How devices get hijacked vs. the Afero architecture — two doors, both sealed

The Wall Street Journal recently published a major investigation into hijacked smart-home devices that power large-scale cyberattacks. An estimated 20 million compromised home devices exist in the U.S. alone, quietly conscripted by criminals who route attacks through them while the owner unwittingly takes the blame.

We power tens of millions of connected household devices, so we want to add our perspective.

Creating a coordinated attack is simple

Residential proxy networks and botnets are easy to deploy because laundering criminal traffic through a home internet connection is a trivial network operation. So is flooding a target offline. A bare, simple microcontroller inside a smart lightbulb does both well. Computing power is not the constraint.

The attacks emanate from exactly where most people would assume they are not: the smallest, cheapest, most numerous low-powered devices. Billions of always-on, connected products ship without a security architecture, and they are ripe for conscription.

It only takes one of two doors left open

Attackers can get in through one of two openings:

Unsigned code. Malicious software is inserted at the factory or pushed as a fake update or app, and the device runs it because it cannot verify the source. The device is compromised before the consumer plugs it in. This is the WSJ's subject: streaming boxes and picture frames shipping with pre-installed proxy software, and the same code can be hidden in apps and pirated games. The FBI's BADBOX 2.0 advisory and Germany's BSI tracking of the 'Vo1d' botnet (1.3 million Android streaming devices) describe the same pattern.

Open ports. A device with open ports listens for incoming connections, and attackers scan the internet for whatever ports they can find. The problem is that most cheap devices sit on the internet with every door open. This is the classic Mirai-style botnet path behind most DDoS.

Close both doors, and the conscription playbook fails. Not "becomes harder." Fails.

How Afero closes those two doors

Several mechanisms in the Afero architecture work together to prevent conscription at the source:

Hardware root of trust. Every Afero-powered device gets a unique cryptographic identity at the time of manufacture, secured in silicon. Keys cannot be extracted or cloned, even by an attacker holding the device.

Signed code only. Every piece of software that is attempted to be uploaded to the device is cryptographically verified against those hardware-protected keys. Code injected at the factory or pushed as a fake update simply will not execute. One door closed.

No open ports. Devices call out to the Afero Service. Nothing calls in. Scans find no surface to exploit. Another door closed.

Secure provisioning. Identity and credentials are written before the device leaves the factory. The unsigned-code door stays closed through the supply chain.

End-to-end encryption. Device to cloud, cloud to app, app to device. Every path is encrypted and authenticated.

The WSJ investigation is about the unsigned-code door: backdoor software pre-installed on streaming boxes and picture frames, and the same code sneaked into apps and pirated games. Signed-code enforcement, anchored in the hardware root of trust and locked in by secure provisioning, closes that door before the device leaves the factory. The other door (open ports) is closed too, which covers the older Mirai-style botnets.

What this means if you are building connected products

Your product's security posture is your brand's security posture. The costs of getting it wrong do not stop at a tarnished reputation:

Returns and RMAs when conscripted devices go slow, flaky, or brick.

Support load from customers asking, "Is this thing hacked?"

Retailer shelf risk as channels increasingly screen the security of what they stock.

Regulatory and liability exposure when breach incidents draw legal and governmental attention.

Distrust-driven returns when working devices come back because a customer saw your brand in a security story.

Lasting review damage from a single botnet story naming your product. This is the cost that does not go away when the news cycle does.

Per-unit savings from a cheaper, less secure platform evaporate against any one of these. Against all of them, the savings are replaced by something much more durable: brand damage that outlasts the news cycle.

The compliance trajectory makes this urgent

The U.S. Cyber Trust Mark, the EU Cyber Resilience Act, and the UK PSTI regime converge on a single requirement: security designed in at the time of manufacture, not bolted on at the end. Whether your product clears that bar is decided at chip and platform selection, long before certification.

Afero powers tens of millions of connected devices, including those behind The Home Depot's Hubspace ecosystem, built so they cannot be structurally conscripted. When the doors do not exist, nothing can enter.