IoT’s Hidden Backdoors: Weak Passwords Expose Enterprises to Ruin

Weak passwords and subpar IoT standards expose enterprises to botnets, ransomware, and multimillion-dollar breaches, with 48.2% of device connections high-risk amid 820K daily attacks.
Written by Mike Johnson

As Internet of Things devices proliferate across corporate networks, a persistent flaw—default credentials and lax security protocols—is turning everyday gadgets into gateways for cybercriminals. Experts from IoT Insider caution that these vulnerabilities leave businesses perilously open, especially as device counts swell to nearly 20 billion online in 2025.

Many IoT gadgets arrive with factory-set logins like ‘admin/admin’ or ‘1234,’ which users rarely alter. Combined with exposed remote access and open ports, these invite brute-force assaults via automated tools. Teltonika Networks highlights how identical defaults across fleets amplify threats, echoing the Mirai botnet that weaponized insecure cameras and routers for massive DDoS strikes.

Default Credentials Fuel Botnet Armies

Forescout’s 2025 report on riskiest connected devices reveals routers topping vulnerability charts, comprising over 50% of critically exposed systems, with average device risk scores jumping 15% year-over-year to 8.98. “Cybercriminals are ditching traditional endpoints and targeting the devices that keep our hospitals, factories, governments, and businesses running,” warns CEO Barry Mainz in Industrial Cyber. New entrants like universal gateways and building management systems enable lateral movement into core operations.

Palo Alto Networks’ analysis of 27 million devices across 1,803 enterprises uncovers 32.5% operating unmanaged, including IoT like smart TVs and thermostats. Worse, 48.2% of IoT-to-IT connections stem from high-risk endpoints, often on poorly segmented networks where 77.74% fail basic isolation standards, per the 2025 Device Security Threat Report.

Vulnerability Surge Hits Critical Sectors

Weak encryption compounds the issue: 98% of IoT traffic remains readable, with encryption skipped for cost reasons, as noted in various 2025 analyses. SentinelOne lists weak authentication as the top risk, with unencrypted transmissions and outdated firmware enabling man-in-the-middle intercepts. A researcher demonstrated this on a Chinese camera, bypassing SSL validation to capture cloud-bound video, as detailed in an X thread by Matt Brown of Brown Fine Security.

Statistics paint a dire picture: 820,000 daily IoT attacks, 41% of devices clinging to weak defaults, and botnet infections up 49% year-over-year, according to CompareCheapSSL’s 2026 forecast. Industrial breaches average $4.8–$7.3 million, with manufacturing plants hit hardest at 28% incidence.

Enterprise Networks Become Hacker Playgrounds

Retail leads in average device risk, trailed by finance, government, healthcare, and manufacturing, per Forescout. IoMT devices, like infusion pumps, introduce life-threatening stakes; four new types topped 2025 risk lists. “The 2025 IoT threat landscape is defined by the industrialization of attacks against operational technology,” states Mohammed Khalil in Deepstrike.io, where ransomware surged 46%.

Outdated firmware plagues 33% of IIoT setups, with 47% of devices bearing exploitable CVEs. Unpatched flaws, like those in Apache Log4j, drew 2.7 billion exploit attempts, Palo Alto reports. Supply chain woes add layers, as vendors skimp on verification, per SentinelOne’s top 10 risks.

Attack Vectors Multiply in Shadows

Shadow IoT—unsanctioned devices—grew 41%, with 58% unmanaged in enterprises. Healthcare faces 48% attack growth, with 37% of medical devices outdated. Energy and vehicles see 37% and 33% rises, respectively. Ransomware now hits vehicles, breaching $10 million in IoMT alone.

Regulators respond: the UK’s PSTI Act bans default passwords and mandates updates, with fines of up to £10 million. Yet 36% of firms report incidents, and 28% of breaches are IoT-sparked. “IoT security is now a board-level concern, tied directly to business resilience,” Khalil adds.

Pathways to Fortified Defenses

Mitigations demand rigor: enforce password changes, require MFA, and prefer certificate-based authentication over password logins. Segment networks with VLANs and firewalls; automate OTA updates and enforce TLS 1.3 encryption. Inventory all assets and monitor them with AI for anomalies, as Teltonika urges. Zero trust verifies every connection, per CompareCheapSSL.

Forescout pushes comprehensive risk management across IT/OT/IoT, avoiding silos. Palo Alto stresses behavioral context over mere counts. SentinelOne advocates RBAC, SIEM logging, and incident drills tailored to IoT scale.
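The mitigations above (default-credential removal, MFA or certificate auth, TLS 1.3, OTA patching, segmentation, and SIEM-style monitoring) translate naturally into two defender-side checks: a policy audit of the asset inventory and a brute-force detector over device authentication logs. The following is an added example, not code from the article or from any vendor it cites; the `Device` record fields, the policy thresholds, the syslog-style line format and the sample IP addresses (from the RFC 5737 documentation ranges) are all constructed for illustration.

```python
"""IoT fleet hygiene checks: inventory policy audit plus login brute-force detection.

Added example (not from the article or any cited vendor). Inventory fields, policy
thresholds, log format and addresses are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
import re


@dataclass
class Device:
    """One asset-inventory record (constructed schema)."""
    name: str
    uses_default_creds: bool      # vendor-baseline flag: still on the factory login
    auth: str                     # "password", "password+mfa" or "certificate"
    tls_version: Optional[str]    # None means cleartext management/telemetry
    firmware_date: datetime       # build date of the running firmware
    vlan: str                     # segment the device sits on
    open_cve_count: int = 0       # unpatched, exploitable CVEs (count only)


# Constructed policy: values a fleet owner would set, not prescribed by the article.
POLICY = {"max_firmware_age_days": 365, "min_tls": (1, 3), "iot_vlan_prefix": "iot-"}


def _tls_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def audit_device(d: Device, now: datetime) -> List[str]:
    """Return policy findings for one device; an empty list means compliant."""
    findings = []
    if d.uses_default_creds:
        findings.append("factory default credentials still in use")
    if d.auth == "password":
        findings.append("password-only login: require MFA or certificate auth")
    if d.tls_version is None:
        findings.append("cleartext traffic: enforce TLS")
    elif _tls_tuple(d.tls_version) < POLICY["min_tls"]:
        findings.append(f"TLS {d.tls_version} below required 1.3")
    if (now - d.firmware_date).days > POLICY["max_firmware_age_days"]:
        findings.append("firmware older than 365 days: schedule OTA update")
    if not d.vlan.startswith(POLICY["iot_vlan_prefix"]):
        findings.append(f"not segmented: on VLAN {d.vlan!r} shared with IT")
    if d.open_cve_count:
        findings.append(f"{d.open_cve_count} unpatched CVEs")
    return findings


def audit_fleet(devices: List[Device], now: datetime) -> Dict[str, List[str]]:
    return {d.name: audit_device(d, now) for d in devices}


# Constructed syslog-style auth line: "<ts> <host> <proc>: Failed password for <user> from <src> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: Failed password for (?P<user>\S+) from (?P<src>\S+)"
)


def detect_bruteforce(lines: List[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> List[Tuple[str, str, int]]:
    """Flag (source, device, total_failures) where >= threshold failures fall in one window."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        attempts[(m["src"], m["host"])].append(ts)
    alerts = []
    for (src, host), times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, host, len(times)))
                break
    return alerts


NOW = datetime(2025, 10, 2, tzinfo=timezone.utc)
SAMPLE_FLEET = [  # constructed inventory records
    Device("cam-07", True, "password", None, datetime(2023, 5, 1, tzinfo=timezone.utc), "corp", 3),
    Device("gw-01", False, "certificate", "1.3", datetime(2025, 8, 15, tzinfo=timezone.utc), "iot-ot"),
]
SAMPLE_LOG = [  # constructed log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    "2025-10-02T03:14:01Z cam-07 sshd: Failed password for admin from 203.0.113.5 port 51234",
    "2025-10-02T03:14:03Z cam-07 sshd: Failed password for admin from 203.0.113.5 port 51235",
    "2025-10-02T03:14:05Z cam-07 sshd: Failed password for root from 203.0.113.5 port 51236",
    "2025-10-02T03:14:08Z cam-07 sshd: Failed password for admin from 203.0.113.5 port 51237",
    "2025-10-02T03:14:10Z cam-07 sshd: Failed password for user from 203.0.113.5 port 51238",
    "2025-10-02T03:30:00Z tstat-02 sshd: Failed password for admin from 198.51.100.9 port 4000",
    "2025-10-02T03:31:00Z tstat-02 sshd: Accepted publickey for ops from 198.51.100.9 port 4001",
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_FLEET, NOW).items():
        print(name, "->", findings or "compliant")
    print("brute-force alerts:", detect_bruteforce(SAMPLE_LOG))
```

In a real deployment the inventory would be fed from the discovery tooling the article describes and the log lines from the SIEM; the audit gives the segmentation and credential findings that Forescout and Palo Alto tie to device risk, while the detector surfaces the automated login guessing that turns a forgotten default password into a botnet recruit. A single lonely failure, as on `tstat-02`, stays below the threshold so that ordinary typos do not page anyone.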

Regulations Reshape Vendor Accountability

Global rules tighten: the EU Cyber Resilience Act echoes PSTI, demanding secure-by-design products. Businesses must audit suppliers and enforce contracts with security clauses. As devices hit 24 billion by 2026, proactive visibility—scanning for defaults and CVEs—becomes non-negotiable.

Costs underscore urgency: $3.5–$4.2 million per breach, $120,000 hourly downtime. Firms ignoring unmanaged IoT risk regulatory penalties up to $2 million. Transitioning to certificate auth and AI monitoring counters evolving malware, up 58% with worm-like spread.
