How Not to IoT: Lessons in Security Failures
Zoltan "zh4ck" Balazs
DEF CON 33 (backfill) · Day 1 · Main Stage
In "How Not to IoT: Lessons in Security Failures," Zoltan "zh4ck" Balazs dissects a litany of pervasive security vulnerabilities found in common Internet of Things (IoT) devices, from smart doorbells and vacuum cleaners to Android TV boxes and IP cameras. The talk serves as a stark reminder of the abysmal state of security in many commercially available IoT products, highlighting how fundamental security principles are routinely overlooked or deliberately bypassed by manufacturers. Balazs emphasizes the importance of learning from these past mistakes, not only for consumers to make informed purchasing decisions but also for developers to build more secure and resilient devices.
AI review
Competent IoT vulnerability survey from someone who clearly knows the hardware, with a live demo that lands and a few genuinely entertaining anecdotes — the accidental botnet story alone is worth something. But this is a greatest-hits tour of the IoT vulnerability graveyard, not a research contribution: cleartext creds, GoAhead CVEs from 2004, command injection on login pages, UPnP exposure. None of it is new, and the 'here's what secure IoT could look like' finale reads like a conference slide deck for Matter/Thread, which he coincidentally works adjacent to.
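As an added illustration of the "command injection on login pages" class the review names (this is not code from the talk or from any product it covers): a constructed login handler that interpolates the POSTed username into a shell command, beside a hardened form that validates the field and never hands attacker input to a shell. The `echo` stand-in for the firmware's real lookup command, the username pattern and the `INJECTED` marker are assumptions made for the demo.

```python
import re
import subprocess

# Vulnerable pattern: the login CGI builds a shell command string from the
# untrusted "username" field. `echo` is a harmless, hypothetical stand-in for
# whatever the device firmware really shells out to (passwd lookup, NVRAM get).
def lookup_user_vulnerable(username: str) -> str:
    cmd = f"echo {username}"  # attacker controls the tail of the command line
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Hardened form: reject anything outside a strict username alphabet, then pass
# arguments as an argv list so no shell ever parses attacker-controlled bytes.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def lookup_user_hardened(username: str) -> str:
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return subprocess.run(["echo", username], capture_output=True, text=True).stdout

def injected(output: str) -> bool:
    # Marker (assumption) that only appears if a second command actually ran.
    return "INJECTED" in output

def hardened_rejects(username: str) -> bool:
    try:
        lookup_user_hardened(username)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    payload = "admin; echo INJECTED"  # constructed attacker input
    print("vulnerable output:", repr(lookup_user_vulnerable(payload)))
    print("hardened rejects payload:", hardened_rejects(payload))
```

The payload only separates commands because `shell=True` routes the string through `/bin/sh`; the hardened version removes the shell entirely and adds an allowlist, which is the check worth looking for in any login CGI that spawns a process.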