A surreptitious scan of the entire internet has revealed millions of printers, webcams and set-top boxes protected only by default passwords.
An anonymous researcher used more than 420,000 of these insecure devices to test the security and responsiveness of other gadgets, in a nine-month survey.
Using custom-written code, they sent out more than four trillion messages.
The net's current addressing scheme accommodates about 4.2 billion devices. Only 1.3 billion addresses responded.
The number of addresses responding was a surprise as the pool of addresses for that scheme has run dry. As a result, the net is currently going through a transition to a new scheme that has a vastly larger pool of addresses available.
The scan found half a million printers, more than one million webcams and lots of other devices, including set-top boxes and modems, that still used the password installed in the factory, letting almost anyone take over that piece of hardware. Often the password was an easy to guess word such as "root" or "admin".
"Whenever you think, 'That shouldn't be on the internet, but will probably be found a few times,' it's there a few hundred thousand times," wrote the un-named researcher in a paper documenting their work.
HD Moore, who carried out a similar survey in 2012, told the Ars Technica news website the results looked "pretty accurate".
He added he had seen malicious hackers exploiting the security failings of these devices to run criminal networks known as botnets that are used to send out spam, mount phishing attacks and bombard websites with deluges of data.