That’s A Nice IoT Device You’ve Got There … It’d Be A Shame If Mirai Used It For Its Botnet
A variant of Mirai, the DDoS botnet that arrived in late 2016 and has remained active because its creators released the malware for anyone to use, is using unpatched (and, in this case, unpatchable) AVTECH closed-circuit television cameras as part of its botnet to attack targets of opportunity, such as the French hosting firm OVHcloud (an early target), security researcher Brian Krebs, or targets within the financial sector.
The recently discovered vulnerability appears to have been in the devices since 2019. What complicates matters is that these devices are past their end-of-support lifespan, meaning there are no available patches to remediate this issue.
When it comes to desktop management and security, security leaders recognize that the devices and the OS have a defined lifespan. The manufacturer will stop supporting the hardware, and the OS maker will stop supporting the OS, just as Microsoft will stop supporting Windows 10 in October 2025 and Apple stopped supporting macOS 11 Big Sur in September 2023. Because of this lifecycle on desktops and mobile devices, IT operations teams have developed replacement strategies, often on a cycle of two to five years depending on the industry, in which devices are replaced because of aging hardware and OSes are replaced once they become obsolete. But what about your IoT devices? For your anywhere-work users, what about the IoT devices within their home? Does your business have a lifecycle and replacement strategy for these devices?
IoT devices have long lifespans. They’re purpose-built devices that perform certain tasks, but tend not to have the high-low resource cycles, continual off/on application cycles, and repeated user interactions experienced by PCs and servers. Industrial devices like MRI machines or intelligent forklifts, which are both classified as IoT devices, don’t have the same usage patterns as a desktop or server computer, and businesses tend to believe these devices will live much longer than a five-year cycle. Most home users don’t expect to replace their Nest thermostat in five years or even 10. But those devices, because they’re a computer with just a simple task structure, do have a lifespan, and their software/firmware needs to be maintained. And when the device reaches end of life, it becomes a security hazard for your organization — whether it’s within your business network or at home for an employee.
Initiatives like IoT Security Trust Mark are trying to drive device manufacturers to adhere to standards of security, including code development lifecycles, and to label their devices appropriately, but this does nothing for the millions, if not billions, of IoT devices that are already deployed, have passed their end-of-life date, and are now vulnerable to attack. Our report, The Top Trends In IoT Security In 2024, discussed what’s good and bad in IoT security, but security leaders need to take the initiative and start protecting their IoT devices before they’re used for nefarious purposes.