Is Your Business at Risk from Home Workers?

16 December 2025 | Advantex Network Solutions Ltd

Remote and hybrid working are now standard practice for many organisations, yet home networks remain one of the least controlled and least understood parts of the corporate attack surface.

In this article, our Technical Director Dave Sample examines the growing risks within these environments and their impact on modern cyber security.

While businesses invest heavily in securing their own infrastructure, the home environments of employees often contain vulnerable IoT devices, outdated software, insecure applications, and consumer-grade routers that were never designed with enterprise security in mind. These weaknesses present real opportunities for attackers to compromise domestic devices, steal credentials, and pivot into corporate networks through remote access technologies.

If your organisation relies on home working, your security posture is only as strong as the least secure device on an employee’s home network.

Are Your Employees’ Home Networks Putting You at Risk?

As home working has become the norm, companies must consider a difficult question: how confident are you that the devices on your employees’ home networks are not exposing your business to unnecessary risk?

It is easy to assume that staff behave responsibly, avoid illegal or risky content, and maintain their home devices properly. Unfortunately, the reality is often very different. Many households contain a mixture of outdated IoT devices, poorly secured routers, children’s entertainment gadgets, gaming consoles, and streaming devices that are rarely patched or monitored. Any one of these can provide a foothold for an attacker.

The Hidden Risks of Home Streaming Devices

Devices such as Amazon Firesticks, Android televisions, and other smart entertainment platforms are frequently modified or jailbroken to install IPTV apps that provide access to unlicensed content. These apps are often downloaded from unofficial repositories, bypassing the security checks carried out by legitimate app stores.

This creates several significant risks:

  • Unverified apps may contain embedded malware.
  • Malware can enable further sideloading of malicious software.
  • Compromised devices may be used as residential proxies, routing criminal or malicious internet traffic through an unsuspecting user’s home network.
  • Attackers may use these devices as a foothold for reconnaissance and lateral movement.

Amazon has taken steps to address this with its new Vega OS, which improves security on the latest Fire TV Stick 4K models. However, with tens of millions of legacy devices still in circulation worldwide, the broader risk remains substantial.

Real-World Examples: Badbox and Beyond

In early 2025, the second iteration of the Badbox operation was publicly disclosed. This large-scale botnet campaign infected Android TVs, tablets, and various IoT devices. Once compromised, these devices were used to create a vast network of residential proxies, enabling threat actors to disguise their traffic behind ordinary households.

When devices intended for everyday entertainment are being weaponised at global scale, the security implications for organisations relying on home workers should be clear.

From the Living Room to the Corporate Network

These examples illustrate how easily a domestic device can become compromised. What appears low risk can escalate quickly. Once an attacker gains a foothold on an IoT device inside the home, they can:

  • Establish persistence on the local network
  • Observe network traffic
  • Intercept or harvest credentials from personal or corporate devices
  • Map the home network to identify connected work endpoints

Credential harvesting is particularly dangerous. Stolen credentials remain one of the fastest and most effective ways to compromise corporate remote access systems, especially VPNs. After gaining VPN access, the attacker effectively has a quiet and legitimate route into the corporate network. From there, they can move laterally, gather intelligence, exfiltrate data, or deploy ransomware.

The Scale of the VPN Problem

VPN compromises have increased significantly in recent years. According to Zscaler, 56 percent of organisations surveyed in 2024 had been targeted by cyberattacks exploiting VPN vulnerabilities. What remains unclear in most reporting is how attackers gained initial access to the client device. The assumption is often phishing. Yet the evidence increasingly suggests that compromised domestic IoT devices are an overlooked but credible attack vector.

Several facts support this view:

  1. Domestic IoT devices such as Chromecast, Amazon Fire TV Stick, and Android televisions have well-documented vulnerabilities and CVEs.
  2. Home users frequently install unofficial or pirated streaming applications, many of which have been found to contain malware.
  3. Lateral movement from compromised IoT devices has been demonstrated in multiple research settings, even though many proofs of concept focus on local movement rather than corporate pivoting.

If an attacker controls an IoT device inside the home, there is nothing preventing them from discovering a work device connected to the same network and leveraging it to reach the corporate environment.

What Can Organisations Do to Minimise Risk?

Keep all devices fully patched

Ensure every device on the home network runs the latest firmware and software. This includes IoT appliances, smart TVs, streaming sticks, routers, and access points. Enable automatic updates wherever possible.

Use only legitimate, trusted applications

Install apps only from official stores or approved vendor repositories. Avoid sideloading APKs or using unverified streaming apps, which are a common source of malware.

Avoid legacy, unsupported, or jailbroken devices

Devices that no longer receive updates should be retired. Jailbroken or modified hardware removes key security controls, creating opportunities for attackers.

Implement network segmentation where possible

Although VLANs may not be realistic for most home users, basic segmentation is achievable. Modern routers often allow separation for IoT devices. Even simple guest networks help isolate insecure devices from corporate endpoints.

Apply corporate security and compliance policies to remote endpoints

Remote devices should adhere to the same standards as internal corporate systems: centralised management, encryption, enforced screen locks, health checks, and patch compliance.

Limit and control VPN access

  • Restrict how long a VPN session can remain active.
  • Enforce automatic timeouts and disconnects after periods of inactivity.
  • Limit the ports, protocols, and services accessible over VPN.
  • Require MFA, ideally using phishing-resistant methods.
  • Use conditional access and device posture checks before allowing a connection.
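The controls in this list can be expressed as one admission and session policy. The sketch below is an added example, not part of the original article or any vendor's product: it gates a VPN connection on MFA method and the device posture attributes named above, then enforces session lifetime, idle timeout, and a default-deny service list. All names, thresholds, and sample sessions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy values for illustration; tune to your own environment.
MAX_SESSION = timedelta(hours=8)        # hard cap on session lifetime
IDLE_TIMEOUT = timedelta(minutes=15)    # disconnect after inactivity
MAX_PATCH_AGE_DAYS = 30                 # patch-compliance threshold
PHISHING_RESISTANT_MFA = {"fido2", "smartcard"}
ALLOWED_SERVICES = {("tcp", 443), ("tcp", 3389)}  # only what remote staff need

@dataclass
class Session:
    user: str
    mfa_method: Optional[str]   # None means password only
    managed: bool               # enrolled in central management
    disk_encrypted: bool
    screen_lock: bool
    patch_age_days: int
    started: datetime
    last_activity: datetime

def connect_denials(s: Session) -> List[str]:
    """Reasons to refuse a new connection; an empty list means allow."""
    checks = [
        (s.mfa_method in PHISHING_RESISTANT_MFA, "mfa-not-phishing-resistant"),
        (s.managed, "device-unmanaged"),
        (s.disk_encrypted, "disk-not-encrypted"),
        (s.screen_lock, "no-screen-lock"),
        (s.patch_age_days <= MAX_PATCH_AGE_DAYS, "patches-out-of-date"),
    ]
    return [reason for ok, reason in checks if not ok]

def disconnect_reason(s: Session, now: datetime) -> Optional[str]:
    """Why an established session must be dropped, or None to keep it."""
    if now - s.started > MAX_SESSION:
        return "max-session-exceeded"
    if now - s.last_activity > IDLE_TIMEOUT:
        return "idle-timeout"
    return None

def flow_allowed(proto: str, port: int) -> bool:
    """Default-deny: only listed protocol/port pairs cross the tunnel."""
    return (proto.lower(), port) in ALLOWED_SERVICES

# Constructed sample data: a compliant laptop, and a login using valid
# credentials from an unmanaged, unpatched device.
T0 = datetime(2025, 12, 16, 9, 0)
GOOD = Session("alice", "fido2", True, True, True, 3, T0, T0)
STOLEN = Session("alice", "totp", False, True, False, 120, T0, T0)
```

The second sample session shows why posture checks matter alongside MFA: the credentials are valid, but the connection is still refused because the device fails four independent checks.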

Conclusion: Your Security Perimeter Now Includes the Living Room

In today’s hybrid working world, an organisation’s security boundary extends far beyond its corporate offices. Every home network used by an employee is now part of your attack surface, yet these environments often contain some of the weakest and least managed devices on the network.

Compromised IoT devices are no longer theoretical. They are being used in global botnets, residential proxy networks, credential-harvesting campaigns, and targeted attacks. As long as attackers can exploit insecure domestic devices, the risk of pivoting into corporate networks will persist.

Businesses that rely on remote working must acknowledge this reality and adapt their security practices accordingly. Proactive controls, strong endpoint management, user education, and tighter VPN governance can significantly reduce exposure.

The organisations that succeed will be those that recognise the new shape of the modern perimeter and take steps now to secure it.

Authored by: Dave Sample, Technical Director at Advantex Network Solutions Ltd

How Advantex Can Help

Home networks are now a real part of your attack surface, but the right controls can dramatically reduce your exposure. Advantex supports organisations with secure-by-design remote access, device posture checks, endpoint visibility, and continuous cybersecurity monitoring. From tightening VPN governance to improving remote-worker compliance, we’ll help you take control of the risks you can’t see.

If you’d like to strengthen your hybrid-working security, get in touch. Our team is here to help.