As we enter the second half of 2025, the connected-device ecosystem has hit unprecedented scale. Worldwide, nearly 19 billion IoT devices — everything from factory sensors to wearables — are now in operation, up from about 16 billion just two years ago. Spending on IoT is forecast to surge from $280 billion in 2024 to over $721 billion by 2030, reflecting how essential these devices have become to modern enterprises.
However, this massive growth brings risk. IoT devices, often built with minimal security hardening, now account for a sharply rising share of cyberattacks. In early 2024 alone, attacks on IoT endpoints jumped 107% year-over-year, with average attacks lasting more than 52 hours per week. In many cases, attackers use these endpoints as an easy foothold to move deeper into the corporate network, exploiting them as launchpads for ransomware, data theft or even operational sabotage.
The consequences can be staggering: breaches involving IoT systems are far more likely to cost between $5–10 million per incident compared to traditional IT incidents, and industrial IoT compromises can even lead to physical safety hazards or environmental damage. According to recent research, one in three global data breaches now involves an IoT device.
For technology leaders, the key message is clear: connected devices are not fringe IT anymore — they are business-critical systems that demand robust, modern security. Here’s what the latest research shows about top threats, emerging attack patterns and lessons learned from real-world breaches.
Top IoT Security Threats Shaping 2025
- IoT Botnets & Distributed Attacks (DDoS): IoT botnets remain a dominant threat, where millions of poorly secured devices — including cameras, routers and sensors — are infected with malware to form massive attack networks. The infamous Mirai botnet showed how quickly this can escalate, and new variants like the 2024 “Matrix” campaign continue to weaponize default or hardcoded credentials. About 35% of global DDoS attacks today originate from IoT botnets, capable of taking down corporate websites, partner systems, or even public infrastructure with terabit-scale floods of malicious traffic.
- Weak Authentication & Device Hijacking: Default passwords and weak credentials are still far too common. Shockingly, one in five IoT devices continues to ship with factory-default login settings. This makes them trivially easy to hijack for spying, data theft or even direct sabotage. For example, researchers found thousands of exposed IP cameras still using default passwords, enabling attackers to view live video or listen to audio feeds. Once hijacked, devices can serve as entry points for broader attacks against IT and operational technology (OT) networks.
- Insecure Interfaces & Unencrypted Protocols: Many IoT platforms expose poorly secured web dashboards, cloud APIs, or use legacy protocols like MQTT, CoAP or Modbus without proper encryption or authentication. Threat actors can exploit these to intercept data, tamper with commands or inject malicious code. A notable case was the Oldsmar water treatment attack in 2021, where insecure remote-access software let an attacker attempt to poison the water supply by altering chemical levels. This highlights the critical need to secure every interface and encrypt all device communications.
- Unpatched Vulnerabilities & Firmware Exploits: IoT devices are notoriously slow to patch, often because they lack automated update mechanisms or require manual intervention. In 2024, attackers continued to exploit CVE-2023-1389, a known command-injection flaw in TP-Link routers, affecting over 21% of SMBs. Since IoT firmware can linger unpatched for years, adversaries routinely scan for these weaknesses and gain remote code execution, effectively taking over devices for data exfiltration, espionage or sabotage.
- Ransomware in IoT/OT Systems: The ransomware threat has evolved beyond traditional endpoints to cripple IoT and OT networks. Ransomware gangs increasingly encrypt connected controllers, building systems and industrial HMIs, sometimes even “bricking” devices or corrupting firmware as part of extortion tactics. Healthcare has been hit especially hard: 75% of connected medical devices run outdated OSes, leading to average breach costs of $10 million and dangerous service outages. Downtime from these incidents averages 6.5 hours, which can be catastrophic in critical industries.
- Lateral Movement via Compromised IoT: IoT devices are often poorly segmented from other enterprise systems. Once compromised, these devices can be used as pivot points to access internal servers, databases or cloud applications. Because many security teams still lack full IoT visibility or adequate endpoint detection, attackers can quietly use an IoT camera or sensor as a springboard for deeper intrusions. Forrester data showed 34% of IoT-involved breaches cost between $5–10 million, a stark reminder of the potential scale of damage.
- Supply Chain Compromises: Adversaries have increasingly turned to compromising devices before they ever reach the customer. Hardware backdoors, tampered firmware injected during manufacturing or malicious code inserted into open-source components can create persistent, hard-to-detect threats. A prime example is the XZ Backdoor discovered in early 2024, which affected popular Linux-based IoT software and risked enabling remote code execution across thousands of deployments. These supply chain exploits can undermine even the most security-conscious enterprise.
- Cyber-Physical OT Sabotage: Cyber-physical attacks are no longer theoretical. In industrial and utility environments, state-sponsored or advanced attackers have proven willing to cross the line from cyber disruption to physical harm. For instance, attackers breached an Israeli water treatment plant in 2020 and attempted to alter chemical levels to dangerous amounts. Analysts warn that by 2025, attackers could use IoT-based industrial controls to cause human casualties, not just financial loss.
- AI-Driven Attacks & Sensor Data Deepfakes: In 2025, adversaries are deploying artificial intelligence to automate vulnerability scanning, adapt malware on the fly and develop deepfake data streams. For example, AI-generated voice commands can trick voice-controlled devices, while “digital twin deepfakes” could produce extremely realistic but false sensor readings to sabotage industrial systems. These attacks are harder to detect because they blend in with normal patterns, fooling both humans and legacy security tools.
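The lateral-movement pattern described above (a camera or sensor used as a pivot into servers) is one of the easier ones to catch when flow records from the IoT segment are baselined. The Go program below is an added example, not code from the article or from any vendor product: it learns which (source, destination, port) tuples an IoT VLAN produces under normal operation, then flags any flow that reaches an assumed server segment (10.20.0.0/16, a policy violation regardless of baseline) or that a device never opened while learning (an anomaly). The address plan and flow lines are constructed for the example.

```go
package main

import (
	"net/netip"
	"strings"
)

// Constructed flow export, one connection per line: "<src> <dst> <dstport>". Assumed layout:
// 10.30.0.0/16 is the IoT VLAN (MQTT broker at .0.10, NTP at .0.2, devices at .1.x);
// 10.20.0.0/16 is the server segment that IoT devices must never initiate connections to.
const baselineFlows = `10.30.1.5 10.30.0.10 1883
10.30.1.5 10.30.0.2 123
10.30.1.7 10.30.0.10 1883
10.30.1.7 203.0.113.9 443`

var serverSegment = netip.MustParsePrefix("10.20.0.0/16")

// Detector keeps the (src, dst, port) tuples observed during the learning window.
type Detector struct{ seen map[string]bool }

// NewDetector learns a baseline from the flows a segment produces under normal operation.
func NewDetector(baseline string) *Detector {
	d := &Detector{seen: map[string]bool{}}
	for _, line := range strings.Split(baseline, "\n") {
		d.seen[strings.Join(strings.Fields(line), " ")] = true
	}
	return d
}

// Check classifies one flow record. A policy alert fires whenever an IoT device reaches the
// server segment, baseline or not; an anomaly alert fires when a device opens a (dst, port)
// pair it never used while learning, which is how a pivot from a camera to a peer shows up.
func (d *Detector) Check(line string) string {
	f := strings.Fields(line)
	if len(f) != 3 {
		return "malformed"
	}
	dst, err := netip.ParseAddr(f[1])
	if err != nil {
		return "malformed"
	}
	if serverSegment.Contains(dst) {
		return "policy: " + f[0] + " contacted server segment " + f[1] + ":" + f[2]
	}
	if !d.seen[strings.Join(f, " ")] {
		return "anomaly: " + f[0] + " opened new destination " + f[1] + ":" + f[2]
	}
	return "ok"
}
```

In production the baseline would be keyed per device model rather than per address, and the policy list would come from the segmentation design, but the two checks stay the same.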
Lessons From High-Profile Incidents
Casino Fish-Tank Thermostat Breach (2017)
In a widely publicized case, attackers infiltrated a U.S. casino network through a connected thermostat controlling a decorative fish tank. The device used default credentials and sat on the same network segment as the casino’s high-roller database, allowing adversaries to pivot from the thermostat to exfiltrate over 10GB of sensitive VIP data.
Business consequences:
- Significant reputational damage and negative press coverage
- Regulatory exposure for mishandled customer data
- Unplanned incident response and forensic costs estimated in the hundreds of thousands
Key lessons learned:
- Never trust default passwords — enforce strong, unique credentials for every device
- Segregate IoT devices from sensitive networks
- Maintain a real-time inventory of every connected device
Oldsmar Water Treatment Facility Attack (2021)
In 2021, a Florida water treatment facility’s HMI was remotely compromised by an attacker who attempted to spike sodium hydroxide levels to dangerous concentrations. The attack exploited insecure remote-access software lacking proper multi-factor authentication. A vigilant operator noticed the change and reversed it in time, averting a public safety crisis.
Business consequences:
- Emergency response costs and state-level investigation
- Heightened regulatory scrutiny and mandatory upgrades to remote-access controls
- Loss of community trust in municipal water safety
Key lessons learned:
- Critical systems must enforce MFA for any remote access
- Safety controllers and industrial systems should be physically or logically isolated from general IT traffic
- Real-time monitoring of command changes is critical
Hospital IoT Ransomware Attack (2024)
In mid-2024, a major U.S. healthcare network suffered a ransomware breach originating from a phishing email. The attackers moved laterally into connected medical IoT — including infusion pumps and patient monitors — many of which ran outdated, unpatchable operating systems. The result: encrypted clinical systems, delayed care, and forced manual operations for hours.
Business consequences:
- Disrupted medical services, delaying emergency care and elective procedures
- Over $10 million in recovery costs, including ransomware negotiations, lost revenue, and regulatory fines under HIPAA
- Long-term reputational damage with patients and partners
Key lessons learned:
- Proactively inventory and patch all medical IoT — or segment legacy devices that cannot be updated
- Include IoT/OT devices in the organization’s incident response playbooks
- Use micro-segmentation to wall off critical care devices from standard IT assets
Building a Resilient IoT Security Posture for the Rest of 2025
This is a pivotal time for enterprises to harden IoT security with a defense-in-depth approach grounded in these best practices:
- Zero Trust for IoT: Treat every connected device as untrusted until it proves its identity, with short-lived certificates, strong authentication and micro-segmentation to contain breaches.
- Secure Provisioning & Updates: Leverage secure boot, hardware roots of trust and certificate-based onboarding to eliminate default credentials, combined with cryptographically signed over-the-air updates to keep devices patched and verifiable.
- Encryption & Segmentation: Enforce TLS 1.3 or stronger encryption from device to cloud and segment IoT traffic using VLANs, micro-segmentation or zero-trust gateways to prevent lateral movement.
- Intelligent Threat Detection: Use AI/ML-based anomaly detection to learn normal device behaviors and rapidly identify deviations, feeding automated response actions through your SIEM or SOAR platforms.
- Preparedness & Supply Chain Controls: Extend incident response playbooks to cover IoT/OT scenarios and rigorously vet your IoT vendors for secure development practices, trusted software bills of materials and signed firmware.
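The "Secure Provisioning & Updates" practice hinges on the device refusing any image that is not signed by the vendor and newer than what it already runs. The Go code below is an added example, not the article's code or any vendor's real update format: it verifies an assumed manifest layout (model, monotonic version, image digest) with Ed25519 against a public key pinned in the root of trust, enforces anti-rollback, and only then checks the downloaded image's digest. SignManifest is the vendor-side step, included only so the example runs end to end.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Manifest describes one OTA image. The vendor signs it offline; the matching public key
// is pinned in the device's root of trust. The layout is assumed for this example.
type Manifest struct {
	Model       string   // device model the image targets
	Version     uint32   // monotonic counter, compared against the installed version
	ImageSHA256 [32]byte // digest of the firmware image this manifest covers
	Signature   []byte   // Ed25519 signature over signedBytes()
}

// signedBytes is the canonical byte string that is signed and later verified.
// The NUL delimiter keeps the model string from running into the version field.
func (m Manifest) signedBytes() []byte {
	b := append([]byte(m.Model), 0)
	b = binary.BigEndian.AppendUint32(b, m.Version)
	return append(b, m.ImageSHA256[:]...)
}

// VerifyUpdate runs on the device before anything is written to flash. The signature is
// checked first so unsigned data never drives the model or anti-rollback decisions; the
// image digest comes last, after the (possibly large) download has completed.
func VerifyUpdate(pub ed25519.PublicKey, model string, installed uint32, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, m.signedBytes(), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	if m.Model != model {
		return errors.New("manifest targets a different device model")
	}
	if m.Version <= installed {
		return errors.New("rollback: manifest version is not newer than installed")
	}
	if sha256.Sum256(image) != m.ImageSHA256 {
		return errors.New("image digest does not match manifest")
	}
	return nil
}

// SignManifest is the vendor-side step, included only so the example runs end to end.
func SignManifest(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}
```

On a real device the installed version counter must itself live in tamper-resistant storage, otherwise the anti-rollback check can be bypassed by resetting it.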
Bringing It All Together
An effective enterprise IoT security program will combine these patterns into a layered defense:
- Trusted Onboarding using hardware root of trust and certificate-based provisioning.
- Encryption Everywhere to protect data in flight and at rest.
- Robust OTA Updates to keep devices patched and resilient.
- Network Isolation and Zero Trust to limit lateral movement.
- Intelligent Monitoring powered by AI to detect subtle or novel threats.
Looking Ahead
As IoT adoption grows, the cost of ignoring IoT security grows too. This is no longer a “nice to have” but a core business continuity and safety priority.
Whatever your industry, the call to action is clear:
- Treat IoT as critical infrastructure
- Integrate IoT security into your broader cybersecurity governance
- Modernize your defenses with automation, AI and zero trust
GAP is ready to help you navigate these challenges and build a 2025-ready IoT security strategy. Let’s connect to secure the things that matter most.
Want to go further?
As IoT surpasses 19 billion devices in 2025, traditional security approaches are failing to keep pace — with one in three breaches now involving an IoT endpoint. The recent article “The New Rules of IoT Security: Building Resilience for 2025” unpacks why IoT demands a new playbook, explores sector-specific defenses, and shows how AI and zero trust can build true resilience.
Read the full article to future-proof your IoT security strategy.