Composite scenario — clearly labeled

The family had done everything right. The work laptop ran Windows Hello. Two-factor authentication protected every account that mattered — Google, banking, the client's project portal. BitLocker was on. The router used WPA3. On paper, the Murrays — a couple outside Columbus, Ohio, with two teenage kids — had a locked-down household.

What they didn't have was a plan for the smart TV.


The scenario

Marcus Murray runs a consulting business from his home office. His wife Carla manages the household. Their son Aiden, 14, has a school-issued Chromebook with monitoring software. Their daughter Mia, 16, built her own gaming desktop — she handles her own security hygiene better than most adults.

Marcus travels for work. When he's on the road, the home network is the only security perimeter between the family's digital life and everything else.

The router was a TP-Link Archer AX20, purchased in 2019. It had never been firmware-updated. The smart TV was a Vizio 55-inch from 2021, and it hadn't received a software update since the second year of ownership. The Amazon Echo in the kitchen came with the house when they bought it — nobody had ever changed its default settings.

None of these devices were obviously misconfigured. They just existed, phoning home to servers nobody audited, on the same local network as Marcus's work laptop and Mia's gaming rig.

The breach started quietly.

Marcus returned from a two-week trip on a Wednesday. He opened his work laptop, connected to the company VPN, entered his password and MFA code, and walked to the kitchen while it loaded.

In those forty seconds, the smart TV — running an outdated version of Vizio's platform — reached out to an external server. It wasn't attacking anything. It was making a routine call home, a behavior indistinguishable from normal operation. The router's firmware was from 2019. It had no inspection capability for outbound IoT traffic.

By the next morning, the router's DNS configuration had been altered. A small change, and one that needed nothing more than the router's admin password, which was still the factory default. It was invisible without logging in to the admin panel, which Marcus had never done. By Thursday, the TV was communicating with a server in Eastern Europe. By Friday, an attacker had a foothold on the home network and was steering and watching the traffic flowing through it.

The work laptop was never directly compromised. The VPN never failed. The 2FA held. The attacker didn't need any of it — they had the network.


How it works

Smart TVs, streaming devices, and consumer routers run embedded Linux or Android variants that receive infrequent security updates. Most don't update automatically. Many don't notify the user when updates are available. The firmware lives where it was installed, unchanged, often for years.

Key figures (sources 3 and 4): 91% increase in router-targeted vulnerability scans in 2024; 42% of CVE-related traffic aimed at routers and IoT devices; 26% of detected home security flaws traced to streaming devices.

The attack surface is real. F5 Labs reported a 91% increase in router-targeted vulnerability scans in 2024, with 42% of all CVE-related traffic aimed at routers and IoT devices — not because routers are uniquely broken, but because they're the single point of entry for an entire network, and most of them never get patched.

Streaming devices account for over a quarter (26%) of the security flaws detected in the average home; smart TVs follow at 21%. CISA has added multiple D-Link and Edimax IP camera vulnerabilities to its Known Exploited Vulnerabilities catalog, meaning they are being actively exploited in the wild, not just theorized.

A compromised TV doesn't need to be the target. It just needs to be a listening post on the same network as devices that are. Once it has a foothold, it can reach the router's admin interface from inside the network, point the household's DNS at a resolver the attacker controls, and steer connections from every other device through servers the attacker runs. Traffic that was never encrypted is logged outright; devices that accept an attacker's certificate, because they don't validate or pin TLS certificates, can have session tokens captured in transit. The router, designed for throughput not inspection, lets it happen. The smart TV, designed for convenience not security, doesn't know it's a vessel.

The FBI has warned explicitly: "A bad cyber-actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router."

That backdoor doesn't close on its own.


Why families, specifically

Enterprise networks are segmented. IoT devices live in their own VLAN, firewalled off from workstations. Endpoint detection runs on every machine. Routers receive firmware updates as part of a change management process. If an IoT device is compromised in an enterprise environment, lateral movement is blocked by design.

Home networks weren't designed for this. The average connected household now carries 22 internet-connected devices — each one a potential entry point, none of them updated reliably. The router that connects them was built to share bandwidth, not to enforce trust boundaries.

The consequence is that a household where every laptop is locked down and every important account has 2FA can still be fully compromised through a refrigerator's unpatched firmware or the TV's outdated operating system. The family's security posture is determined by its weakest link, and that link is rarely the device anyone thinks about.

The Raptor Train botnet case illustrates the scale. In 2024, a botnet made up of over 200,000 compromised SOHO routers and IoT devices, many of them end-of-life and no longer receiving patches, was operated by a Chinese company that the FBI assessed was working at the direction of the Chinese government. The devices weren't targeted individually. They were scanned, compromised at scale, and added to a botnet used to mask the origin of further attacks. Most of the owners had no idea.

That's the consumer reality. The gap between what households think their security posture is and what it actually is runs through the firmware update that never happened.


What would have tipped off a vigilant household

The router's admin panel showed DNS servers the family didn't set. That's a canonical sign of a compromised router: once name resolution goes through a server the attacker controls, any connection that begins with a DNS lookup can be steered to a host of the attacker's choosing.

The smart TV's traffic pattern changed subtly. Smart TVs make regular calls to a manufacturer's server, but if the frequency, timing, or destination changes, it's worth noting. Without network monitoring, this is nearly impossible to catch in real time; with even a basic record of which outside hosts each device talks to, and how often, it stands out.

The router's firmware was years out of date. NSA guidance for home networks recommends regular reboots and firmware updates as a baseline defense. The Archer AX20 still ran the firmware it shipped with in 2019. TP-Link had since issued newer firmware that patched known vulnerabilities. The update never happened.

The router's admin panel still accepted its factory default password, and the Echo had never had its default settings reviewed. Most IoT devices that get compromised in bulk attacks are taken over through default credentials; the attacker doesn't need a sophisticated exploit when "admin / admin" still works.

Each of these signals is invisible without someone looking. That's the nature of the threat: it operates below the threshold of normal household awareness.
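The first two signals above (a resolver the family never configured, and a device whose outbound destinations or call-home rate drift from its own history) are mechanical to check once there is a record of what normal looked like. The script below is an added example for this page, not SafeHaven's tooling or anything from the scenario's devices: it baselines per-device external destinations from flow records and then flags new resolvers, new destinations, and a jump in connection rate. The device names, IP addresses, flow records and the expected-resolver set are constructed for illustration, and the 3x rate threshold is an assumption.

```python
"""Baseline-drift checks for a home network, run over constructed sample records.

Added example for this page. The device names, addresses and flow records are
constructed; in practice they would come from a router's flow export, a Pi-hole
query log, or a tap on the LAN segment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")

# Assumption: the resolvers the household (or its ISP) configured when the network was baselined.
EXPECTED_DNS = {"192.168.0.1", "1.1.1.1"}


def make_flows(device, dst, port, start, every, count):
    """Build `count` flow records (timestamp, device, dst_ip, dst_port) at a fixed interval."""
    return [(start + i * every, device, dst, port) for i in range(count)]


T0 = datetime(2025, 3, 1)
DAY = timedelta(days=1)

# Baseline: 30 days of the TV phoning home every 6 hours and the laptop talking to its VPN.
BASELINE_FLOWS = (
    make_flows("vizio-tv", "203.0.113.10", 443, T0, timedelta(hours=6), 120)
    + make_flows("work-laptop", "198.51.100.5", 443, T0, timedelta(hours=8), 90)
)
# Recent day: the same call-home, plus the TV beaconing every 15 minutes to a host it never contacted before.
RECENT_FLOWS = (
    make_flows("vizio-tv", "203.0.113.10", 443, T0 + 30 * DAY, timedelta(hours=6), 4)
    + make_flows("vizio-tv", "198.51.100.77", 8443, T0 + 30 * DAY, timedelta(minutes=15), 96)
    + make_flows("work-laptop", "198.51.100.5", 443, T0 + 30 * DAY, timedelta(hours=8), 3)
)


def external_destinations(flows):
    """Map device -> set of (dst_ip, port) pairs outside the LAN."""
    seen = defaultdict(set)
    for _, device, dst, port in flows:
        if ipaddress.ip_address(dst) not in LAN:
            seen[device].add((dst, port))
    return seen


def unexpected_dns(configured):
    """Resolvers the router hands out that are not in the household's baseline."""
    return sorted(set(configured) - EXPECTED_DNS)


def new_destinations(baseline, recent):
    """Destinations a device contacted recently but never during the baseline period."""
    before, now = external_destinations(baseline), external_destinations(recent)
    drift = {}
    for dev, dests in now.items():
        added = dests - before.get(dev, set())
        if added:
            drift[dev] = sorted(added)
    return drift


def connection_rate_change(baseline, recent, device, factor=3.0):
    """Return (baseline per-day rate, recent per-day rate, jumped) for one device.

    A recent rate at least `factor` times the baseline is flagged (factor is an assumption).
    """
    def per_day(flows):
        stamps = [t for t, dev, _, _ in flows if dev == device]
        if not stamps:
            return 0.0
        days = max((max(stamps) - min(stamps)).total_seconds() / 86400, 1.0)
        return len(stamps) / days

    base_rate, recent_rate = per_day(baseline), per_day(recent)
    return base_rate, recent_rate, recent_rate >= factor * base_rate


def audit(configured_dns, baseline, recent):
    """Collect the findings a vigilant household would want surfaced."""
    findings = []
    for server in unexpected_dns(configured_dns):
        findings.append(f"router DNS changed: {server} is not a configured resolver")
    for dev, dests in new_destinations(baseline, recent).items():
        for ip, port in dests:
            findings.append(f"{dev}: new external destination {ip}:{port}")
    for dev in sorted({d for _, d, _, _ in recent}):
        base, now, jumped = connection_rate_change(baseline, recent, dev)
        if jumped:
            findings.append(f"{dev}: {base:.1f}/day -> {now:.1f}/day connections")
    return findings


if __name__ == "__main__":
    # Constructed: the router now hands out an unfamiliar resolver alongside the ISP's.
    for line in audit(["192.168.0.1", "198.51.100.53"], BASELINE_FLOWS, RECENT_FLOWS):
        print(line)
```

Run against the constructed data, the audit reports three things: a resolver that was never configured, the TV's new destination on port 8443, and the TV's connection rate climbing from about four a day to a hundred. The work laptop, which kept its usual VPN pattern, produces nothing. The point of baselining per device rather than per network is that a TV talking to one new host is a signal, while a laptop talking to one new host is Tuesday.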


What a household can do

The honest answer is that this is more complex than it should be, and anyone who tells you otherwise is selling something.

01

Change the router admin password, and the admin password on any IoT device that has one (cameras, NAS boxes, printers). Factory default credentials that were never changed are the single most common way consumer routers and IoT devices are taken over; a unique password closes that door.

02

Update router firmware. Many consumer routers still require manual firmware updates: there is no automatic mechanism, or it is off by default, and the interface is often buried. Turn on automatic updates if the router offers them. If a manufacturer has stopped supporting a model, replace it. End-of-life means end-of-patches; any vulnerability discovered after the last update is permanent.

03

Use a guest network or VLAN for IoT devices, with client isolation enabled so devices on it cannot see each other or the main network. Put the smart TV, the Echo, and anything that doesn't need to talk to the laptops on that segment. This won't stop a determined attacker, but it blocks the opportunistic lateral movement that most consumer compromises rely on.

04

Disable UPnP on the router. Universal Plug and Play is a convenience feature that lets devices punch holes through the firewall to accept incoming connections. It was designed before this threat landscape existed. Turning it off is one of the highest-signal, lowest-complexity changes available. While in the same menu, make sure remote (internet-side) administration of the router is off as well.

05

Replace devices that have reached end-of-support. When a manufacturer stops releasing firmware updates for a device, the window stays open indefinitely. This is a hardware problem that no amount of password hygiene can solve.
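The five steps above are a checklist, and a checklist can be evaluated by a script once someone has written down what is on the network. The following is an added example for this page, not SafeHaven's intake audit or any vendor's tool: it takes a constructed router configuration and device inventory and reports which of the steps still apply, using the step numbers above. The device list, dates, subnets, the list of "default" passwords and the 18-month firmware-age threshold are all assumptions made for the illustration; the router values would be read off the admin page and the device firmware dates from each device's settings menu.

```python
"""Home-network posture check against the five household steps, over a constructed inventory.

Added example for this page. Subnets, default-password list, the firmware-age threshold,
and every device and date below are constructed assumptions, not vendor data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import ipaddress

MAIN_NET = ipaddress.ip_network("192.168.0.0/24")   # laptops, phones, desktops
IOT_NET = ipaddress.ip_network("192.168.20.0/24")   # guest network / VLAN for TV, speakers, cameras
FIRMWARE_STALE_AFTER_DAYS = 18 * 30                 # assumption: flag firmware older than ~18 months
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", ""}  # assumption: common factory defaults


@dataclass
class Router:
    admin_password: str
    firmware_date: date
    latest_firmware_date: date        # newest build the vendor has published
    upnp_enabled: bool
    wan_admin_enabled: bool           # admin panel reachable from the internet
    guest_isolation_enabled: bool


@dataclass
class Device:
    name: str
    ip: str
    role: str                         # "iot" or "endpoint"
    firmware_date: date
    end_of_support: Optional[date]    # None while the vendor still ships updates


def router_findings(router):
    """Steps 01, 02, 03 and 04 as they apply to the router itself."""
    f = []
    if router.admin_password in DEFAULT_ADMIN_PASSWORDS:
        f.append("router: admin password is a factory default (step 01)")
    if router.latest_firmware_date > router.firmware_date:
        f.append(f"router: firmware {router.firmware_date} is behind vendor build "
                 f"{router.latest_firmware_date} (step 02)")
    if not router.guest_isolation_enabled:
        f.append("router: guest/IoT network has no client isolation (step 03)")
    if router.upnp_enabled:
        f.append("router: UPnP enabled, devices can open inbound ports (step 04)")
    if router.wan_admin_enabled:
        f.append("router: admin panel reachable from the internet (step 04)")
    return f


def device_findings(devices, today):
    """Steps 02, 03 and 05 as they apply to each connected device."""
    f = []
    for d in devices:
        if d.role == "iot" and ipaddress.ip_address(d.ip) in MAIN_NET:
            f.append(f"{d.name}: IoT device on the main segment, move it to {IOT_NET} (step 03)")
        if d.end_of_support is not None and d.end_of_support <= today:
            f.append(f"{d.name}: end of support {d.end_of_support}, replace it (step 05)")
        elif (today - d.firmware_date).days > FIRMWARE_STALE_AFTER_DAYS:
            f.append(f"{d.name}: firmware from {d.firmware_date}, check for an update (step 02)")
    return f


def posture(router, devices, today):
    """Every step that still applies, router first, then devices."""
    return router_findings(router) + device_findings(devices, today)


# Constructed inventory resembling the scenario: never-touched router, TV and Echo on the main
# segment, and an IP camera that did land on the IoT segment but whose vendor stopped patching it.
TODAY = date(2025, 3, 1)
ROUTER = Router("admin", date(2019, 8, 1), date(2024, 11, 1), True, False, False)
DEVICES = [
    Device("work-laptop", "192.168.0.10", "endpoint", date(2025, 2, 20), None),
    Device("vizio-tv", "192.168.0.22", "iot", date(2022, 10, 1), None),
    Device("echo-kitchen", "192.168.0.23", "iot", date(2025, 1, 15), None),
    Device("ip-camera", "192.168.20.5", "iot", date(2021, 3, 1), date(2023, 12, 31)),
]

if __name__ == "__main__":
    for line in posture(ROUTER, DEVICES, TODAY):
        print(line)
```

On the constructed inventory this produces eight findings: four against the router (default password, stale firmware, no isolation, UPnP on) and four against devices (the TV and Echo sitting on the main segment, the TV's firmware age, and the out-of-support camera). A router with a unique password, current firmware, isolation on and UPnP and remote admin off produces none. The end-of-support check deliberately wins over the firmware-age check: a device the vendor has abandoned gets a "replace" finding, not a "look for an update" finding, because there is no update to look for.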

None of this is intuitive. Most of it requires a level of network knowledge that the average household doesn't have and shouldn't need to develop. The reason it doesn't get done is that the risk is invisible until it isn't.


What SafeHaven does about it

The Guardian watches this layer so the household doesn't have to.

During intake, a home network baseline audit identifies what's connected and flags what matters. The router's firmware status. The age of each IoT device. Whether the router supports guest network isolation and whether it's enabled. The inventory is specific to that household, not a generic security checklist.

Outdated firmware gets flagged. The Guardian walks the household through updating it — not with a link to a generic support page, but with specific step-by-step instructions for their router model. This gets done, because someone is making it happen.

IoT device behavior is monitored for the small disturbances that precede a real intrusion: a new DNS server that wasn't there before, an IoT device suddenly initiating connections to external IPs it hasn't touched in months, unexpected ports open on the router's internet-facing side. These are the things that don't show up in a password manager or a 2FA setup, but they're the actual first signals of an intrusion.

Ongoing coverage includes a rolling assessment of the IoT attack surface — flagging devices that reach end-of-life status, tracking new device additions to the network, monitoring for the behavioral drift that a passive household would never detect.

The goal isn't to turn the Murrays into network engineers. It's to be the person who checks the things they'd never think to check, so that when a smart TV with three years of unpatched firmware sits on the same network as a work laptop, someone notices.

The attack surface isn't your password. It's the device nobody thinks about.

The Murrays didn't get compromised because they were careless. They got compromised because the smart TV had been quietly vulnerable for three years, the router's firmware update button sat there unclicked, and nobody had any reason to look.

That version of the story, uneventful, invisible, unremarkable, never makes the news. The version that does make the news involves the work laptop, the VPN, the client portal. People talk about how the 2FA failed or the VPN was compromised. The smart TV's firmware, three years out of date and sitting silently on the same network, gets a footnote.

The Guardian knows which door was actually unlocked.

Sources

  1. FBI — "Home Internet Connected Devices Facilitate Criminal Activity," 2025 — public advisory on IoT botnets exploiting home networks. fbi.gov
  2. CISA + FBI — "Defending Against China-Nexus Covert Networks of Compromised Devices" — Raptor Train botnet, 200,000+ devices, end-of-life SOHO routers and IoT. cisa.gov
  3. NETGEAR + Bitdefender — "2025 IoT Security Landscape" — 22 connected devices per household on average; 29 attacks per home per day; streaming devices and smart TVs account for 26% and 21% of detected security flaws respectively. netgear.com
  4. F5 Labs — "Hidden Security Risks Inside Smart Home Hubs and Routers" — 91% increase in router-targeted vulnerability scans in 2024; 42% of CVE-related traffic aimed at routers and IoT devices. totaldefense.com
  5. CISA — Known Exploited Vulnerabilities catalog — multiple D-Link and Edimax IP camera vulnerabilities confirmed in active exploitation. cisa.gov
  6. FBI Portland Field Office — Consumer advisory, smart TV security — "A bad cyber-actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router." fbi.gov