
Since its inception, the Internet of Things (IoT) has kept cybersecurity specialists up at night. As the world becomes increasingly connected, the nature of IoT security threats has evolved.
The statistics paint a sobering picture of our connected future: according to IBM Threat Intelligence, more than 50 percent of IoT devices have critical vulnerabilities that hackers can exploit right now, while, according to Verizon, one in every three cyber incidents involves at least one IoT device. With 820,000 hacking attempts targeting IoT devices daily (a 46 percent increase from the previous year) and 60 percent of IoT breaches happening due to outdated firmware, the threat landscape has never been more dangerous.
The financial impact is staggering. IoT security failures cost businesses an average of $330,000 per incident, while routers now represent over 50 percent of the most vulnerable devices in enterprise environments. Most concerning is that an estimated 98 percent of all IoT device traffic remains unencrypted, leaving sensitive data completely exposed to interception.
In other words, for managed service providers (MSPs), IoT can mean a lot of sleepless nights.
The persistence of legacy vulnerabilities
Paul Cronin, Co-Founder and Partner at Rootshell Security, tells SmarterMSP.com that organizational inertia drives the core of IoT’s security challenge. “Whilst there is more experience around the vulnerabilities that can be present in IoT devices, there are still a lot of them out there that have not been replaced and still have the same type of security issues that have always been present,” Cronin explains.
The “if it’s not broken, don’t fix it” mentality still plagues IoT deployments, but Cronin notes that things are slowly improving. His particular concern centers on office printers, which he describes as his “pet hate.” These devices “sit in the corner of an office, are not used as much these days, but they run an operating system which in some cases has resulted in them being exploited and used in botnets.”
This concern isn’t theoretical. Security researchers report that hackers have actively exploited recent vulnerabilities in around 750 printer models since July 2025. The problem extends beyond printers to encompass the entire ecosystem of office IoT devices that organizations often overlook in their security assessments.
Cronin highlights several critical examples from 2025, including the Badbox 2.0 malware campaign that targeted smart TVs, tablets, and smart picture frames using open-source Android variants. Meanwhile, numerous CCTV cameras have been identified with exploitable vulnerabilities, raising the question: “How often do these devices get replaced or tested?”
End-of-life Wi-Fi routers present another persistent threat. “Typical end-of-life (EOL) Wi-Fi routers from TP-Link which again may not get replaced in the office are now extremely vulnerable,” Cronin notes, referencing recent CISA alerts about critical TP-Link router flaws.
When IoT vulnerabilities strike
Founder and CEO of Project Management Training Institute, Yad Senapathy, brings two decades of Fortune 500 technology experience to bear on the IoT security problem. His perspective combines practical enterprise exposure with extensive risk management expertise gained from training over 80,000 professionals in advanced security standards.
“IoT devices have become one of the most vulnerable points of entry into office networks,” Senapathy tells Smarter MSP. “They are easy to use and lack strong default protection features, making them easy to exploit, thus becoming silent gateways to attackers.”
Senapathy recounts a particularly costly real-world incident: “One time, I explored an office network where hackers had compromised an old printer and used it as a backdoor to secretly scan the internal systems. Their breach resulted in complete access to employee credentials stored on the network and also made the company pay more than $120,000 as recovery and downtime expenses.”
The evolving nature of IoT attacks particularly concerns Senapathy. Modern threats have shifted from simple malware drops to targeting centralized IoT management dashboards that control lighting, HVAC, and access systems. “In the event that such dashboards do not have multifactor authentication (MFA) and logging, attackers can remotely assume control,” he warns.
The physical implications can be devastating. Senapathy describes a ransomware scenario where “attackers turned off badge readers and prevented access to the building until they paid a ransom. The firm had to shut down for two days, costing the company over $300,000 in lost productivity.”
Risk-based prioritization
Shankar Somasundaram, CEO at Asimily, advocates for a fundamentally different approach to IoT security, one that acknowledges the complexity of modern connected environments while providing practical solutions for overwhelmed IT teams. “The biggest IoT security threats we’re seeing this year involve attackers exploiting the security gaps between IoT devices and traditional IT security controls,” Somasundaram explains. Smart building systems encompassing HVAC controllers, lighting networks, conference room technology, and IP cameras are particularly vulnerable because “these devices often ship with default credentials and rarely receive security updates.”
Rather than attempting the impossible task of addressing every potential vulnerability, Somasundaram recommends risk-based prioritization. “Start with passive IoT device discovery to avoid disrupting operations, then segment devices based on exploit risk and business criticality.”
This approach recognizes the operational realities MSPs face. “Traditional vulnerability scanning often fails to capture the complexity of IoT environments, and many devices simply can’t withstand the load of automated scans without going offline,” he notes.
Somasundaram’s recommended strategy focuses on immediate priorities: “Focus patching efforts on internet-facing devices first, and implement automated credential rotation where possible.” This practical approach acknowledges resource constraints while addressing the highest-risk attack vectors.
Strategic action plan for MSPs
The convergence of expert perspectives points to several critical action items for MSPs managing client IoT environments:
- Inventory and assessment: Both Cronin and Senapathy emphasize the fundamental importance of knowing what devices exist on client networks. Passive discovery tools that won’t disrupt operations should be the starting point for any IoT security program.
- Segmentation strategy: All three experts recommend network segmentation as a core defensive measure. Senapathy specifically recommends “isolating IoT devices in separate VLANs” to prevent lateral movement during breaches.
- Regulatory alignment: Cronin highlights the value of incorporating CISA’s Known Exploited Vulnerabilities (KEV) catalog into regular vulnerability management processes. “Regular vulnerability management of all devices including IoT devices needs to incorporate the CISA KEV in order to alert clients of where they need to mitigate vulnerabilities.”
- Continuous monitoring: The scale of daily attacks (820,000 attempts per day) demands automated monitoring solutions that can detect anomalous behavior without requiring constant human intervention.
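The action items above (a passively gathered inventory, KEV alignment, internet-facing devices first, IoT isolated in its own VLAN) can be tied together in a small prioritization script. The following is an added illustration, not code from Smarter MSP or any of the quoted experts: the KEV excerpt mirrors the field names of CISA's real JSON feed but its CVE ids and vendor names are placeholders, and the inventory fields (`internet_facing`, `vlan`, `criticality`) are assumed to come from a hypothetical discovery tool export.

```python
import json

# Constructed excerpt in the shape of CISA's KEV JSON feed (vulnerabilities[] with
# cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse).
# CVE ids and vendor/product names are placeholders, not real catalog entries.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-0000-00001", "vendorProject": "ExampleNet", "product": "Router-X",
  "dueDate": "2025-08-01", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-00002", "vendorProject": "ExamplePrint", "product": "Office-MFP",
  "dueDate": "2025-09-15", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-00003", "vendorProject": "ExampleCam", "product": "IPCam-200",
  "dueDate": "2025-10-01", "knownRansomwareCampaignUse": "Unknown"}]}"""

# Constructed inventory, as a passive-discovery tool might export it (hypothetical fields).
INVENTORY = [
 {"host": "10.0.1.1", "vendor": "ExampleNet", "product": "Router-X", "internet_facing": True, "vlan": "infra", "criticality": 3},
 {"host": "10.0.2.20", "vendor": "ExamplePrint", "product": "Office-MFP", "internet_facing": False, "vlan": "users", "criticality": 1},
 {"host": "10.0.3.5", "vendor": "ExampleCam", "product": "IPCam-200", "internet_facing": False, "vlan": "iot", "criticality": 2},
 {"host": "10.0.3.9", "vendor": "ExampleHVAC", "product": "Thermo-1", "internet_facing": False, "vlan": "iot", "criticality": 3},
]

def load_kev(raw):
    """Index KEV entries by lower-cased (vendor, product) so inventory rows can be matched."""
    idx = {}
    for v in json.loads(raw)["vulnerabilities"]:
        idx.setdefault((v["vendorProject"].lower(), v["product"].lower()), []).append(v)
    return idx

def rank_key(device, entries):
    """Sort key: internet-facing first, then known ransomware use, business criticality, KEV hit count."""
    ransomware = any(e.get("knownRansomwareCampaignUse") == "Known" for e in entries)
    return (device["internet_facing"], ransomware, device["criticality"], len(entries))

def prioritize(inventory, kev_json=KEV_JSON):
    """Return devices with KEV-listed flaws, most urgent first, flagging IoT still on the user VLAN."""
    kev = load_kev(kev_json)
    findings = []
    for d in inventory:
        entries = kev.get((d["vendor"].lower(), d["product"].lower()))
        if not entries:
            continue  # not on KEV: patch on the normal cycle, not an escalation item
        findings.append({
            "host": d["host"], "product": d["product"],
            "cves": [e["cveID"] for e in entries],
            "earliest_due": min(e["dueDate"] for e in entries),  # ISO dates sort lexically
            "needs_segmentation": d["vlan"] == "users",  # IoT sharing the user VLAN
            "_key": rank_key(d, entries),
        })
    findings.sort(key=lambda f: f["_key"], reverse=True)
    return findings

if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        print(f["host"], f["product"], f["cves"], "due", f["earliest_due"], "segment:", f["needs_segmentation"])
```

Devices absent from the KEV catalog (the HVAC controller here) are deliberately left out of the escalation list so the output stays short enough to act on; they still belong in the routine patch cycle.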
For MSPs, staying ahead of IoT threats means shifting from reactive fixes to smart, proactive defense. That starts with knowing what’s on the network, segmenting devices, and keeping a close eye on the most vulnerable spots. IoT might be a headache today, but with the right strategy, it doesn’t have to be.
This post originally appeared on Smarter MSP.