Bricked and Abandoned: Keeping the IoT from becoming an Internet of Trash
This panel discusses the systemic security and environmental risks posed by end-of-life (EOL) IoT devices that are abandoned by manufacturers. It highlights how lack of support, proprietary software, and restrictive licensing lead to 'enshittification,' where devices become insecure, unpatchable, and unusable. The speakers advocate for policy reforms, including right-to-repair legislation, mandatory EOL disclosures, and graceful failure into open-source licensing to mitigate these risks.
The Security Debt of Abandoned IoT: Why Your Router is a Botnet Waiting to Happen
TLDR: Abandoned IoT devices, often referred to as "bricked" or end-of-life (EOL) hardware, represent a massive, unpatchable attack surface that threat actors are actively weaponizing. By exploiting OWASP A06:2021-Vulnerable and Outdated Components, attackers turn these devices into residential proxies for botnet traffic. Security professionals must treat EOL hardware as a critical risk factor and push for policy changes that mandate graceful failure or open-source transitions for abandoned firmware.
The industry loves to talk about zero-days and sophisticated nation-state campaigns, but the most persistent threat to your infrastructure is likely sitting in a closet or a basement, gathering dust. We are currently witnessing an epidemic of end-of-life (EOL) IoT devices that are no longer supported by their manufacturers but remain connected to the internet. When a vendor decides a device is no longer profitable to maintain, they don't just stop shipping updates; they often kill the cloud services required for the device to function, effectively turning it into a paperweight.
For a researcher or a pentester, this is not just an environmental disaster. It is a massive, unpatchable attack surface. These devices are often running ancient, vulnerable kernels and hardcoded credentials that will never be fixed. Attackers know this. They are not looking for the latest exploit; they are looking for the path of least resistance.
The Mechanics of Enshittification
The term enshittification, popularized by Cory Doctorow, perfectly describes the lifecycle of these devices. A manufacturer releases a product, gains market share, and then, to maximize margins, degrades the user experience by cutting off support. For the security community, this degradation manifests as a complete lack of security maintenance.
Consider the Spotify Car Thing, a recent example where a functional piece of hardware was rendered useless by a corporate decision. When the manufacturer pulls the plug, the device becomes a "zombie." It remains powered on and connected to the network, but it cannot receive security patches. If a vulnerability is discovered in the underlying firmware, it stays there forever.
Attackers exploit this by using these devices as nodes in a botnet. By compromising a SOHO router or an IoT camera, they gain a foothold inside a trusted network. From there, they can pivot to internal assets, sniff traffic, or use the device as a residential proxy to mask their origin. Because these devices are often behind NAT and lack any form of endpoint detection, they are the perfect "low and slow" infrastructure for malicious activity.
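The "residential proxy" behaviour described above has a network-visible signature: a device that should talk to one vendor endpoint instead fans out to many unrelated external hosts and ports. The following script is an added example written for this page, not code from the talk or its speakers; it profiles egress from an IoT segment using constructed NetFlow-style records (the 10.0.50.0/24 segment, the internal ranges and the thresholds are assumptions you would tune to your own address plan).

```python
"""Flag IoT-segment hosts whose egress looks like proxy/botnet fan-out.

Added example for this page. The address plan, the sample flow records and the
thresholds are constructed assumptions, not data from any real deployment.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed address plan: the IoT VLAN we monitor and the ranges treated as internal.
IOT_SEGMENT = ipaddress.ip_network("10.0.50.0/24")
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed NetFlow-style records: timestamp src dst dst_port bytes_out.
# 10.0.50.12 is a camera talking only to its vendor cloud, 10.0.50.20 a thermostat
# on MQTT-over-TLS, and 10.0.50.33 a device relaying traffic to many unrelated hosts.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.0.50.12 203.0.113.10 443 5120
2024-05-01T10:00:31 10.0.50.12 203.0.113.10 443 4870
2024-05-01T10:01:02 10.0.50.12 10.0.1.5 53 120
2024-05-01T10:01:10 10.0.50.20 203.0.113.20 8883 640
2024-05-01T10:01:15 10.0.50.20 10.0.1.5 53 98
2024-05-01T10:02:00 10.0.50.33 198.51.100.1 443 21000
2024-05-01T10:02:03 10.0.50.33 198.51.100.2 80 18400
2024-05-01T10:02:05 10.0.50.33 198.51.100.3 8080 30110
2024-05-01T10:02:09 10.0.50.33 198.51.100.4 443 9200
2024-05-01T10:02:14 10.0.50.33 198.51.100.5 25 2048
2024-05-01T10:02:20 10.0.50.33 198.51.100.6 443 14500
2024-05-01T10:02:27 10.0.50.33 198.51.100.7 1080 8800
"""


@dataclass
class EgressProfile:
    """Per-source summary of external destinations seen in the flow window."""
    dst_hosts: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)
    bytes_out: int = 0


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_flows(text: str):
    """Yield (src, dst, dst_port, bytes_out); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, src, dst, port, nbytes = parts
        try:
            yield (ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes))
        except ValueError:
            continue


def profile_iot_egress(text: str) -> dict:
    """Build an EgressProfile per IoT-segment source, counting external destinations only."""
    profiles = defaultdict(EgressProfile)
    for src, dst, port, nbytes in parse_flows(text):
        if src not in IOT_SEGMENT or is_internal(dst):
            continue
        p = profiles[str(src)]
        p.dst_hosts.add(str(dst))
        p.dst_ports.add(port)
        p.bytes_out += nbytes
    return dict(profiles)


def flag_proxy_candidates(profiles: dict, max_hosts: int = 5, max_ports: int = 3) -> dict:
    """Return {src: [reasons]} for sources whose fan-out exceeds the assumed thresholds."""
    findings = {}
    for src, p in profiles.items():
        reasons = []
        if len(p.dst_hosts) > max_hosts:
            reasons.append(f"fan-out to {len(p.dst_hosts)} external hosts")
        if len(p.dst_ports) > max_ports:
            reasons.append(f"{len(p.dst_ports)} distinct destination ports")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in flag_proxy_candidates(profile_iot_egress(SAMPLE_FLOWS)).items():
        print(f"{host}: {'; '.join(reasons)}")
```

The point of the baseline is that legitimate IoT egress is narrow and repetitive, so a simple count of distinct external hosts and ports per source is enough to surface a relay; in production you would feed real flow exports into `profile_iot_egress` over a sliding window and alert on `flag_proxy_candidates`.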
Why Pentesters Should Care
During a red team engagement or a penetration test, you should be looking for these devices as aggressively as you look for unpatched web servers. If you are on a client network, run a scan for common IoT management ports. You will frequently find devices that haven't seen a firmware update in years.
The risk here is not just the device itself. It is the trust relationship. A smart home appliance or a legacy router is often granted more access than it needs. If you can compromise a device that the user assumes is "safe," you have effectively bypassed the perimeter.
If you are performing a vulnerability assessment, look up the device's model number in the NVD (National Vulnerability Database). You will almost certainly find a list of unpatched vulnerabilities. The challenge is that there is no "fix." You cannot patch a device that the vendor has abandoned. The only remediation is to isolate the device or, preferably, remove it from the network entirely.
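The remediation decision above (isolate or remove) is easier to enforce when it falls out of an inventory rather than a one-off judgement. The script below is an added example for this page, not the speakers' tooling: it triages a constructed device inventory by vendor end-of-support date and firmware age and ranks the findings. The vendor names, models, dates and the 730-day staleness threshold are all assumptions.

```python
"""Triage a device inventory for end-of-life and stale-firmware risk.

Added example for this page. The inventory rows, vendor names, models and dates
are constructed; the staleness threshold is an assumption to tune per policy.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed inventory. An empty vendor_eos means the vendor never published one,
# which is itself a finding: the device may already be abandoned without notice.
SAMPLE_INVENTORY = """\
hostname,model,vlan,firmware_version,firmware_released,vendor_eos
cam-lobby,ExampleCam X1,50,2.1.4,2019-03-12,2021-06-30
router-branch,ExampleRouter R7,1,1.0.9,2023-11-02,2027-12-31
thermostat-2f,ExampleTherm T2,50,4.4.0,2021-01-15,
nas-old,ExampleNAS N3,20,3.2.1,2018-07-01,2020-01-01
"""

ACTIONS = {
    "eol": "remove from network; if it must stay, isolate on a dedicated VLAN "
           "with no inbound access and egress limited to the vendor endpoints it needs",
    "stale": "confirm support status with the vendor; isolate pending a firmware "
             "release or a published end-of-support date",
    "ok": "keep on patch cadence and record the vendor end-of-support date",
}


@dataclass
class Finding:
    hostname: str
    status: str            # "eol", "stale" or "ok"
    days_since_firmware: int
    action: str


def parse_date(value: str) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def classify(today: date, released: date, eos: Optional[date], stale_after_days: int) -> str:
    """Past the vendor EOS date beats everything; otherwise firmware age decides."""
    if eos is not None and today > eos:
        return "eol"
    if (today - released).days > stale_after_days:
        return "stale"
    return "ok"


def triage(csv_text: str, today: date, stale_after_days: int = 730) -> list:
    """Return findings ordered worst-first: EOL, then stale, oldest firmware first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        released = parse_date(row["firmware_released"])
        eos = parse_date(row["vendor_eos"])
        status = classify(today, released, eos, stale_after_days)
        findings.append(Finding(row["hostname"], status, (today - released).days, ACTIONS[status]))
    rank = {"eol": 0, "stale": 1, "ok": 2}
    return sorted(findings, key=lambda f: (rank[f.status], -f.days_since_firmware))


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, date(2024, 5, 1)):
        print(f"{f.hostname:14} {f.status:6} firmware age {f.days_since_firmware:5}d  -> {f.action}")
```

Treating a missing end-of-support date as a reason to escalate, rather than as "no news is good news", is the practical counterpart of the disclosure requirement the speakers argue for: until vendors are obliged to publish that date, the inventory has to assume the worst.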
The Path to Better Security
We need to stop accepting the status quo where manufacturers can abandon hardware without consequence. The current model of "sell and forget" is fundamentally incompatible with a secure ecosystem.
Policy reform is the only way to force a change in behavior. We need to advocate for legislation that requires manufacturers to disclose the end-of-support date at the point of sale. More importantly, we need to push for a "graceful failure" model. If a company goes out of business or decides to stop supporting a product, they should be legally required to release the firmware as open source. This allows the community to maintain the device, patch vulnerabilities, and keep it from becoming a permanent security liability.
The Secure Resilient Future Foundation is one of the few groups actively working to organize the security community around these issues. They are pushing for transparency and accountability, which is exactly what we need.
As security professionals, we have a responsibility to be the voice of reason at the policy table. We understand the technical reality of these devices better than any legislator. When you see a device that is insecure by design, don't just report it and move on. Document the risk, communicate it to the stakeholders, and push for a lifecycle management strategy that accounts for the reality of the internet of things. If we don't, we are just waiting for the next massive botnet to be built on the back of our own abandoned hardware.