Every day new vulnerabilities are exposed, and this "malicious knowledge" can be used by anyone who takes the trouble to read about it. The tech news sites are full of "Millions of devices open to attack due to…" articles. In most cases, security and pen-testing sites (e.g. insecure.org/news/fulldisclosure/, exploit-db.com) provide Proof of Concept (PoC) code that lets anyone test the problem on a device of their choice. On the other hand, there are multiple sources and services that scan the whole Internet on a daily basis (e.g. Shodan HQ, Censys.io) and can be queried for a list of specific devices, for example the ones affected by the latest flaw, which are almost certainly not patched immediately after its release. A criminal just has to use these free sources to build their own botnet, collect sensitive user data, cover their malicious network activities… and whatever else the devices provide for them for free.
In my research I developed a testing system (a framework), which can be fed with weaknesses (PoC code plus query strings) to find the devices that could be good "candidates" for the exploit. With this framework I can test the devices (across a wide range of IPs) and collect the results of these tests easily. This approach has two benefits. 1) We will have an exact list of the devices we cannot trust, because we cannot know who is behind these vulnerable devices (the real owner, a hacker, a botnet... or even the NSA :), and therefore we cannot trust them. 2) We have exact information about the "status" of IoT and network devices: how many are outdated, how many run old firmware with known vulnerabilities, how many use default credentials, and so on.