The U.S. government is considering a ban on TP-Link routers, citing security flaws and ties to China. This echoes the restrictions already in place under Section 889 of the National Defense Authorization Act (NDAA), which prohibits federal agencies and contractors from using equipment from certain Chinese manufacturers like Huawei and ZTE due to national security concerns. 

But this issue extends far beyond compliance with government regulations. It’s a wake-up call for enterprises everywhere about how unmanaged, consumer-grade devices like TP-Link routers — commonly found in SOHO (Small Office/Home Office) environments — are reshaping cybersecurity. Whether it’s a TP-Link router or another shadow IoT device, these unmanaged assets are often hidden in your network, creating blind spots that attackers can exploit. 

According to Ordr’s latest Rise of the Machines report, 42% of enterprise assets are classified as agentless, and the average network contains over 50 high-risk or even banned devices. These unmanaged devices blur the lines between personal and corporate environments, expanding the attack surface in ways most organizations aren’t prepared to address. 

As these assets proliferate, enterprises must confront the risks they bring — not just for compliance, but for the security of their entire network. Let’s explore the dangers of shadow IoT and how you can take back control. 

The Enterprise Risks of Shadow IoT SOHO Devices

The risks posed by SOHO devices are no longer theoretical. A recent Microsoft report revealed how TP-Link routers have been exploited in botnet operations and password-spraying attacks. Similarly, Ordr’s analysis of Volt Typhoon tactics showed how nation-state actors specifically target SOHO devices as entry points into enterprise environments. 

The blending of personal and corporate environments only increases these risks. Here’s a breakdown of the top threats these devices pose: 

Poor Device Security

Shadow IoT devices, like SOHO routers and IP cameras, often lack basic security measures such as encryption or segmentation. Attackers exploit these gaps to gain unauthorized access. Devices designed for consumer use — like gaming consoles and smart TVs — frequently connect to enterprise systems, creating significant vulnerabilities. When we put together Rise of the Machines, we found these assets and more within most enterprises. 

Facilitating Lateral Movement

Once attackers infiltrate a shadow IoT device, they often use it as a springboard for lateral movement. With 31.6% of agentless devices communicating internally and 35.7% connecting externally, according to Rise of the Machines, these devices create pathways for attackers to spread across your network. This connectivity dramatically increases the blast radius of any successful attack, making containment even more difficult. 

Extending Response Times 

The lack of visibility into shadow IoT devices significantly delays breach detection and response. As highlighted in IBM’s 2024 Cost of a Data Breach Report, unmanaged devices contribute to a 26.2% longer breach identification time and a 20.2% longer containment time. These delays can mean the difference between a manageable incident and a catastrophic breach. 

The Path Forward for Enterprises

Managing the risks posed by SOHO devices and shadow IoT doesn’t have to feel overwhelming. By taking a strategic, step-by-step approach, you can significantly reduce your exposure. Here’s how: 

Discover and Classify All Devices

Not only is identifying devices crucial for security, but it’s also a compliance imperative. Tools like Ordr’s asset discovery solutions can help organizations pinpoint SOHO and shadow IoT devices, ensuring compliance with regulations like Section 889 while addressing broader cybersecurity risks. 

Assess and Address Risks 

Once devices are identified, prioritize addressing the highest risks. Apply patches and updates where possible. For unpatchable devices, use compensating controls like firewalls, access restrictions, and real-time monitoring to mitigate threats. 

Monitor and Respond to Anomalies

Continuous monitoring is key to staying ahead of attackers. Track device activity in real time and set up alerts for unusual behaviors, such as unexpected external communications or lateral movement within the network. 

Enforce Zero Trust to Contain Risks

Adopt Zero Trust principles to minimize access for shadow IoT devices. Microsegmentation and least-privilege access policies ensure that every connection is verified, reducing the likelihood of an attacker moving freely within your network. 
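One way to turn the monitor-and-segment steps above into detection logic, as an added example that is not Ordr's code: flow records from devices the discovery step classified as unmanaged are checked for unexpected external connections, for destinations outside each device's allowed segments, and for internal fan-out that resembles lateral movement. The inventory, the allowed segments and the flow records are constructed sample data, and the fan-out threshold is an assumption.

```python
from collections import defaultdict
import ipaddress

INTERNAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]

# Constructed inventory (output of the discover/classify step): device class, whether
# an agent manages it, and the internal segments the device is allowed to reach.
INVENTORY = {
    "10.1.5.20": {"class": "soho_router", "managed": False, "allowed": ["10.1.5.0/24"]},
    "10.1.5.44": {"class": "ip_camera", "managed": False, "allowed": ["10.1.9.10/32"]},
    "10.1.7.3": {"class": "workstation", "managed": True, "allowed": []},
}

FLOWS = [  # constructed flow records: (source IP, destination IP, destination port)
    ("10.1.5.20", "10.1.5.30", 80),      # router inside its own segment: expected
    ("10.1.5.20", "203.0.113.9", 443),   # router reaching out to the internet: alert
    ("10.1.5.44", "10.1.9.10", 554),     # camera streaming to its recorder: expected
    ("10.1.5.44", "10.1.2.1", 445),      # camera talking SMB into a server segment
    ("10.1.5.44", "10.1.2.2", 445),
    ("10.1.5.44", "10.1.2.3", 445),      # three hosts outside its segment: fan-out
    ("10.1.5.99", "10.1.5.1", 53),       # source missing from inventory: discovery gap
    ("10.1.7.3", "198.51.100.7", 443),   # managed workstation: covered by its agent
]


def in_any(ip: str, nets) -> bool:
    """True if ip falls inside any of the given CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in nets)


def find_anomalies(flows, inventory, fanout_threshold=3):
    """Return (source, reason) pairs for unexpected traffic from unmanaged devices."""
    alerts, stray_peers = [], defaultdict(set)
    for src, dst, port in flows:
        dev = inventory.get(src)
        if dev is None:
            alerts.append((src, "unknown_device"))  # fix the inventory, not just the flow
            continue
        if dev["managed"]:
            continue  # agent-based controls cover this host
        if not in_any(dst, INTERNAL_NETS):
            alerts.append((src, f"external:{dst}:{port}"))
        elif not in_any(dst, dev["allowed"]):
            alerts.append((src, f"segment_violation:{dst}:{port}"))
            stray_peers[src].add(dst)
    # Many distinct internal peers outside the allowed segments looks like lateral movement.
    for src, peers in stray_peers.items():
        if len(peers) >= fanout_threshold:
            alerts.append((src, f"lateral_fanout:{len(peers)}"))
    return alerts
```

The same `allowed` segments double as the microsegmentation policy: a flow that trips `segment_violation` here is one a least-privilege policy should have blocked at the network.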

Securing Shadow IoT in an Interconnected World

The TP-Link news is a stark reminder of the risks posed by SOHO devices and unmanaged assets. These aren’t just security vulnerabilities — they’re also compliance risks. Regulations like Section 889 of the NDAA, which bans certain Chinese-manufactured equipment from federal networks, highlight the increasing scrutiny on unmanaged devices. Enterprises need to address these challenges proactively, not just to secure their networks but to avoid potential regulatory fallout. 

Shadow IoT devices, like TP-Link routers and other SOHO hardware, continue to blur the line between personal and corporate environments. Nation-state actors, such as those behind Volt Typhoon, exploit these unmanaged devices as entry points into enterprise systems, creating blind spots that attackers use to infiltrate, spread laterally, and delay breach responses. 

To stay ahead, enterprises must take action: uncover unmanaged devices, assess their risks, and implement controls to mitigate them. Tools like Ordr can help bridge the gap between compliance and robust security. 

To learn more about managing shadow IoT and agentless devices, check out our Rise of the Machines report or explore our Volt Typhoon analysis for actionable insights. Don’t let shadow IoT leave your organization exposed. 
