Although the Internet of Things (IoT) incorporates millions of heterogeneous devices to provide advanced intelligent services and has greatly impacted our lives over time, it has a huge blind spot since its design favors connectivity over security. Myriad efforts have been made to secure it, but it is still one of the most lucrative and often an easy target for attackers. IoT devices remain at higher risk of attack due to their intrinsic properties which include but are not limited to extreme heterogeneity, mostly plug-and-play nature, computational limitations, improper patch management, unnecessary open ports, default or no security credentials, and extensive use of reusable open-source software. To address these security concerns we need to thoroughly understand IoT devices’ vulnerabilities, associated attacks, and how criminal services can abuse these devices. In this article, we present recent advances in IoT security vulnerabilities, criminal services by empirically identifying major vulnerable IoT devices and cyber attacks exploiting them by cyber criminals. Additionally, we present mapping of vulnerabilities, criminal services, attacks, and potential solutions against such vulnerabilities and attacks. We have also presented different approaches in a tabular form for side-by-side comparison.