But, like death and taxes, we’re certain many more devices will be infected. Given the historical behavior of manufacturers not addressing vulnerabilities, it’s unlikely they will change anytime soon. There’s nothing forcing them to do so, and they’ve already shown they aren’t willing to do so merely because it’s the right thing to do.

Faced with manufacturers who don’t seem to care any more than the organizations that deploy these devices, it’s not hard to empathize with the vigilantes employing thingbots to nip at the heels of the real enemy.

And they are only nipping at the heels of a much larger problem. There are millions of devices already infected. Based on our latest research, their efforts are not going to slow down the growth of thingbots. It’s debatable whether the black hats even notice that the devices taken out by the vigilantes are missing.

With billions of devices vulnerable and more on the way, the efforts of gray hats are not only illegal but likely ineffective—a drop in the bucket that fails to move the needle in an appreciable direction.

I can’t say it often enough that organizations need to be responsible for the things they attach to their networks, and manufacturers need to be held accountable for blatantly ignoring the need to patch vulnerabilities in their devices.

As always, if you’re attaching a thing to your network (whether at home or in the office) you absolutely need to:

1. Change default passwords (prevention)
2. Lock down Telnet and SSH access (prevention)
3. Secure web interfaces by using a web application firewall (prevention)

Additionally, you may want to:

1. Invest in an IoT gateway (prevention)
2. Monitor for unusual intra-network traffic (detection)
3. Watch for new initiators of outbound traffic (detection)