In 2017, hackers breached a North American casino through a networked thermometer in the lobby fish tank. Intended to regulate water temperature, the smart sensor became a gateway into the casino’s internal systems. [1]
Right now, your baby monitor may still use the default password, the same as an estimated 2.3 million other devices worldwide. Strangers could be watching your child sleep.
In Cyberwar, Constanze Kurz and Frank Rieger describe a fictional scenario where smart TVs, thermostats, and industrial machines around the world begin transmitting data to unknown servers at 5:45 a.m. Within hours, hospitals fail, traffic halts, and economies freeze.
While fictional, this scenario illustrates IoT security risks and what could happen if we fail to take cybersecurity seriously. [2] In 2007, Estonia faced a barrage of distributed denial of service (DDoS) attacks that crippled government systems, banks, and media. More recently, in 2024, a faulty software update from cybersecurity firm CrowdStrike caused worldwide disruptions across hospitals, airports, and public infrastructure. Although that incident was an IT failure rather than a cyberattack, it illustrates how critical systems running on interconnected, vulnerable platforms can fail in cascades.
Today, with billions of Internet of Things (IoT) devices deployed globally, the stakes are exponentially higher. From smart cities to connected healthcare, IoT promises tremendous benefits but introduces unprecedented security challenges.
This analysis explores two fundamental concerns. First, how seemingly minor vulnerabilities in individual devices can cascade into systemic risks, threatening national security, digital rights, and democratic sovereignty. Second, how the deep integration of IoT into essential services has begun to eliminate meaningful user choice. When smart meters are mandatory and medical devices rely on constant connectivity, opting out of insecure systems becomes equivalent to opting out of modern life. This raises a critical question: what does digital peace mean in a world shaped by escalating IoT security risks, where everything is connected but not secured?
The implications extend far beyond technical vulnerabilities to fundamental questions about security, privacy, and democratic sovereignty in an interconnected age, questions that demand urgent answers before the real 5:45 a.m. arrives.
Connected but Insecure: The Rise of IoT Security Risks
The Internet of Things encompasses a vast ecosystem of connected devices: from consumer products like smart speakers and wearables to industrial sensors, medical equipment, and critical infrastructure components. By 2025, estimates suggest over 75 billion IoT devices will be operational worldwide, transforming how we live, work, and govern. [3]
This explosive growth is driven by compelling benefits: efficiency gains, improved decision-making through data analytics, enhanced quality of life, and new economic opportunities. However, the rush to market has prioritised functionality and cost-effectiveness over security and privacy.
The development cycle for IoT devices typically emphasises speed and features rather than robust security measures. Many manufacturers operate on razor-thin margins, viewing comprehensive security testing as an expensive luxury rather than a necessity. As CybelAngel (2025) notes, “The economics of IoT manufacturing often incentivize getting products to market quickly rather than securely.” [4]
This creates a fundamental tension between innovation and safety. While rapid deployment accelerates benefits, it also distributes vulnerabilities at an unprecedented scale. The result is a digital ecosystem defined by widespread IoT security risks, where insecurity is not an exception but the norm, a foundation upon which we are building increasingly critical systems.
Realizing IoT’s Potential in Urban Environments
Despite these security concerns, the potential benefits of IoT deployment remain compelling, particularly in urban environments. IoT and other information and communication technologies (ICT) offer powerful tools for addressing complex sustainability and resilience challenges in rapidly urbanising environments. Smart city applications typically operate across five core domains: data analytics, IoT infrastructure, urban mobility, energy management, and citizen engagement. [5]
When deployed responsibly, IoT-enabled platforms can help cities manage traffic congestion, respond to disasters, reduce environmental degradation, and strengthen civic participation. By enabling more efficient use of resources, lowering emissions, and enhancing the responsiveness of public services, IoT technologies contribute to both environmental and social sustainability, provided that inclusion, equity, and data rights are not overlooked in the process. [6] However, realizing these transformative smart city benefits is impossible without first addressing the fundamental security challenges that plague IoT development, challenges that run deeper than many realize.
Built to Be Broken: Insecurity by Design
The security risks in IoT ecosystems stem from fundamental design and economic choices rather than mere oversight. Three critical problems stand out:
First, many devices ship with outdated software and default credentials. A 2025 analysis found that 67% of consumer IoT devices use default or easily guessable passwords, with 41% unable to receive security updates. [7] These devices become permanent liabilities in our networks, ticking time bombs of vulnerability that cannot be remediated even after flaws are discovered. As SentinelOne (2025) reports, “A lot of manufacturers ship with the same default password, ‘admin’ or even ‘12345’. Those default credentials are often found in device manuals that are publicly available online, making them easy for attackers to exploit.”
Second, many IoT devices have limited capacity for users to update or patch vulnerabilities. Unlike computers or smartphones, which regularly receive security updates, IoT devices often lack update mechanisms entirely or make the process prohibitively complex for average users. A study by the European Union Agency for Cybersecurity (ENISA) found that 48% of IoT devices cannot be updated securely, if at all. [8]
Third, IoT devices routinely share massive amounts of data with third-party providers, often without meaningful consent from users. This data collection extends far beyond what’s necessary for device functionality, creating privacy risks and expanding attack surfaces. The data often travels unencrypted across networks and is stored with minimal protection, creating multiple points of vulnerability. Emerging quantum technology could soon render today’s encryption obsolete, further escalating the urgency of secure-by-design IoT architectures.
These problems aren’t accidental; they’re embedded in the economic and regulatory design of the IoT ecosystem. Manufacturers face few consequences for security failures while bearing significant costs for implementing proper security measures. The result is a market flooded with fundamentally insecure devices that connect to our most sensitive systems. Security-by-design may raise upfront costs, but the cost of failing to build it in is catastrophically high.
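The three problems above (default or shared credentials, no secure update path, and data leaving the device without encryption or consent) are exactly what a defender should be checking a device inventory for. The script below is an added example written for this article, not code from the original or from any vendor cited here. It assumes a simple inventory schema (the `update_mechanism` and `telemetry_transport` field values are assumptions), and the sample fleet is constructed data, not real devices. Beyond the per-device checks the text describes, it also flags a credential that is unique to the fleet but reused across several devices, which is the “same password on every unit” pattern the SentinelOne quote refers to.

```python
"""Audit a device inventory for the 'insecurity by design' problems discussed above.

Added example; inventory schema and sample fleet are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field

# Common factory defaults; 'admin' and '12345' are the two the article quotes.
DEFAULT_CREDENTIALS = {"admin", "12345", "1234", "password", "root", ""}


@dataclass
class Device:
    device_id: str
    model: str
    password: str
    update_mechanism: str       # assumed values: "signed-auto", "manual", "none"
    telemetry_transport: str    # assumed values: "tls", "plaintext"
    third_party_endpoints: list = field(default_factory=list)


@dataclass
class Finding:
    device_id: str
    severity: str   # "critical", "high", or "medium"
    issue: str


def audit_device(dev: Device, shared_passwords: set) -> list:
    """Return findings for one device; shared_passwords is computed fleet-wide."""
    findings = []

    # Problem 1: default credentials, or a credential reused across the fleet.
    if dev.password.lower() in DEFAULT_CREDENTIALS:
        findings.append(Finding(dev.device_id, "critical",
                                f"factory default credential '{dev.password}'"))
    elif dev.password in shared_passwords:
        findings.append(Finding(dev.device_id, "high",
                                "credential shared with other devices in the fleet"))

    # Problem 2: no way to remediate a flaw once it is found.
    if dev.update_mechanism == "none":
        findings.append(Finding(dev.device_id, "critical",
                                "no update mechanism: vulnerabilities cannot be remediated"))
    elif dev.update_mechanism == "manual":
        findings.append(Finding(dev.device_id, "medium",
                                "manual updates only: patches likely to lag"))

    # Problem 3: data leaving the device unencrypted, or going to third parties.
    if dev.telemetry_transport != "tls":
        findings.append(Finding(dev.device_id, "high",
                                "telemetry sent without transport encryption"))
    if dev.third_party_endpoints:
        findings.append(Finding(dev.device_id, "medium",
                                f"data shared with {len(dev.third_party_endpoints)} "
                                f"third-party endpoint(s): {', '.join(dev.third_party_endpoints)}"))
    return findings


def audit_fleet(devices: list) -> list:
    """Audit every device; a password seen on more than one device counts as shared."""
    counts = Counter(d.password for d in devices)
    shared = {pw for pw, n in counts.items() if n > 1}
    findings = []
    for dev in devices:
        findings.extend(audit_device(dev, shared))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'critical': 4, 'high': 4, 'medium': 3}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample inventory: two cameras still on the factory default, one
# thermometer that can only be patched by hand, and two meters sharing a password.
SAMPLE_FLEET = [
    Device("cam-01", "lobby-camera", "admin", "none", "plaintext", ["analytics.example"]),
    Device("cam-02", "lobby-camera", "admin", "none", "plaintext", ["analytics.example"]),
    Device("therm-07", "tank-thermometer", "Xk9#pL2v", "manual", "tls"),
    Device("meter-12", "smart-meter", "Qw7!zR4m", "signed-auto", "tls"),
    Device("meter-13", "smart-meter", "Qw7!zR4m", "signed-auto", "tls"),
]

if __name__ == "__main__":
    results = audit_fleet(SAMPLE_FLEET)
    for f in sorted(results, key=lambda f: (f.severity, f.device_id)):
        print(f"[{f.severity:8}] {f.device_id}: {f.issue}")
    print("summary:", summarize(results))
```

The fleet-wide pass matters because a per-device check cannot tell that `meter-12` and `meter-13` share one credential; only the aggregate view exposes that a compromise of one unit hands over the other. In a real deployment the inventory would come from an asset database or a network scan rather than a literal list, and the default-credential set should be replaced with the vendor's documented defaults for each model.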
When Cyberwar Comes Home
The security implications of vulnerable IoT extend far beyond individual privacy concerns to matters of national security and democratic sovereignty. Insecure devices can become powerful tools for cyberwarfare and hybrid threats. Distributed Denial of Service (DDoS) attacks represent one of the most common weaponisations of IoT. By compromising thousands or millions of devices, attackers create massive botnets capable of overwhelming critical digital infrastructure. In early 2025, researchers identified an IoT botnet that had compromised over 86,000 devices and was being used for large-scale DDoS attacks against telecommunications providers and financial institutions. [9]
These attacks have evolved beyond mere disruption to become sophisticated instruments of geopolitical pressure. As Herzog (2011) observed in his analysis of the Estonian cyber attacks, “What initially appeared as cyber vandalism was actually a coordinated campaign designed to undermine public confidence in the state’s ability to provide essential services.” [10]
More concerning still is the exploitation of connected infrastructure in geopolitically motivated operations. Industrial control systems, smart city components, and critical infrastructure increasingly rely on IoT technology, creating new vectors for attacks with physical consequences. NETSCOUT (2025) warns that AI-driven DDoS attacks are increasingly targeting critical infrastructure, with potential to cause cascading failures across interdependent systems. [11]
The implications are profound: digital vulnerability is not merely a personal or corporate issue; it’s a threat to public stability and democratic sovereignty. When essential services can be disrupted remotely and at scale, the very foundations of social order become precarious due to growing IoT security risks.
The Illusion of Choice
Perhaps most troubling is the erosion of meaningful choice in our relationship with connected technology. As IoT becomes embedded in essential services and infrastructure, opting out becomes increasingly difficult or impossible.
People can no longer realistically opt out of using connected devices in areas like heating, healthcare, or mobility. Smart meters are mandated in many regions. Medical devices increasingly require connectivity for proper functioning. Public transportation, traffic management, and even access to buildings now depend on IoT systems.
Without real alternatives or opt-out rights, participation in data extraction becomes compulsory, undermining digital rights and self-determination. As our physical and digital worlds merge, the absence of security-by-design in IoT creates not just technical vulnerabilities but democratic ones as well.
This compulsory participation in insecure systems represents a fundamental challenge to digital peace, the ability of individuals and societies to maintain autonomy, privacy, and security in digital spaces.
Policy Recommendations
Addressing the systemic security risks of IoT requires coordinated action across multiple domains. The following recommendations offer a pathway toward a more secure and equitable IoT ecosystem:
First, governments must enforce security-by-design regulations for all connected devices. The European Union’s Cyber Resilience Act and the UK’s Product Security and Telecommunications Infrastructure Act provide useful models, requiring manufacturers to implement basic security measures before bringing products to market. As ENISA (2020) recommends, these should include secure boot mechanisms, automatic updates, and the elimination of default credentials.
Second, public investment in open-source digital infrastructure is essential. By developing and maintaining secure, transparent alternatives to proprietary IoT systems, governments can establish higher security baselines and ensure that critical functions aren’t wholly dependent on commercial interests. This approach has proven successful in Estonia’s X-Road system, which provides a secure data exchange layer for public services.
Third, regulatory frameworks must require transparent opt-in/opt-out mechanisms for data sharing. Users should have clear information about what data is collected, how it’s used, and meaningful options to limit collection without losing essential functionality. The principle of data minimisation, collecting only what’s necessary for a specific purpose, should be legally mandated for IoT systems.
Finally, international norms and agreements to prevent IoT misuse in cyber conflicts are urgently needed. Building on frameworks like the Paris Call for Trust and Security in Cyberspace, nations should establish clear red lines regarding attacks on civilian IoT infrastructure and cooperate on attribution and response to violations. These actions aim to protect both personal autonomy and global digital peace by ensuring that the benefits of IoT can be realised without compromising fundamental security and rights.
The Choice We Can’t Avoid
The Internet of Things is becoming the invisible infrastructure of our societies, but we are wiring vulnerability into the foundations of modern life. From energy grids to hospital systems, we are embedding connectivity into critical systems. As we’ve seen throughout this article, this development holds tremendous potential. But we’re building it on architectures that are fundamentally insecure, opaque, and increasingly unavoidable.
So, what would a Digital Peace approach to IoT security risks truly mean?
It means imagining a world where checking your baby monitor doesn’t come with the fear of being watched. Where smart city traffic systems respond to emergencies without opening new doors for hostile actors. Where medical devices enhance your health, without transmitting your most intimate data to unknown servers.
Digital Peace means the technology that surrounds us works for us, not against us.
It means the smart meter tracking your energy use can’t be weaponised to map your daily routines.
It means the sensors regulating your city’s water supply aren’t also digital backdoors.
It means your data is protected, not just from malicious actors, but also from unchecked commercial exploitation.
And it means opting out remains a real choice, for those who feel overwhelmed, who can’t afford “smart”, or who simply choose a different path.
But right now, we are building the opposite.
This isn’t accidental. This is yet another case where the logic of the market reaches its limits. Security, privacy, and human dignity are not profitable by default: they don’t scale, they don’t generate returns, and they don’t drive quarterly growth. Yet they are inherently worth protecting.
Every day, we install more devices that force us to choose between functionality and security, between participation in modern life and the protection of our privacy. We’re creating a world where the very technologies designed to improve our lives become tools of surveillance, exploitation, and systemic risk.
Do we accept a future where digital vulnerability is the price of connection? Or will we demand something better?
The technologies exist. The frameworks are possible. What’s missing is the will to prioritise resilience over rollout, rights over convenience, digital peace over digital profit.
That baby monitor is still transmitting with its default password. How much longer will we let it?
References
1. Mathews, L. (2017, July 27). Criminals Hacked A Fish Tank To Steal Data From A Casino. Forbes. https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/
2. Kurz, C., & Rieger, F. (2018). Cyberwar – Die Gefahr aus dem Netz. C. Bertelsmann Verlag.
3. SentinelOne. (2024, November 6). Top 10 IoT Security Risks and How to Mitigate Them. SentinelOne. https://www.sentinelone.com/cybersecurity-101/data-and-ai/iot-security-risks/
4. Traynor, O. (2025, April 8). IoT Cybersecurity: Connecting the Dots. CybelAngel. https://cybelangel.com/iot_cybersecurity/
5. Okonta, D. E., & Vukovic, V. (2024). Smart cities software applications for sustainability and resilience. Heliyon, 10(12), e32654. https://doi.org/10.1016/j.heliyon.2024.e32654
6. Zeng, F., Pang, C., & Tang, H. (2024). Sensors on Internet of Things Systems for the Sustainable Development of Smart Cities: A Systematic Literature Review. Sensors, 24(7), 2074. https://doi.org/10.3390/s24072074
7. Fortinet. (2023). Top IoT Device Vulnerabilities: How To Secure IoT Devices. Fortinet. https://www.fortinet.com/resources/cyberglossary/iot-device-vulnerabilities
8. Skouloudi, C., Malatras, A., Naydenov, R., & Dede, G. (2020, November 9). Guidelines for Securing the Internet of Things. ENISA. https://www.enisa.europa.eu/publications/guidelines-for-securing-the-internet-of-things
9. Jones, D. (2025, March 4). More than 86K IoT devices compromised by fast-growing Eleven11 botnet. Cybersecurity Dive. https://www.cybersecuritydive.com/news/86000-iot-compromised-eleven11-botnet/741507/
10. Herzog, S. (2011). Revisiting the Estonian Cyber Attacks: Digital Threats and Multinational Responses. Journal of Strategic Security, 4(2), 49–60. https://doi.org/10.5038/1944-0472.4.2.3
11. Ribeiro, A. (2025, May 7). NETSCOUT warns of AI-driven DDoS attacks, threatening critical infrastructure and amplifying cybersecurity risks. Industrial Cyber. https://industrialcyber.co/critical-infrastructure/netscout-warns-of-ai-driven-ddos-attacks-threatening-critical-infrastructure-and-amplifying-cybersecurity-risks/