IoT Security Failures Keep Compounding With No Real Accountability
TP-Link Kasa cameras were leaking home GPS coordinates via an unauthenticated UDP port for six years. The researcher who found it went through six months of coordinated disclosure, got two CVEs, watched the vendor mischaracterize the vulnerability, and ended up with a beta firmware patch as the resolution. The thread on HN is weary rather than outraged, because this pattern is familiar.
The through-line connecting this to other discussions today, including the supply chain security thread on in-toto, is that cheap connected hardware has essentially no accountability loop. Vendors ship, collect revenue, and have weak incentives to maintain security posture. Commenters noted that the correct architectural response is to never let IoT devices communicate directly over the public internet, which is practical advice but requires network discipline most consumers do not have.
The AI-generated disclosure report comment is worth flagging: a security researcher doing six months of real work wrote up findings that read as AI-generated to at least one commenter. That perception problem is now real and it undercuts credibility in a field where credibility is everything.
So what?
If you are building anything that connects to consumer hardware or depends on third-party IoT devices in a product stack, assume the security posture of that hardware is close to zero. Network-level isolation is your responsibility, not the vendor's. And if you are in security research, the bar for writing quality just went up because AI-generated prose is now a credibility signal.