August 29, 2025 at 8:04 PM • Max Knyazev is typing… • Telegram mirror
When we buy IoT devices, we mostly think about how convenient they are: turning on a smart light bulb through Alice, or something like that. We certainly don't think about how they get hacked. And that's a mistake, because attackers think about it with enviable regularity.
The most popular IoT hacking methods in 2025? Come on, let's go.
1️⃣ The first hole is weak and default passwords. The story is as old as time. Devices still live with the login admin and the password 1234. This is exactly how the Mirai botnet was born: it scanned the network, found cameras and DVRs with default credentials, and enlisted them in its army for DDoS. A classic of the genre, and it still works (and, most likely, will keep working for a very long time).

2️⃣ The second problem is firmware and updates. Many devices either are not updated at all, or are updated "over the air" without encryption or signature verification. This means that the firmware can be replaced.

3️⃣ The third story is web interfaces. Many IoT devices have some kind of GUI for management, but it is often thrown together in a hurry. XSS, SQL injection, and RCE have all been found in them. Recall the Ring camera scandals, when attackers guessed passwords and connected to home cameras, scaring children with voice messages.

4️⃣ The fourth direction is attacks on protocols. A lot of personal devices transmit data via Bluetooth Low Energy (aka our beloved BLE), but not all of them implement authentication and encryption. Recall the hacks of Tesla and other manufacturers through BLE vulnerabilities. It is enough to intercept or fake a signal, and the door is open. Wi-Fi is the same story: weak WPA2, open access points, sometimes with no password at all.

5️⃣ Fifth: supply chain attacks. The device may arrive with a backdoor from the factory. Or the firmware will contain a vulnerable library (or API) that no one updated, so the vulnerability was never fixed. This means that sometimes you don't even need to hack anything, just use the hole that the manufacturer left.

6️⃣ And finally, physical access. IoT devices are often in plain sight. UART interfaces, flash chips, JTAG: all of this can be reached, and the firmware can be pulled out directly. Those who like to play with a soldering iron will find freedom here (someday I'll tell you how to get the firmware out and what the nuances are).
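Item 2️⃣ says an update that is not signature-checked lets the firmware be replaced; the check a device should run before flashing looks like the sketch below. This is an added example, not code from the original post: the `Manifest` layout, the function names and the choice of Ed25519 are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor shipped next to the image.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte // SHA-256 of the firmware image
	Signature []byte   // Ed25519 signature over Version || ImageHash
}

// signedBytes is the exact byte string the vendor signs.
func signedBytes(m Manifest) []byte {
	b := []byte{byte(m.Version >> 24), byte(m.Version >> 16), byte(m.Version >> 8), byte(m.Version)}
	return append(b, m.ImageHash[:]...)
}

// SignManifest is the vendor-side step (build server, never on the device).
func SignManifest(priv ed25519.PrivateKey, version uint32, image []byte) Manifest {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// VerifyUpdate returns nil only if the manifest was signed by the vendor key
// baked into the device and the received image matches the signed hash.
func VerifyUpdate(vendorKey ed25519.PublicKey, m Manifest, image []byte) error {
	if !ed25519.Verify(vendorKey, signedBytes(m), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image does not match signed hash")
	}
	return nil
}

// demoKeys generates a throwaway key pair for this example only.
func demoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil means crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := demoKeys()
	image := []byte("constructed firmware image v2") // constructed sample data
	m := SignManifest(priv, 2, image)
	fmt.Println("genuine:", VerifyUpdate(pub, m, image))
	fmt.Println("modified:", VerifyUpdate(pub, m, append([]byte("x"), image...)))
}
```

The device holds only the public key, so an image changed in transit, or a manifest re-signed with any other key, is rejected before anything is written to flash.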
What do all these attacks have in common? They don't require any particularly professional skills. Many toolkits were packaged long ago and are publicly available. So IoT gets broken not only by hackers, but also by those who simply know how to read the manual for ready-made exploits.
At the beginning of the post, I mentioned that these are the most popular attacks in 2025. And I didn't lie, but the point is that these attacks were popular in 2024, and in 2023, and in 2022, and in ... well, you get the idea. Years go by, but little changes in this direction. There will be no conclusion, because it is a sad one.
#information_security
#internet_things