The 7 Worst Examples of IoT Hacking and Vulnerabilities in Recorded History

Guest Writer

- Last Updated: October 8, 2025


Today, we can connect nearly everything we use to the internet. As we continue to rely on these devices, it's no surprise that their security is a major concern. We've all heard of cybersecurity concerns when it comes to IoT devices, and there's an inherent risk that comes with connecting more and more devices to the internet and to each other. Malicious hackers can launch attacks and infiltrate thousands or millions of unsecured devices, crippling infrastructure, downing networks, or gaining access to private information. In this article, we'll focus on some of the biggest IoT hacks and vulnerabilities we've seen so far and the effects they had.

1. The Mirai Botnet (aka Dyn Attack)

Back in October of 2016, the largest DDoS attack ever was launched on service provider Dyn using an IoT botnet. This led to huge portions of the internet going down, including Twitter, the Guardian, Netflix, Reddit, and CNN.

This IoT botnet was made possible by malware called Mirai. Once infected with Mirai, computers continually search the internet for vulnerable IoT devices and then use known default usernames and passwords to log in, infecting them with malware. These devices were things like digital cameras and DVR players.

Since then, the legacy of the Mirai botnet has continued to influence the IoT security landscape. In recent years, variants of the Mirai malware have emerged, showing that the threat from such botnets is far from over. These new variants have targeted a broader range of IoT devices, from routers to connected cameras, expanding the potential for large-scale DDoS attacks.

The resilience and evolution of Mirai-like malware underscore the critical need for stronger security measures in IoT devices. Manufacturers and users must be vigilant in updating device firmware and changing default credentials, a lesson that has only grown in importance since the Mirai incident.

According to PC Magazine, here are four straightforward IoT security lessons that businesses can take from the incident:

  • “Devices that cannot have their software, passwords, or firmware updated should never be implemented.
  • Changing the default username and password should be mandatory for the installation of any device on the Internet.
  • Passwords for IoT devices should be unique per device, especially when they are connected to the Internet.
  • Always patch IoT devices with the latest software and firmware updates to mitigate vulnerabilities.”
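The four lessons above can be turned into an automated check over a device inventory. The following is an added example, not code from PC Magazine or from this article's author: the `Device` record, the finding names, the audit key and the sample inventory are all assumptions made for illustration, and the only real credential pair used is the "root/vizxv" default mentioned later on this page.

```python
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass

AUDIT_KEY = b"constructed-audit-key"   # placeholder; keep the real key secret
# Factory logins to test for. "root/vizxv" is the pair this page mentions;
# "admin/admin" is a constructed placeholder entry.
KNOWN_DEFAULTS = [("root", "vizxv"), ("admin", "admin")]

def fingerprint(user: str, password: str) -> str:
    """Keyed hash of a login, so the inventory never stores plaintext."""
    msg = f"{user}\x00{password}".encode()
    return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()

DEFAULT_FPS = {fingerprint(u, p) for u, p in KNOWN_DEFAULTS}

@dataclass
class Device:
    name: str
    cred_fp: str          # fingerprint() of the configured login
    updatable: bool       # can software, passwords or firmware be changed?
    fw_installed: tuple   # e.g. (1, 0, 3)
    fw_latest: tuple      # newest version the vendor has published

def audit(devices):
    """Return {device name: [findings]}, one finding per violated lesson."""
    reuse = Counter(d.cred_fp for d in devices)
    report = {}
    for d in devices:
        checks = [
            ("not-updatable", not d.updatable),
            ("default-credentials", d.cred_fp in DEFAULT_FPS),
            ("shared-credentials", reuse[d.cred_fp] > 1),  # same login reused
            ("firmware-outdated", d.fw_installed < d.fw_latest),
        ]
        findings = [name for name, failed in checks if failed]
        if findings:
            report[d.name] = findings
    return report

# Constructed sample inventory (hypothetical devices and passwords).
INVENTORY = [
    Device("lobby-cam", fingerprint("root", "vizxv"), True, (1, 0, 3), (1, 2, 0)),
    Device("dvr-1", fingerprint("ops", "Unique-A"), True, (2, 1, 0), (2, 1, 0)),
    Device("dvr-2", fingerprint("ops", "Unique-A"), False, (2, 1, 0), (2, 1, 0)),
    Device("router", fingerprint("net", "Unique-B"), True, (4, 0, 0), (4, 0, 0)),
]
```

Calling `audit(INVENTORY)` reports the camera for its factory login and stale firmware, both DVRs for sharing one login, and the second DVR for being impossible to update; the router passes all four checks.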

Reflecting on these lessons in the context of the evolving threats, it's clear that the IoT landscape demands continuous vigilance and adaptive security strategies. The IoT ecosystem is now more complex, and the stakes are higher, making the implementation of robust security protocols more critical than ever.

2. The Hackable Cardiac Devices from St. Jude

In 2017, there was a big worry about some heart-related devices made by St. Jude Medical. Turns out, these gadgets, such as pacemakers and defibrillators, which are super important for people with heart issues, had some serious security holes. The FDA (Food and Drug Administration) confirmed this, and it was kind of a big deal.

These vulnerabilities meant that a hacker could potentially get into these devices. Imagine someone messing with a device that's supposed to keep your heart beating right. They could drain the battery or even worse, make it do the wrong thing, like give the wrong kind of shock. This was scary stuff for anyone relying on these devices to stay healthy.

The whole problem was linked to the part of these devices that talks to doctors remotely – the transmitters. Hackers could break into these transmitters and take control. This wasn’t just about keeping personal health info safe; it was about keeping people alive and well.

It kicked off a lot of talk about making sure these kinds of medical gadgets are safe from hackers. St. Jude's situation was a wake-up call, showing everyone that as more medical stuff gets hooked up to the internet, the more we’ve got to be super careful about security. It was a real-life example of why it's so important to build these devices tough enough to keep out hackers, right from the start.

3. The Owlet WiFi Baby Heart Monitor Vulnerabilities

In 2016, the Owlet WiFi Baby Heart Monitor, a device many parents use to keep an eye on their baby's health, ran into some serious safety concerns. A security expert, Jonathan Zdziarski, looked into how the monitor worked and found some worrying issues. He discovered that the way the monitor talks to its base station over WiFi wasn't secure at all. This means that someone nearby could potentially peek into the data being sent, or even mess with the monitor's functions.

What's more, Zdziarski found that if the little sock with the sensor, which the baby wears, came off and was put back on, the monitor wouldn’t start working again on its own. Parents would have to manually turn it back on. He also pointed out that the system didn't seem to have a way to update itself to fix these problems, which is pretty important for security. The company behind Owlet did later say that they had a way to update the monitor, but these findings still raised big red flags about how safe and private these kinds of smart baby monitors are.

4. The TRENDnet Webcam Hack

In 2012, TRENDnet's security cameras, which many people use in their homes for things like baby monitoring, had a big security problem. Due to a mistake in their coding, hackers could easily get past the password and watch the video from these cameras. This meant that private videos from homes were ending up on the internet for anyone to see.

In response, TRENDnet worked fast to fix this. They updated the software in their cameras to close this security hole. They also had to make a deal with the U.S. Federal Trade Commission, promising to improve their security overall and be more honest about how safe their cameras are. They also agreed to keep their users in the loop about any security updates and provide help for two years.

This hack showed how important it is for companies to take the security and privacy of their internet-connected devices seriously.

5. The Jeep Hack

In 2015, a significant hacking incident involving Jeep Cherokees made headlines and underscored the importance of cybersecurity in vehicles. Two security researchers, Charlie Miller and Chris Valasek, demonstrated a remote hack on a Jeep Cherokee. They could manipulate the car's features like wipers and radio, and eventually stop the engine while it was on a highway.

This was possible due to a vulnerability in the car's infotainment system, manufactured by Harman International. The hack impacted 1.4 million vehicles and required a physical product recall, marking a watershed moment in the awareness of cybersecurity vulnerabilities in automobiles.

The aftermath of this incident led to significant changes in the automotive cybersecurity landscape. Harman International, recognizing the gravity of the situation, developed a cybersecurity product and acquired TowerSec, a cybersecurity company, to enhance its manufacturing processes and software security.

This move was part of a broader industry trend, with automotive cybersecurity becoming a rapidly growing market. The complexity of modern vehicles, which can contain up to 150 electronic control units running various operating systems, makes securing them a challenging task.

Post-hack, automotive companies started to focus more on cybersecurity, with requirements for it expanding significantly. They also began shifting the responsibility for security testing and implementation to their suppliers, like Harman, who are now expected to take a more proactive role in ensuring the cybersecurity of components they produce for vehicles.

6. The Casino Fish Tank Thermometer Hack

Sometimes the weakest link in a company’s defenses isn’t a server or an employee’s inbox—it’s an aquarium. At the WSJ CEO Council Conference in London, Darktrace CEO Nicole Eagan shared a striking example of how hackers are using internet-connected devices as unexpected entry points into corporate networks. In this case, attackers infiltrated a casino by exploiting a vulnerability in the smart thermometer inside the lobby’s fish tank.

Once inside, they pivoted through the network until they discovered the high-roller database, ultimately extracting it through the very same thermometer connection. The incident illustrates just how wide the attack surface has become as everyday devices—from thermostats and refrigerators to HVAC systems and personal voice assistants—are connected to the internet without robust protections.

Robert Hannigan, former head of the UK’s Government Communications Headquarters (GCHQ) who was also attending the conference, emphasized that this type of vulnerability isn’t going away. He noted that companies have already been compromised through inexpensive, poorly secured IoT devices like CCTV cameras, and warned that with thousands more devices being added to corporate environments each year, the risks will only grow. Both experts agreed that minimum security standards may need to be mandated by regulation, since market forces alone aren’t enough to drive manufacturers to prioritize cybersecurity in low-cost connected devices.

7. BrickerBot and the Rise of Permanent Denial-of-Service Attacks

If the Mirai botnet showed the world how vulnerable IoT devices are to being hijacked for massive DDoS attacks, BrickerBot revealed something even more chilling: that attackers could take insecure devices offline forever. First spotted in 2017, BrickerBot introduced the concept of a Permanent Denial-of-Service (PDoS) attack—malware designed not just to disrupt services temporarily, but to permanently “brick” devices, rendering them useless.

BrickerBot spread by brute-forcing Telnet credentials on Linux/BusyBox-based devices, often using default logins like “root/vizxv.” Once inside, it issued destructive commands that corrupted storage, wiped files, and even altered kernel parameters so the hardware couldn’t function again. Victims included routers, cameras, and other internet-exposed IoT gear. In its earliest waves, security firm Radware recorded thousands of attack attempts across just a few days, and the malware’s creator—known only as “Janit0r” or “The Doctor”—claimed responsibility for bricking more than 2 million insecure devices.

Unlike Mirai, BrickerBot didn’t monetize access to compromised machines. Its author called the campaign “Internet chemotherapy,” arguing that destroying poorly secured devices was a way to force manufacturers and users to take security seriously. But the collateral damage was significant: businesses that relied on affected devices were left with permanent downtime, costly replacements, and no easy path to recovery. The attacks underscored how fragile the IoT ecosystem can be when devices ship with outdated software, default credentials, and no clear way to patch vulnerabilities.
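On the defensive side, the Telnet credential guessing that BrickerBot and Mirai relied on leaves a recognizable trace: a burst of failed logins from one source, sometimes followed by a success. The detector below is an added example, not part of the original article or of any vendor's tooling; the log format, threshold, time window and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format, constructed for this example (not a real daemon's).
LINE = re.compile(r"^(?P<ts>\S+) telnetd: login (?P<result>failed|ok) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed logins inside one window.

    Returns {src: {"users": usernames tried, "success_after": bool}}.
    """
    recent = defaultdict(deque)   # src -> (timestamp, user) of recent failures
    alerts = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # skip lines in any other format
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        if m["result"] == "failed":
            q = recent[src]
            q.append((ts, m["user"]))
            while ts - q[0][0] > window:   # drop failures older than window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    src, {"users": set(), "success_after": False})
                alert["users"].update(user for _, user in q)
        elif src in alerts:
            # A login that succeeds after a burst means a guess worked:
            # isolate the device and rotate its credentials.
            alerts[src]["success_after"] = True
    return alerts

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2025-01-01T00:00:01+00:00 telnetd: login failed user=root src=203.0.113.7
2025-01-01T00:00:02+00:00 telnetd: login failed user=admin src=203.0.113.7
2025-01-01T00:00:03+00:00 telnetd: login failed user=root src=203.0.113.7
2025-01-01T00:00:04+00:00 telnetd: login failed user=support src=203.0.113.7
2025-01-01T00:00:05+00:00 telnetd: login failed user=root src=203.0.113.7
2025-01-01T00:00:06+00:00 telnetd: login ok user=root src=203.0.113.7
2025-01-01T00:03:00+00:00 telnetd: login failed user=ops src=198.51.100.20
2025-01-01T00:03:09+00:00 telnetd: login ok user=ops src=198.51.100.20
""".splitlines()
```

On the sample log only 203.0.113.7 is flagged, with `success_after` set; the single mistyped login from 198.51.100.20 stays below the threshold.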

This article was originally published on May 17, 2017. Updated October 3, 2025.
