It has been an eventful first half of 2026 for anyone who pays attention to the security of connected devices, which is to say, anyone who has a router, a smart TV, a camera, or a voice assistant in their home — even if they have never thought of themselves as the kind of person who pays attention to such things. The pace of significant events has been relentless, and the individual stories, taken together, sketch a clear picture of where things stand at the year’s midpoint.

This is a situational briefing. Rather than dive into any single incident, it steps back to connect the threads: the record-breaking attacks, the malware that refuses to die, the steady drumbeat of device vulnerabilities, and the regulatory shift that is about to reshape the entire market. Each of these deserves — and on this site has received — its own deep treatment. Here, the goal is to help you see how they fit together, because the connections are the part that is easy to miss when each story arrives as an isolated headline.

The Records Keep Falling

The defining statistic of IoT security in 2026 is a number that keeps climbing: the peak volume of distributed denial-of-service attacks. The Aisuru botnet — a TurboMirai-class network built from consumer broadband routers, CCTV cameras, and DVRs — drove an attack that peaked at 29.7 terabits per second, roughly 14.1 billion packets per second, shattering the previous record near 22 Tbps that had stood for only a few months.

What makes this trajectory alarming is not just the raw number but what produces it. These attacks are not generated by powerful, purpose-built infrastructure. They are generated by the aggregated bandwidth of one to four million ordinary consumer devices, conscripted without their owners’ knowledge and rented out by the gigabit as a criminal service. The record rises because the supply of vulnerable devices keeps growing, and because the operators have industrialized the process of recruiting them.

Law enforcement has not been passive. In March 2026, a coordinated operation led by the U.S. Department of Justice, with partners in Canada and Germany, seized infrastructure behind Aisuru and three related botnets — Kimwolf, JackSkid, and Mossad — that had collectively infected more than three million devices. But the hard limit of every such operation is that seizing servers does not clean infected devices. The compromised routers and cameras remain compromised, waiting to be re-recruited. We covered the full story in 29.7 Terabits Per Second: How Aisuru Turned Home Routers and Cameras Into the Largest DDoS Weapon Ever Built.

The Malware That Comes Pre-Installed

If Aisuru represents devices compromised after purchase, BadBox 2.0 represents something arguably more disturbing: devices that arrive compromised. BadBox 2.0 is malware that comes pre-installed on cheap Android-based streaming boxes, smart TVs, projectors, and infotainment systems — built into the supply chain before the product ever reaches a store shelf. At its peak it was described as the largest botnet of infected connected-TV devices ever uncovered, spanning more than ten million devices.

The story has not resolved. Despite disruption efforts, including a Google lawsuit and ongoing law enforcement attention, reporting as recently as April 2026 found infected TV boxes still openly for sale on major platforms including Amazon, Walmart, and Best Buy. The economics of the cheapest end of the streaming-device market continue to reward the practices that make BadBox possible. A consumer buying a $30 streaming box has no practical way to know whether it shipped with malware baked in. We examined this at length in our earlier coverage of how 10 million smart TVs became part of history’s largest botnet.

The two stories — Aisuru and BadBox — bracket the IoT threat from both ends. One shows what happens to devices that owners fail to secure. The other shows that even a diligent owner cannot fully secure a device that arrived compromised. Both point at the same root cause: a market that, until now, has faced no consequences for shipping insecure connected hardware.

The Steady Drumbeat of Device Flaws

Beneath the record-setting headlines runs a constant background rhythm: the steady disclosure of serious vulnerabilities in the connected devices people already own. The spring of 2026 was particularly active.

In March, TP-Link patched four high-severity flaws in its Archer NX router line, including an authentication bypass — CVE-2025-15517 — that lets an unauthenticated attacker upload firmware and take full control of the device, paired with a hardcoded cryptographic key in CVE-2025-15605. We broke down exactly what those flaws allow in Patch Now: TP-Link Archer NX Routers Can Be Fully Taken Over. The same season brought new Mirai and Gafgyt variants exploiting old, unpatched router flaws — including the C0XMO botnet leveraging a DD-WRT vulnerability that was disclosed back in 2019 and is still being exploited in 2026 because so many devices were never patched. Earlier in the year, the wolfSSL library vulnerability CVE-2026-5194 was reported to affect billions of devices including routers, IoT gadgets, and even military systems.

The pattern across all of these is consistent and it is the central problem of consumer IoT security: vulnerabilities get disclosed and patched, but a large fraction of devices in the field never receive the patch, because consumer hardware does not update itself the way modern phones do, and most owners do not know an update exists. Those unpatched devices become the permanent standing inventory from which the next botnet is built. A flaw from 2019 is still being exploited in 2026 not because it is unfixed, but because the fix never reached the devices.

The Regulatory Clock Is About to Start

The most consequential development of mid-2026 is not an attack at all. It is a deadline. On September 11, 2026 — now less than 100 days away — the European Union’s Cyber Resilience Act begins enforcing mandatory vulnerability reporting. Any manufacturer selling a connected device into the EU market will be required to report actively exploited vulnerabilities within 24 hours, follow up with full technical detail within 72 hours, and file a final report within 14 days. Non-compliance can draw fines of up to €15 million or 2.5% of global annual turnover, with full application of the regulation’s secure-by-design and update obligations arriving in December 2027.

This matters far beyond Europe. Manufacturers generally build to the strictest applicable standard rather than maintaining separate product lines per region, so CRA-driven security practices are likely to become the global default — the same way GDPR reshaped privacy practices worldwide. The cheapest, most disposable end of the connected-device market, the segment that produces both the Aisuru fodder and the BadBox boxes, is precisely what the combination of the CRA’s reporting obligations and its 2027 conformity requirements is designed to push out. We laid out the full picture in The 24-Hour Clock Starts September 11.

It is worth being clear-eyed about timing. The CRA will not clean a single infected router, and it will not retroactively secure the devices already in homes. Its effects are structural and they will accumulate slowly over the coming years. But for the first time, the underlying incentive that has driven a decade of insecure connected hardware — the fact that shipping insecure devices and staying silent about their flaws carried no cost — is being changed by law.

What This Means for Your Home

The throughline of every one of these stories is the same, and so is the response. The threats are large, industrialized, and largely automated, but the defenses that keep your devices out of them are ordinary and within your control.

Change default passwords on every connected device, especially your router, cameras, and DVRs. Keep firmware up to date and turn on automatic updates wherever the option exists — this single habit defends against the largest category of device-flaw exploitation. Do not expose device management interfaces to the internet; disable remote administration unless you have a specific reason to need it. Buy from manufacturers that publish a security contact and commit to providing updates, and treat the cheapest no-name connected hardware with the skepticism its track record has earned. Segment your IoT devices onto a separate network from your computers and phones to limit the damage if any single device is compromised. And retire devices that no longer receive security updates, because an unsupported device’s vulnerabilities are permanent.
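The checklist above maps naturally onto a household device inventory. The following is an added example, not code from the original briefing, that triages a constructed inventory of four devices against those habits and returns the actions to take, ordered by urgency. The device names, dates, the one-year firmware-staleness threshold and the "lan" versus "iot" network labels are all assumptions made for the example; an unsupported device is marked for retirement and nothing else, since no other fix changes its permanent exposure.

```python
"""Home IoT inventory triage.

Added example: scores a constructed device inventory against the basic
hygiene checklist (default passwords, updates, remote admin, segmentation,
vendor support) and returns the actions to take, most urgent first.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumption for this example: no firmware update in a year counts as stale.
STALE_FIRMWARE_DAYS = 365


@dataclass
class Device:
    name: str
    kind: str                       # "router", "camera", "dvr", "tv_box", ...
    default_password: bool          # factory credential still in use?
    remote_admin_exposed: bool      # management interface reachable from the internet?
    auto_update: bool               # automatic firmware updates turned on?
    last_firmware: Optional[date]   # None = unknown / never updated
    end_of_support: Optional[date]  # None = vendor publishes no support date
    network: str                    # which network segment the device sits on
    vendor_security_contact: bool   # vendor publishes a security contact?


@dataclass
class Finding:
    device: str
    action: str
    severity: str   # "critical", "high" or "medium"


def triage(devices: List[Device], today: date, trusted_network: str = "lan") -> List[Finding]:
    """Return the remediation actions for an inventory, most urgent first."""
    findings: List[Finding] = []
    for d in devices:
        # Retirement trumps everything: an unsupported device's flaws are permanent,
        # so no other action is worth listing for it.
        if d.end_of_support is not None and d.end_of_support < today:
            findings.append(Finding(d.name, "retire: vendor support has ended", "critical"))
            continue
        if d.default_password:
            findings.append(Finding(d.name, "change the default password", "critical"))
        if d.remote_admin_exposed:
            findings.append(Finding(d.name, "disable remote administration", "critical"))
        if not d.auto_update:
            findings.append(Finding(d.name, "enable automatic updates", "high"))
        # Unknown update history is treated the same as a stale one.
        if d.last_firmware is None or today - d.last_firmware > timedelta(days=STALE_FIRMWARE_DAYS):
            findings.append(Finding(d.name, "check for a firmware update (none seen in over a year)", "high"))
        # The router itself must sit on the trusted side; everything else should be segregated.
        if d.network == trusted_network and d.kind != "router":
            findings.append(Finding(d.name, f"move to a segregated IoT network (currently on {trusted_network!r})", "medium"))
        if not d.vendor_security_contact:
            findings.append(Finding(d.name, "vendor publishes no security contact: plan replacement", "medium"))
    order = {"critical": 0, "high": 1, "medium": 2}
    # Stable sort keeps the per-device check order within a severity tier.
    findings.sort(key=lambda f: (order[f.severity], f.device))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity tier."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inventory and reference date (not real devices).
TODAY = date(2026, 6, 15)
SAMPLE_INVENTORY = [
    Device("archer-router", "router", default_password=False, remote_admin_exposed=True,
           auto_update=False, last_firmware=date(2026, 3, 20), end_of_support=None,
           network="lan", vendor_security_contact=True),
    Device("driveway-cam", "camera", default_password=True, remote_admin_exposed=True,
           auto_update=False, last_firmware=None, end_of_support=None,
           network="lan", vendor_security_contact=False),
    Device("living-room-tvbox", "tv_box", default_password=False, remote_admin_exposed=False,
           auto_update=True, last_firmware=date(2026, 5, 1), end_of_support=None,
           network="iot", vendor_security_contact=True),
    Device("old-dvr", "dvr", default_password=True, remote_admin_exposed=True,
           auto_update=False, last_firmware=date(2019, 8, 1), end_of_support=date(2023, 1, 1),
           network="lan", vendor_security_contact=False),
]

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY, TODAY)
    for f in results:
        print(f"[{f.severity:8}] {f.device}: {f.action}")
    print(summarize(results))
```

Running it on the sample inventory lists the exposed router and the unsupported DVR alongside the camera's default password at the top, gives the DVR a single "retire" line, and leaves the up-to-date, segregated TV box with nothing to fix, which is the ordering a household would want to work through.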

None of this is new advice, and that is precisely the point. The attacks keep setting records, the malware keeps evolving, and the regulators are finally moving — but the devices being swept into these botnets are, overwhelmingly, the ones whose owners did none of the basic things. The threat landscape of mid-2026 is more extreme than ever. The path to staying out of it has barely changed at all.
