Let's say your lightbulbs have been hacked.

Is there really that much to worry about?

So far, much of the security conversation around the Internet of Things (IoT) has taken place with tongue firmly planted in cheek. Last year, after hackers commandeered a smart refrigerator and used it as part of a spam-generating botnet, headline writers rejoiced, but few cried that the sky was falling.

But IoT seems certain to bring a huge number of network-connected sensors and devices, opening the door to an unprecedented range of unexpected — and potentially serious — new criminal threats, say a rising chorus of experts. Poor IoT security engineering, shifting network standards requirements, and the sheer number of new network endpoints could combine to create a massive new attack surface for cybercrooks.

"Right now the cybercriminals aren't hugely interested in attacking these devices compared to PCs, because they haven't found ways to make money off of them," James Lyne, global head of security research for Sophos, said in remarks at Mobile World Congress on Wednesday.

"But looking ahead, when these devices are everywhere, that's going to change."

Lyne, a self-professed "complete and utter geek," spends much of his time threat testing emerging network technology in an attempt to root out vulnerabilities before the hackers do. In a presentation at MWC, he described an off-the-cuff attack he'd recently mounted on Belkin smart electrical outlet.

Astonishingly, the connected outlet accepted commands from any inbound network connection — a flaw Lyne says is common in such devices from many manufacturers. The Belkin outlet uses the UPnP protocol, which does not require authentication, to establish network connections. "This was a deliberate choice on our part," says Belkin spokeswoman Leah Polk, adding that accessibility is key to the smart outlet's user experience. 

Feeling mischievous, Lyne whipped up a script that made a lamp plugged into the outlet flicker for 20 seconds, as if a ghostly presence were in the room.

"But it turns out I made a little typo," Lyne said. "Instead of 20 seconds, I input 200 seconds. It turns out if you make a lightbulb flicker for 200 seconds, some cheap lightbulbs will explode." (Polk says no such attack has been disclosed to Belkin's security team.)

The threats get more serious. In another probe, Lyne uncovered the relative ease of intercepting livestreaming CCTV camera feeds — including one feed that showed a security guard tasked with watching the cameras at a secure facility falling asleep on the job. Other camera feeds from convenience stores showed credit card information and pin numbers from customer transactions — a simple if manual way to vacuum up valuable payment account data.

"It's awesome and terrifying at the same time," Lyne said of the bizarre and varied scope threat unleashed by the IoT. "These devices are starting to be built into our cars and all sorts of things. Cybercriminals are going to try to exploit that."