Over 20 Billion Devices, Minimal Security
The numbers have crossed a threshold that makes the problem structural, not anecdotal. IoT Analytics’ State of IoT 2025 report, published in October 2025, estimates 21.1 billion connected IoT devices globally in 2025 — a 14% increase from the 18.5 billion counted in 2024. By 2030, the projection reaches 39 billion. These devices — smart cameras, routers, industrial sensors, medical monitors, smart thermostats, connected appliances — share a common vulnerability profile: they ship with default credentials, run outdated firmware that is rarely or never updated, lack encryption for data in transit, and operate on processors too constrained to run conventional security software.
The economics of IoT manufacturing explain the security deficit. A $15 smart camera sold on AliExpress operates on margins measured in cents. Adding a secure boot process, encrypted firmware updates, unique per-device credentials, and ongoing security patch support could add $2-5 to the bill of materials and require sustained engineering investment that the manufacturer’s business model does not support. Shenzhen-based OEMs producing millions of white-label devices for global brands have zero incentive to invest in security features that consumers cannot see and do not demand. The result is a global fleet of devices that are, from a security perspective, permanently vulnerable from the moment they leave the factory.
This is not a theoretical risk. It is an active, industrialized attack surface. Cloudflare’s Q1 2025 DDoS Threat Report documented a staggering 358% year-over-year increase in DDoS attacks, blocking 20.5 million attacks in that quarter alone. The scale of individual attacks has escalated just as dramatically: in October 2024, Cloudflare mitigated a 5.6 Tbps attack launched by a Mirai-variant botnet using roughly 13,000 compromised IoT devices. By the third quarter of 2025, the Aisuru botnet — commanding an estimated 1 to 4 million infected hosts globally — was routinely generating attacks exceeding 1 Tbps, with a peak recorded at 29.7 Tbps. The Q4 2025 report capped the year with a record-setting 31.4 Tbps assault. The average cost of a DDoS attack to the targeted enterprise now runs into the hundreds of thousands of dollars per incident, and the attacks are growing in sophistication, blending volumetric floods with application-layer precision targeting.
The Botnet Economy: From Mirai to Aisuru
The Mirai botnet of 2016 was the watershed. When three college students released malware that scanned the internet for IoT devices running default credentials, compromised them, and organized them into a coordinated DDoS cannon, they demonstrated that millions of insecure devices could be weaponized trivially. The Mirai attack on DNS provider Dyn on October 21, 2016 — which temporarily took down Twitter, Netflix, Reddit, GitHub, and dozens of other major services — used approximately 100,000 compromised devices to generate over 1.1 Tbps of attack traffic.
Mirai’s source code was publicly released, spawning an entire ecosystem of variants. By 2026, security researchers track dozens of active Mirai-derived botnet families, each adding new exploitation capabilities. InfectedSlurs, discovered by Akamai in late October 2023, exploits zero-day vulnerabilities in FXC outlet wall routers and QNAP VioStor NVR devices. Mozi, a peer-to-peer botnet that historically infected over 1.5 million devices — roughly 90% of them in China and India — was neutralized in August 2023 through what researchers at ESET determined was a deliberate kill switch deployment, likely by the original creators or Chinese law enforcement. Newer variants target industrial IoT protocols like Modbus and BACnet, extending the botnet threat into operational technology environments. The most significant development of 2025 was the emergence of the Aisuru botnet, which assembled an army of an estimated 1 to 4 million compromised devices and unleashed hyper-volumetric DDoS attacks that shattered previous records. The common thread across all these variants is that each finds fresh populations of unpatched, default-credential devices to recruit.
The botnet economy has matured into a professional service industry. DDoS-for-hire services — marketed as “stresser” or “booter” services — rent IoT botnet capacity at prices ranging from as little as 10 euros for a basic attack to thousands per month for sustained, high-bandwidth campaigns. Researchers at the University of Cambridge’s Cybercrime Centre, in a study presented at the USENIX Security Symposium in 2025, examined global law enforcement efforts against these platforms, finding that most users are gamers and casual actors rather than sophisticated cybercriminals, with few attempting to hide their identities. International operations like Operation PowerOFF continue to seize booter domains, but new services emerge as fast as old ones are dismantled. For a few hundred dollars, anyone can launch a multi-hundred-gigabit attack sufficient to take a mid-sized company offline for hours.
The Regulatory Response: EU Cyber Resilience Act and Beyond
The market failure in IoT security — where manufacturers externalize security costs to users and the broader internet — has finally triggered regulatory intervention. The EU Cyber Resilience Act (CRA), which entered into force on 10 December 2024, with main obligations applying from 11 December 2027, represents the most significant regulatory response to date. The CRA mandates that all products with digital elements sold in the EU must meet essential cybersecurity requirements throughout their lifecycle, with reporting obligations taking effect even earlier on 11 September 2026.
For IoT manufacturers, the CRA’s requirements are transformative: no default passwords (each device must ship with unique credentials), mandatory security updates for a minimum of five years or the product’s expected lifetime, vulnerability disclosure policies, and conformity assessments for high-risk product categories (routers, smart home gateways, industrial controllers). Non-compliance carries fines of up to 15 million euros or 2.5% of global turnover. The CRA effectively makes the Shenzhen white-label model illegal for the EU market — manufacturers can no longer ship devices without security considerations and walk away.
The United States has taken a softer approach with the U.S. Cyber Trust Mark program, officially launched by the White House on January 7, 2025, which provides a voluntary labeling scheme for IoT devices meeting baseline security criteria. Administered by the FCC, the program allows compliant devices to display a shield-shaped label with a QR code linking to security information, indicating they meet standards for unique passwords, regular software updates, and data protection. While voluntary, major retailers including Amazon and Best Buy have committed to highlighting Cyber Trust Mark products, creating market pressure that may prove more effective than mandates in the U.S. context. The UK’s Product Security and Telecommunications Infrastructure Act (PSTI), effective since 29 April 2024, bans universal default passwords and requires manufacturers to publish vulnerability disclosure policies — a narrower mandate than the CRA but enforceable with fines of up to 10 million pounds or 4% of global turnover, whichever is greater, plus up to 20,000 pounds per day for ongoing violations.
Technical Challenges: Securing 256KB of RAM
Even with regulatory pressure, securing IoT devices faces genuine technical constraints that distinguish the problem from conventional software security. Many IoT devices operate on microcontrollers with 256KB of RAM or less — a Cortex-M0 processor running at 48MHz with 32KB of flash storage cannot run a TLS 1.3 stack, a host-based intrusion detection system, and an OTA update agent simultaneously. Security solutions must be fundamentally different from the endpoint protection paradigms that work on servers and laptops.
The industry response is converging on several approaches. ARM’s Platform Security Architecture (PSA Certified) provides a hardware-rooted security framework for Cortex-M microcontrollers, establishing secure boot, secure storage, and cryptographic service foundations at the silicon level. NIST’s Lightweight Cryptography standardization project selected the Ascon algorithm family in February 2023, and finalized the standard as SP 800-232 in August 2025. Ascon provides authenticated encryption, hashing, and extendable output functions with minimal memory and computational overhead, making strong cryptography feasible on the smallest devices. Microsoft’s Azure Sphere and Google’s OpenThread represent platform-level approaches, embedding security into the development SDK rather than bolting it onto finished products.
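The update path is where most of the guarantees above have to be enforced on the device itself: an OTA agent must authenticate the update manifest before trusting anything inside it, refuse to roll back to an older (possibly vulnerable) version, and check the image hash before flashing. The following is an added illustration written for this article, not code from ARM PSA, NIST, Azure Sphere or any vendor. It models that acceptance logic in Python with the standard library only; the vendor key, version numbers and image bytes are constructed, and an HMAC tag stands in for the public-key signature a real device would verify with a key held in secure storage.

```python
import hashlib
import hmac
import json

# Constructed illustration key. On a real device the signing key never leaves the
# vendor's HSM and the device holds only a verification key; HMAC is used here as a
# stand-in for a public-key signature so the example runs with the standard library.
VENDOR_KEY = b"constructed-vendor-signing-key-not-real"


def build_update(version: int, image: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: bind the version to the image hash in a manifest, then tag it."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    # Canonical serialisation so the tag covers exactly the bytes the device checks.
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"manifest": payload, "tag": tag, "image": image}


class Device:
    """Minimal model of an OTA update agent with an anti-rollback version counter."""

    def __init__(self, installed_version: int, key: bytes = VENDOR_KEY):
        self.installed_version = installed_version  # would live in secure storage
        self.key = key
        self.log = []

    def accept_update(self, update: dict) -> bool:
        # 1. Authenticate the manifest before parsing or trusting any field in it.
        expected = hmac.new(self.key, update["manifest"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, update["tag"]):
            self.log.append("reject: manifest authentication failed")
            return False
        manifest = json.loads(update["manifest"])

        # 2. Anti-rollback: an older signed image is still a signed image, so the
        #    version check is what stops an attacker replaying a vulnerable release.
        if manifest["version"] <= self.installed_version:
            self.log.append(
                f"reject: version {manifest['version']} is not newer than {self.installed_version}"
            )
            return False

        # 3. Only now compare the image against the authenticated hash, then flash.
        if hashlib.sha256(update["image"]).hexdigest() != manifest["sha256"]:
            self.log.append("reject: image hash mismatch")
            return False

        self.installed_version = manifest["version"]
        self.log.append(f"installed version {manifest['version']}")
        return True


if __name__ == "__main__":
    device = Device(installed_version=3)
    device.accept_update(build_update(4, b"constructed firmware v4 image"))
    device.accept_update(build_update(2, b"constructed firmware v2 image"))  # rollback
    forged = build_update(5, b"constructed firmware v5 image", key=b"wrong-key")
    device.accept_update(forged)  # unauthenticated manifest
    print("\n".join(device.log))
```

The ordering matters: the manifest is authenticated before any of its fields are read, the version counter is compared before the image is hashed, and the counter is only advanced after a successful install, so an attacker with a copy of an older signed release gains nothing from replaying it.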
Network-level security offers a complementary approach for the billions of devices already deployed with no prospect of firmware updates. Companies like Armis — which raised $200 million in a Series D round in October 2024 at a $4.2 billion valuation, then followed with a $435 million round in November 2025 at a $6.1 billion valuation — and Finite State provide agentless IoT security platforms that monitor device behavior at the network level, detecting anomalous traffic patterns, identifying compromised devices, and segmenting vulnerable devices from critical network assets. For enterprises and service providers managing large IoT fleets, network-based detection may be the only viable security layer for devices whose firmware will never be updated. The fundamental challenge remains: the IoT security problem is one of economic incentives, not technical impossibility, and until the cost of insecurity falls on manufacturers rather than users, the botnet crisis will continue to scale with every device shipped.
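The two behaviours a network-level monitor is looking for are the ones described earlier in this article: the Mirai-style recruitment sweep, in which one device suddenly contacts many hosts on telnet or SSH ports, and DDoS participation, in which a device's outbound volume jumps far above its own usual level toward a single target. The example below is added here to show that detection logic in Python; it is not code from Armis, Finite State or any vendor. The flow records are constructed NetFlow-style tuples (timestamp, device IP, destination IP, destination port, bytes sent), the thresholds are illustrative assumptions, and the quarantine action is a placeholder for whatever segmentation mechanism the network actually offers.

```python
from collections import defaultdict
from statistics import median

# --- Constructed sample telemetry (not real captures) ---------------------------
# Each record: (timestamp_seconds, device_ip, dst_ip, dst_port, bytes_out)
SAMPLE_FLOWS = [
    # 10.0.0.11: a camera that only ever talks to its cloud relay over TLS
    (0, "10.0.0.11", "203.0.113.5", 443, 4_000),
    (60, "10.0.0.11", "203.0.113.5", 443, 4_200),
    (120, "10.0.0.11", "203.0.113.5", 443, 3_900),
    # 10.0.0.13: a thermostat with a small, steady heartbeat
    (0, "10.0.0.13", "203.0.113.9", 443, 500),
    (60, "10.0.0.13", "203.0.113.9", 443, 520),
    (120, "10.0.0.13", "203.0.113.9", 443, 480),
]
# 10.0.0.12: a camera sweeping 40 distinct hosts on telnet ports (recruitment pattern)
SAMPLE_FLOWS += [
    (120 + i, "10.0.0.12", f"198.51.100.{i + 1}", 23 if i % 2 else 2323, 80)
    for i in range(40)
]
# 10.0.0.13 later pushes 12 MB in ten seconds at one target (flood pattern)
SAMPLE_FLOWS += [(300 + i, "10.0.0.13", "192.0.2.77", 53, 1_200_000) for i in range(10)]

CREDENTIAL_PORTS = {22, 23, 2323}  # default-credential services recruiters probe
WINDOW = 60                        # seconds per analysis window (assumption)
SCAN_MIN_TARGETS = 20              # distinct hosts on those ports per window (assumption)
FLOOD_FLOOR_BYTES = 1_000_000      # never flag a window below 1 MB (assumption)
FLOOD_FACTOR = 10                  # or below 10x the device's own median window (assumption)


def bucket_flows(flows, window=WINDOW):
    """Group flows by device, then by time window -> {device: {window_idx: [(dst, port, bytes)]}}."""
    buckets = defaultdict(lambda: defaultdict(list))
    for ts, dev, dst, port, nbytes in flows:
        buckets[dev][ts // window].append((dst, port, nbytes))
    return buckets


def detect_anomalies(flows, window=WINDOW):
    """Return {device_ip: [finding, ...]} for devices behaving like botnet members."""
    findings = defaultdict(list)
    for dev, windows in bucket_flows(flows, window).items():
        per_window_bytes = {w: sum(n for _, _, n in fl) for w, fl in windows.items()}
        for w, fl in sorted(windows.items()):
            # Rule 1: many distinct destinations on credential-guessing ports in one window.
            targets = {dst for dst, port, _ in fl if port in CREDENTIAL_PORTS}
            if len(targets) >= SCAN_MIN_TARGETS:
                findings[dev].append(
                    f"scan: {len(targets)} hosts on ports {sorted(CREDENTIAL_PORTS)} in window {w}"
                )
            # Rule 2: outbound volume far above this device's own baseline. The baseline is
            # the median of its other windows, so a device with no history only trips the floor.
            others = [b for ow, b in per_window_bytes.items() if ow != w]
            baseline = median(others) if others else 0
            total = per_window_bytes[w]
            if total >= FLOOD_FLOOR_BYTES and total > FLOOD_FACTOR * baseline:
                by_dst = defaultdict(int)
                for dst, _, n in fl:
                    by_dst[dst] += n
                top_dst = max(by_dst, key=by_dst.get)
                findings[dev].append(f"flood: {total} bytes in window {w}, mostly to {top_dst}")
    return dict(findings)


def quarantine_plan(findings):
    """Map findings to a segmentation action for devices whose firmware will never be fixed."""
    return {dev: "isolate: quarantine VLAN, allow only the vendor update server" for dev in findings}


if __name__ == "__main__":
    for dev, reasons in detect_anomalies(SAMPLE_FLOWS).items():
        print(dev, reasons)
    print(quarantine_plan(detect_anomalies(SAMPLE_FLOWS)))
```

On the constructed data the camera at 10.0.0.11 is never flagged, 10.0.0.12 trips the scan rule and 10.0.0.13 trips the flood rule. The per-device baseline is the point of the design: a camera that normally streams megabytes and a thermostat that sends a few hundred bytes an hour need different thresholds, and comparing each device with its own history is what lets an agentless monitor cover a heterogeneous fleet without per-model tuning.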
🧭 Decision Radar (Algeria Lens)
| Dimension | Assessment |
|---|---|
| Relevance for Algeria | High — Algeria’s IoT deployments in smart cities, energy (Sonatrach SCADA), and telecom are expanding; most imported devices lack security baselines |
| Infrastructure Ready? | No — Algeria has no IoT security certification framework or import security requirements for connected devices |
| Skills Available? | Low — IoT security expertise is concentrated in a handful of university research groups; no commercial IoT security providers operate locally |
| Action Timeline | 12-24 months — the EU CRA will reshape the global IoT supply chain by 2027, indirectly improving devices available in Algeria; proactive import standards could accelerate this |
| Key Stakeholders | ARPT (telecom regulator), ANSI, Customs (import standards), Sonatrach/Sonelgaz (industrial IoT), Ministry of Commerce |
| Decision Type | Strategic — Algeria could adopt CRA-aligned import requirements to leverage EU regulatory momentum without building a domestic certification infrastructure from scratch |
Quick Take: The IoT botnet crisis is a market failure now being corrected by regulation. The EU Cyber Resilience Act will force manufacturers to build security into connected devices by 2027. Algeria can benefit by aligning import standards with the CRA, ensuring that the devices entering its market meet the security baselines that manufacturers will be forced to implement for the European market anyway.
Sources & Further Reading
- IoT Analytics — State of IoT 2025: 21.1 Billion Connected Devices
- Cloudflare — Q4 2024 DDoS Threat Report: Record 5.6 Tbps Attack
- Cloudflare — Q1 2025 DDoS Threat Report: 358% YoY Increase
- Cloudflare — Q3 2025 DDoS Threat Report: Aisuru Botnet
- Cloudflare — Q4 2025 DDoS Threat Report: 31.4 Tbps Record
- Cloudflare — Inside Mirai: A Retrospective Analysis
- EU Cyber Resilience Act — Official Summary
- Akamai — InfectedSlurs Botnet Zero-Day Discovery
- ESET — Who Killed Mozi? Putting the IoT Zombie Botnet in Its Grave
- NIST — Lightweight Cryptography: Ascon Selection (Feb 2023)
- NIST — SP 800-232: Ascon Lightweight Cryptography Standard (Aug 2025)
- U.S. Cyber Trust Mark — White House Launch Announcement
- FCC — U.S. Cyber Trust Mark Program
- UK PSTI Act — Product Security Regime
- Armis — $200M Series D at $4.2B Valuation (Oct 2024)
- Armis — $435M Round at $6.1B Valuation (Nov 2025)
- ARM PSA Certified Security Framework
- Cambridge Cybercrime Centre — DDoS-for-Hire Takedown Study (USENIX 2025)