventory, network segmentation, behavioral monitoring, and credential management are all ineffective against a device that was malicious before it arrived. As governments push Secure-by-Design manufacturing requirements in 2026, supply chain integrity is emerging as both a regulatory priority and a procurement risk that organizations cannot assess without direct visibility into their vendors’ manufacturing and distribution security practices.
IoT Security Vulnerability Statistics at a Glance
| Vulnerability | Key Stat | Source |
|---|---|---|
| Default credentials | 7.4% of all IoT malicious actions are credential brute-force | Nozomi Networks, 2025 |
| Unpatched firmware | Mirai variants = ~40% of all IoT malware payloads | Zscaler ThreatLabz, 2025 |
| Unencrypted traffic | 98% of IoT device traffic transmitted in plaintext | Industry telemetry, 2025 |
| OT protocol abuse | OT protocol attacks up 84%; Modbus up 57% | Forescout, 2025 |
| Network segmentation absence | Primary escalation factor in enterprise IoT breaches | Forescout, 2025 |
| Supply chain compromise | 10M+ devices pre-infected via BadBox 2.0 | FBI / researchers, 2025 |
| Healthcare IoT breach cost | Average $10M per incident — highest of any sector | Industry reports, 2025 |
Conclusion
The data from 2025 and early 2026 does not point toward a stabilizing threat environment. It points toward one that is expanding in volume, deepening in sophistication, and broadening its reach across industries and geographies. 820,000 attacks per day. A 124% surge in IoT malware. A 459% escalation in energy sector targeting. An 861% jump in attacks against education. These are not anomalies from a single bad year; they are the output of structural conditions that have been building for over a decade and are now operating at scale.
The devices absorbing the majority of that activity (routers, IP cameras, industrial sensors, connected medical equipment) are the same devices that sit at the operational center of modern enterprises, hospitals, factories, and public infrastructure. The convergence is not coincidental. Attackers target IoT because it is consequential, because it is poorly defended, and because the dwell-time advantage it offers converts a single compromised device into months of undetected access. The sectors experiencing the steepest escalation are those where IoT adoption has outrun security investment most dramatically, and where the consequences of disruption extend beyond financial losses into physical operations and public safety.
For security and business leaders, the statistics in this report are not background context. They are the operating environment. Every organization with a network footprint almost certainly has IoT devices on or adjacent to it, devices that may not appear in any inventory, may be running firmware that has not been updated since installation, and may already be serving as footholds for activity that has not yet triggered a visible event. The question of whether an organization’s IoT environment will be targeted is settled by the volume of data. The questions that remain are whether the compromise will be detected before it propagates, whether the network architecture limits its spread, and whether the response capability exists to contain it before it becomes an operational incident.
The defensive priorities that follow from the 2025 and 2026 data are not complex. Credential hygiene eliminates the single largest attack vector. Network segmentation limits the blast radius of every compromise that occurs despite that hygiene. Behavioral monitoring compresses dwell time, the risk multiplier that converts a device-level compromise into an enterprise-wide breach. These controls do not require solving the entire IoT security problem simultaneously. They require progressively reducing the attacker’s advantage at each stage of the kill chain, starting with the stage that is currently providing the most leverage.
The connected device ecosystem will be larger in 2027 than it is today, and larger still in 2030. The attack surface is not contracting. The organizations that will navigate that environment without a catastrophic incident are those that treat IoT security as an operational discipline with measurable maturity levels and defined improvement targets, not as a compliance checkbox or a problem deferred to the next budget cycle. The 2025 statistics establish the baseline; what the 2026 data shows will depend on whether defensive investment keeps pace with the threat, or whether the gap continues to widen.