The Federal Bureau of Investigation issued a public service announcement on June 5, 2025, warning that cybercriminals are actively exploiting everyday smart home devices to conduct illegal operations. The alert singles out a specific threat, the BADBOX 2.0 botnet, and identifies products most consumers would never suspect as security risks: TV streaming boxes, digital picture frames, digital projectors, and even vehicle infotainment systems. The warning arrives as the number of Internet-connected gadgets in American homes continues to climb, raising the stakes for anyone who plugs in a new device without thinking twice about its security.
According to the FBI, the BADBOX 2.0 campaign is part of a broader pattern in which low-cost, Internet-connected electronics are preloaded with or later infected by malicious software that quietly enlists them in criminal schemes. Many of these devices are marketed primarily on price and convenience, with little transparency about how long they will receive security updates or whether their default settings are hardened against basic attacks. The result is a shadow network of compromised gadgets that can be steered by criminals with little risk of detection, while unsuspecting owners continue using them for everyday tasks like streaming movies or displaying family photos.
How BADBOX 2.0 Turns Your Gadgets Against You
The FBI’s latest alert describes a specific mechanism behind the threat. Cybercriminals are using the BADBOX 2.0 botnet, a successor to the original BADBOX operation, to hijack consumer Internet of Things devices and press them into service for criminal activity. Once a device is compromised, attackers can route their traffic through it using residential proxy services, effectively masking illegal operations behind a homeowner’s IP address. That means a family’s streaming stick or digital photo display could be relaying data for fraud rings, spam campaigns, or worse, all without any visible sign of trouble.
The devices flagged in the announcement are not high-end computers or enterprise servers. They are the kind of low-cost, often off-brand electronics that consumers pick up without much scrutiny. TV streaming devices, digital projectors, and vehicle infotainment systems all made the FBI’s list. The common thread is that these products frequently ship with outdated software, weak default credentials, or firmware that never receives security patches. That combination creates an easy entry point. Attackers do not need to trick the user into clicking a malicious link; the device itself can be exploited as soon as it connects to a home network, quietly transforming it into infrastructure for someone else’s crime.
The Threat Goes Beyond Data Theft
Most coverage of IoT security focuses on stolen passwords and personal data, and those risks are real. The FBI’s Internet Crime Complaint Center warned as far back as 2017 that compromised smart devices enable criminals to facilitate attacks on other systems, steal personal information, send spam emails, and conscript devices into distributed denial-of-service attacks. But the risk profile extends further than many people realize. The same advisory noted that compromised IoT devices can interfere with physical safety, a category that covers everything from smart locks that can be remotely disengaged to baby monitors and cameras that can be accessed by unauthorized users, potentially allowing intruders to monitor a household’s routines.
A separate FBI explainer on IoT security spells out how a single weak device opens the door to an entire household’s digital life. When an attacker gains control of one gadget, they can use it for lateral movement into the broader home network, reaching laptops, phones, and any other connected equipment. That lateral access enables theft of personally identifiable information and credentials stored on other devices. The practical result is that a compromised thermostat or webcam is not just a privacy nuisance; it is a beachhead. The FBI has listed thermostats and other smart devices among the common household IoT categories that carry this risk, and each one represents a potential network entry point that can be abused for long-term surveillance or financial fraud.
Every New Device Widens the Attack Surface
The math behind the threat is straightforward: every connected device added to a home or business network is another opportunity for hackers to break in. Washington state’s Office of Cybersecurity, echoing FBI guidance, has warned that each connected device represents an opportunity for attackers, and that compromised gadgets can cause business Internet connections to run slow as they are quietly drafted into botnets or proxy networks. The problem scales with adoption. As households add smart speakers, connected appliances, and wearable devices, the total number of potential weak points grows accordingly, and the likelihood increases that at least one poorly secured product will be present on the network.
The FBI and the Cybersecurity and Infrastructure Security Agency have also signaled concern about a related problem: devices that reach end-of-support status and stop receiving security updates altogether. A joint advisory from both agencies addresses the need to reduce the attack surface for end-of-support edge devices, which can maintain a persistent network presence and compromise sensitive data long after the manufacturer has moved on. This is a blind spot that many consumers share: the assumption that a device is safe simply because it still powers on. In practice, an unpatched smart TV from three years ago may be more vulnerable than a brand-new one, and most owners have no easy way to check whether security fixes are still being delivered or if the product has quietly aged out of protection.
Can a Label Fix the Problem?
The U.S. government has begun rolling out a response aimed at the consumer side of the equation. The U.S. Cyber Trust Mark is a labeling program designed to help shoppers identify IoT products that meet baseline security standards. According to The Associated Press, the program covers device categories including baby monitors, cameras, and appliances, and it reflects regulators’ recognition that consumer purchasing decisions can either reward or penalize manufacturers for their security practices. The idea is that a clear, recognizable logo on the box will signal that a product has met specific criteria for secure development, default settings, and update commitments.
Labels alone, however, cannot fully solve the problem that BADBOX 2.0 highlights. Many of the riskiest devices are inexpensive imports or white-label products that may never seek certification, and even labeled products can become vulnerable if owners fail to apply updates or change default passwords. Earlier FBI guidance on cybercrime trends has emphasized that criminals are quick to exploit the easiest available weaknesses, whether that means poorly secured consumer gadgets or outdated business systems, and that users must pair better products with better habits. In practice, that means checking for security features before buying, keeping firmware current, disabling unused services, and replacing devices that no longer receive patches, even if they still seem to work.
What Consumers Can Do Right Now
While the BADBOX 2.0 botnet underscores systemic issues in how smart devices are built and sold, the FBI’s messaging also stresses practical steps that individuals can take immediately. The Bureau encourages users to change factory-set passwords, enable automatic updates where possible, and segment their home networks so that high-risk gadgets like streaming boxes and cameras are isolated from laptops and work devices. The agency’s broader cybercrime outreach, including alerts and public service announcements shared through channels like the FBI’s email subscription service, is meant to keep both consumers and small businesses informed as new threats emerge and known botnets evolve.
For anyone who suspects their devices may already be compromised, federal guidance recommends watching for unusual behavior such as unexplained spikes in data usage, sluggish Internet performance, or settings that change without user input. Past advisories from the Internet Crime Complaint Center have also urged victims of cyber-enabled crime to preserve logs, screenshots, and other evidence and to report incidents promptly so investigators can spot patterns and warn others. In one earlier bulletin, IC3 highlighted how botnets and related schemes can inflict financial losses that are difficult to recover without timely reporting, reinforcing the idea that vigilance and quick action are part of effective defense.
The FBI’s June 2025 warning about BADBOX 2.0 closes with a reminder that no single step, whether a new label, a firmware patch, or a router upgrade, will eliminate the risk on its own. Instead, the Bureau urges the public to combine careful purchasing decisions, ongoing maintenance, and prompt reporting if something seems wrong. In its public guidance on BADBOX 2.0, the agency frames this as a shared responsibility between manufacturers, service providers, and end users. As smart devices become more deeply woven into daily life, that shared responsibility may be the only realistic way to keep the conveniences of a connected home from becoming cover for someone else’s crime.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
