I thought this Wall Street Journal article was pretty good. It discusses using web cameras as a means to attack other, larger targets. This is basically the same as what happened when Dyn was hit with a DoS attack in the fall, but this article talks a little more about the business side of it and what should be done to stop these things.
It’s a difficult situation. In most of these cases, the compromise happens because these devices use easy-to-find manufacturer default passwords. Keeping those defaults is ultimately a choice made by the owner, even though they might not realize what they’re doing. Is there a way to hold device owners accountable for using such weak security? Is there a way for hardware manufacturers to make more secure devices? Is there enough market force to demand more secure devices, or is the market force still on being first to deliver?
Personally, I think some form of industry group needs to emerge to certify IoT devices as being as secure as they can be at that time. This industry group would need to update its guidance at least annually, and then it would need to invest in a marketing effort to inform consumers of this certification and make the value of certified devices increase in the minds of consumers.