Internet of Things (IoT) devices are everywhere, from smart cameras in our offices to sensors on factory floors. While this connectivity promises efficiency, it also dramatically expands our attack surface. Far too many IoT devices are built with minimal security, turning them into easy targets for malware, ransomware and botnets.
Take the alarming case of the BADBOX 2.0 botnet, which, in 2025, infected over a million low-cost Android devices like smart TVs. Many of these devices come with preinstalled malware or are compromised through malicious apps.
This botnet then controls these devices to create residential proxy networks, exploited by cybercriminals for ad fraud, credential stuffing and other illicit activities, all while masking their true origins. Despite disruption efforts, BADBOX 2.0 remains active in over 220 countries. This isn't just a consumer problem; when these uncertified devices connect to corporate networks, they become a significant enterprise liability, putting entire organizations at risk.
Security teams must develop in-depth strategies to tackle growing IoT risks, from procurement to policy development.
Procurement Must Be the Control Plane
Those cheap, connected gadgets infiltrating our networks are not just convenient; they're dangerous. The FBI warns that compromised IoT gear is being abused at scale, even on home and small office networks used for work.
If a vendor can't verify how their updates are signed, detail what's inside the box, or demonstrate accountability for security, that device has no place on your network. It's time to make procurement your unwavering first line of defense.
Stop blindly purchasing opaque hardware. Demand verifiable updates, transparent software bills of materials and accountable support. Allowing uncertified devices onto your work or hybrid home networks isn't just a lapse in judgment; it's an open invitation for criminal activity to flourish in your environment.
Securing the Supply Chain
Inexpensive third-party IoT devices, often with default passwords and unknown components, are ideal for botnet operators and a security team's nightmare. Organizations must treat these devices like any high-risk supplier: define security requirements, validate devices in a lab before purchase and include robust security clauses in contracts, following US National Institute of Standards and Technology (NIST) guidance.
Non-Negotiables for IoT Security
Organizations rely on IoT, but third-party risk is often overlooked. Expect these baseline controls from every vendor:
- Unique device identity: Each device must possess a secure, unchangeable identity for authentication from the initial power on
- Secure & verified updates: Firmware updates need to be secure, thoroughly verified and transparent to prevent system compromises from faulty updates
- Constant identity verification: Devices should continuously authenticate their identity using short-term, rotating credentials
- Eliminate backdoors & default credentials: Default passwords and hidden vendor access are unacceptable. Strong, unique credentials are a fundamental security requirement
- Full software transparency: Vendors are required to provide a comprehensive list of all software components, including any known vulnerabilities
- User control over data: Organizations must be able to manage how and where their device data is transmitted, retaining ultimate control
- Controlled remote access: Any remote access by vendors must be strictly controlled, time limited and fully audited to mitigate significant security risks
- Tamper proof logging: Device logs pertaining to updates, administrative actions and security events must be tamper proof and easily accessible for effective incident response
- Comprehensive lifecycle management: Vendors must commit to support, patch agreements and provide a secure decommissioning process for devices to avoid future vulnerabilities
Each of these items aligns directly with the NIST requirement catalog, providing a strong framework for action. If a vendor cannot meet these fundamental security demands, the device simply should not be onboarded.
Strong Network Guardrails
Proactively secure your network from third-party IoT devices by isolating them, conducting background checks, controlling data transmission, monitoring for unusual activity and unapproved software and performing regular security audits. Remove access and sensitive data when devices are no longer needed. These steps create repeatable processes to significantly reduce risk.
Leverage Policy Momentum
Leverage the growing global focus on IoT security. The UK’s Product Security and Telecommunications Infrastructure (PSTI) Act has banned universal default passwords and requires clear vulnerability reporting and update timelines for consumer devices.
The EU's Cyber Resilience Act sets cybersecurity rules for digital products, with specific standards being developed for compliance. This is a golden opportunity to strengthen your contracts. Ask vendors how they're complying and insist on verifiable proof.
Verify Before After Deployment
To address third-party IoT risks, implement robust vendor due diligence by seeking independent penetration test and security audit reports. Verify secure boot and tamper protections, looking for hardware root of trust and encrypted storage.
Post deployment, ensure secure over-the-air updates with cryptographic signing and verification, and utilize logging for incident response and rollback protection to prevent firmware downgrades. Automate decommissioning through integration with asset management or device management platforms to remotely wipe and disable devices, mitigating shadow IT and unpatched attack vectors.
Healthcare Has Higher Stakes
In healthcare, compromised IoT devices pose immense risks, from exposing patient data to crippling operations. Hospitals must demand rigorous proof from vendors, ensuring adherence to FDA guidelines on secure design, comprehensive SBOMs, guaranteed updateability, thorough logging and detailed documentation.
Leveraging 405(d) resources helps translate complex security controls into clear, patient-safety language, empowering leadership to make informed decisions. Signed evidence is vital for verification, auditing, and maintaining trust, particularly in patient well-being, as highlighted by the US Food and Drug Administration.
Show Success at Your Next Audit
Conquering the growing risks of third-party IoT devices isn't just good practice; it's essential before your next audit. Imagine a future where uncertified devices are automatically blocked and contracts demand secure updates, clear support lifespans and rigorous verification.
Your networks will intelligently segment these devices, with monitoring systems flagging any suspicious activity. This comprehensive strategy eliminates botnet risk and legal exposure without hindering critical services.
The IoT risk isn't a mystery, it's a purchasing decision. Just demanding auditable updates, transparent support and signed attestations help transform third-party IoT devices from liabilities into powerful assets.