Lucas Lundgren sat at his desk as he watched prison cell doors hundreds of miles away from him opening and closing. He could see the various commands floating across his screen in unencrypted plain text.

"I could even issue commands like, 'all cell blocks open'," he said in a phone call last week. Without being there, he couldn't know for sure if his actions would've had real-world consequences. "I'd probably only know by reading about it in the newspaper the next day," said Lundgren, a senior security consultant at IOActive. It's because those cell doors are controlled by a little-known but popular open-source messaging protocol known as MQTT.

Your Roomba may be vacuuming up more than you think. High-end models of Roomba, iRobot’s robotic vacuum, collect data as they clean, identifying the locations of your walls and furniture.

This helps them avoid crashing into your couch, but it also creates a map of your home that iRobot is considering selling to Amazon, Apple or Google. Colin Angle, chief executive of iRobot, told that a deal could come in the next two years, though iRobot said in a statement on Tuesday: “We have not formed any plans to sell data.” In the hands of a company like Amazon, Apple or Google, that data could fuel new “smart” home products.

The security woes of the internet of things stem from more than just connecting a bunch of cheap gadgets to a cruel and hacker-infested internet. Often dozens of different vendors run the same third-party code across an array of products.

That means a single bug can impact a startling number of disparate devices. Or, as one security company's researchers recently found, a vulnerability in a single internet-connected security camera can expose a flaw that leaves thousands of different models of device at risk. On Tuesday, the internet-of-things-focused security firm Senrio revealed a hackable flaw it's calling "Devil's Ivy."

Security researchers have discovered a number of vulnerabilities in an internet-enabled burglar alarm that could see the device being remotely switched off by an attacker.

According to a blog post, Ilia Shnaidman, head of security research at Bullguard, said that the discovery of multiple flaws in iSmartAlarm is another example of a poorly engineered device that offers attackers an easy target. The device, said Shnaidman, has flaws that can lead to full device compromise. The cube-shaped iSmartAlarm provides a fully integrated alarm system with siren, smart cameras and locks. 

Smart-home controllers from German company AGFEO have adopted best practice internet things security by offering an unsecured Web admin interface. The now-patched attack vectors included unauthenticated access to some services, authentication bypass, cross-site scripting (XSS) vulns, and hard-coded cryptographic keys.

The bugs were discovered by SEC Consult, and landed on Full Disclosure after the vendor finally released an update. The AGFEO ES 5xx and 6xx firmware has three certificates with their associated private keys, which would ultimately let an attacker get administrative credentials and do as they pleased.

Google’s thesis to the automotive industry came packaged in a red glinting Maserati Ghibli. The luxury sedan, parked outside last year’s Google I/O developer conference, might have looked like just another sports car — a ubiquitous sight in Silicon Valley. 

But what was inside captured the interest of automakers. And now, some automakers are buying into what they found, despite long-held fears of giving up too much control to outsiders like Google. “The traction we’re seeing in the car space is just ridiculous,” Patrick Brady, vice president of engineering for Android, told. “It’s surprising even to us and has caught us off guard.”

Security researchers have discovered a new Internet of Things botnet dubbed Persirai targeting more than 1,000 different Internet Protocol camera models. Around 120,000 IP cameras are vulnerable to the malicious malware with many unsuspecting owners unaware that their devices are exposed to the internet.

The researchers said this makes it easier for the attackers behind the new malware to infiltrate the IP camera's web interface via TCP Port 81. Once a hacker logs into the vulnerable device's interface, the attacker can then perform a command injection to force the IP camera to connect to a download site to issue commands that download and execute malicious shell scripts.

A hacker called The Janitor has created multiple versions of a program called BrickerBot, a system that searches out and bricks insecure IoT devices. A researcher named Pascal Geenens has followed the worm for a few weeks and has seen it pop up and essentially destroy infected webcams and other IoT devices.

The devices all used a Linux package called BusyBox and had exposed telnet-based interfaces with default passwords. These devices were easily exploited by the Mirai botnet, which essentially turned them into denial-of-service weapons. BrickerBot finds these devices and renders them unusable.

Hajime the IoT worm that's supposedly trying to block rival botnets, including the famous and mighty Mirai, has reportedly compromised some 300,000 devices already. The data shows the impressive magnitude of this worm that was apparently built by a vigilante white hat.

The rapidly spreading IoT worm fights against the likes of Mirai for control of the products, closing off some ports that are normally exploited by it. While this is great news, it's still a worrying fact that such a worm is spreading so fast because the code allows the creator to change its purpose quite easily. This means the hacker has the ability to go from white hat to black hat.

Malware which targeted IoT devices was doing more than launching DDoS attacks, researchers discovered, but they question how effective it would be. Security researchers have unearthed code in a Mirai botnet enabling it to mine for bitcoins using IoT devices.

Researchers at IBM's X-force found late last month the functionality in a variant of the ELF Linux/Mirai malware. The bitcoin attack started on 20 March, peaking on 25 March, but three days later the activity subsided. What the researchers found in a sample of the code was the same Mirai functionality ported over from the Windows version but with a focus on attacking Linux machines running BusyBox.