by 0xbadc0de5 1644 days ago
Just a few thoughts on this. IoT is a very wide category of devices. The results will vary widely depending on which sub-category a particular IoT attacker finds themselves with access to. As a generalization, attackers may be grouped into two categories: professional and amateur. A professional would be looking to monetize access, whereas an amateur is seeking access for other reasons (voyeurism, technical challenge, etc.). Of course, the categories can be made more or less granular - this is just to highlight that when discussing results, it is helpful to consider attacker motivations.

Take the case of an IoT camera, for example. From an attacker perspective, an IoT camera offers two points of interest: broader access to the local network (i.e. as a jumpbox), use as a bot in a botnet (which is directly monetizable), and voyeuristic access (that may be further leveraged for monetization). However, a consumer broadband router is a better-suited target for both local access and botnet use due to both its position at the network gateway and its typically higher processing resources.

But IoT is not limited to consumer devices - industrial control systems (automation, HVAC, etc.), telecom (i.e. cell towers), civic services (traffic lights, water treatment), payment processing (ATMs, PoS, etc.), heavy equipment (mining, farming), etc., all fall into the category of connected "things". The attack surface on any particular device will vary widely in each of these, and the risks depend largely on the attacker motivations - an amateur who finds themselves with coincidental access to an electrical sub-station would arguably pose less risk than a nation-state attacker with targeted access.