IoT WiFi doesn't have to be connected to the Internet or networked computers at all....
True. However, it is also true that attackers need not directly use the Internet to access WiFi networks. (They may or may not use it indirectly as part of an attack on a "non-Internet-connected" network.)
If I use WiFi, it gives me a chance to re-use an old obsolete AP I have that had truly awesome range but only supports 802.11b (too-weak encryption).
See, that's the kind of thing that excites me as an attack opportunity when I put on my black hat.
802.11b is great because it's trivial for me to get the password "protecting" that network by simply listening for a few minutes (or hours, tops) to the packets it's broadcasting to everyone around it. Longer range is great because it makes it easier to place or find a device within range of the network that I can use for my attack.
With a cheap, home-made antenna I can probably connect directly to this network from several hundred meters away. But I wouldn't start there; my first thought would be to take over someone else's WiFi device (such as a vulnerable home router in the area) and then stage the attack from there. I can do that from the other side of the planet.
It's reasonable, however, to assume that I'm not targeting you directly. I'd "0wn" various routers in your area merely because my automated system scans the Internet and collects them to be used for various purposes, and I'd have access to your WiFi network because my automated software would automatically crack all easy-to-crack WiFi networks in the area of my devices, again because it's easy to do, they could be handy for further attacks, and who knows what fun stuff I might find. You'd just be one of many caught in the automated sweep.
I've been thinking about this on and off over the past few months and one of the main problems in securing small devices along the lines of an ATMega is that they simply don't have the computing power to do enough crypto even for something more minimal than TLS. My current thought is that perhaps Bluetooth is the solution here: if set up properly (i.e., proper PIN confirmation for pairing on both sides) it's pretty secure as far as I know, it's low-power, and the modules are cheap and easy to add to devices with a small microcontroller. I'm not sure about the implications of this on the design of the overall system, though, especially when it involves devices that can be tens of meters apart with walls and the like between them.
(Sorry if I'm hijacking this thread; I'm happy to continue elsewhere if someone wants to point me to a new or existing discussion where it would be better for me to be posting this sort of thing.)