This talk will outline our research on smart car alarms, solar inverters, car chargers and watches showing critical systemic IoT flaws that allowed trivial access to hundreds of millions of devices. Issues range from zero authentication, to the complete absence of proper authorization checks. Also, the use of numeric identifiers makes pwning some IoT platforms as easy as counting. We’ll discuss how the rush-to-market attitude means that corners are cut with IoT security, and how that introduces multiple Break-Once-Own-Everything vulnerabilities, and how that compares (poorly) with the wider mature web application market. (Mobile & IoT, Security, Vision & Strategy, Ken Munro)