
Why IoT Security Is Still Behind in 2025: What You Should Know If You Want Your Deployments to Last

Over the past year, campaigns including BadBox 2.0, Matrix, and LapDogs have been documented compromising tens of millions of connected devices worldwide. Billions of devices are now online, and new threats continue to emerge. It's clear that IoT security is still lagging behind the rapid pace of adoption.

There are certainly benefits to this widespread adoption. IoT is enabling real-time, data-driven decision making at a remarkable scale. Applications such as wearable devices, environmental monitoring, remote patient care, and predictive maintenance wouldn’t exist without IoT. Analysts project IoT connections exceeding 40 billion within the next decade, a trend that highlights the need to build security into every layer of the ecosystem.

The State of IoT Security

Systematic security measures for IoT are only beginning to be widely implemented, driven in large part by emerging regulations and increased demand for security. Historically, many IoT deployments lacked both standardized oversight and strong safeguards. As a recent example, survey data from Verizon in 2024 shows that despite surging adoption and concern over IoT-related incidents, a large share of organizations (including critical infrastructure operators) lacked consistent IoT security policies or device tracking. These failures aren't solely on the users: an FTC survey, also from 2024, found that 89% of examined vendors do not disclose support duration or end dates, making it almost impossible for users to plan lifecycle management or risk mitigation.

In May 2025, NIST published a draft revision of its IoT device manufacturer guidance (NIST IR 8259). This update is a positive step. It standardizes expectations for baseline security capabilities and post-market support, and introduces ways for businesses to contribute to the standards. However, it remains voluntary. Without significant market pressure, many manufacturers, especially low-cost consumer device makers, will continue shipping insecure products or abandoning devices shortly after launch.

The result is a growing population of unsupported, unpatched, and insecure devices, effectively "abandonware", which continue to expand the attack surface long after they leave the factory. Considering applications in healthcare and critical infrastructure, the stakes extend far beyond device failure. Compromised systems can lead to safety risks, network intrusions, data breaches, loss of trust, and regulatory exposure.

Annual IoT-related vulnerability counts, broken down by resolution status (as of 9/25). Data sourced from NVD with keywords such as IoT, rtos, mbed, u-boot, nuttx, zephyr, etc., aggregated by publication date.

Historical data on published IoT vulnerabilities can provide context for the ongoing challenge. Between 2019 and 2022, hundreds of IoT-related CVEs were reported each year, many of them severe. After 2023, the number of newly reported CVEs is lower, but this does not mean that deployed devices are more secure. Even ignoring unknown, unreported, or unpatched threats, many devices remain at risk because published fixes, mitigations, or workarounds may not be applied, firmware may not be updated, and users often lack visibility into all supply-chain components that could impact their systems. This gap between known vulnerabilities and actual device security is at the heart of the problem: devices continue operating in the field without proper maintenance, leaving networks exposed despite improvements in new technology.


Closing the Gap

For those deploying IoT devices, there are straightforward ways to reduce risk without needing a comprehensive, enterprise-scale security program. Even so, it's important to be aware of which attack vectors are relevant to your use case because each of these methods has tradeoffs in terms of usability, complexity, cost, performance, and time-to-market. 

When possible, prioritize devices that have committed vendor support, lifecycle guarantees, and clear update mechanisms (e.g., cryptographically signed updates). This alone can meaningfully lower the chance of being stuck with unpatched, unsupported hardware, but it's not always feasible when shady vendors and low-cost or legacy systems are involved. Regardless of whether support durations are provided, it's important to have a planned retirement window for devices, instead of operating them indefinitely. Lack of transparency about vendors' supply-chain dependencies is a further challenge for users.

This is why all devices should be deployed in ways that minimize exposure, such that any vulnerabilities or incidents have limited impact on critical systems or sensitive data. For this, users can adopt a zero-trust security model. Devices should be isolated on separate networks, with encrypted communications, so that a compromise of one system cannot easily spread. Limit which external endpoints the devices can talk to, and where possible, proxy outbound connections through monitoring servers. Access to devices should be limited to what is necessary and protected with strong authentication, ensuring that only authorized users can interact with them and reducing the risk of unauthorized access. Where the end device supports it, monitoring deployments with IDS, logging and alerts can help detect anomalies before they escalate.

Example network segmentation

Additionally, maintaining an up-to-date inventory of devices, including firmware versions and hardware variants, allows deployments to be cross-checked against vulnerability databases such as the NIST National Vulnerability Database and CVE Details, which can assist in identifying and assessing known security issues. It is also critical to assume that devices in easily accessible or public areas will be tampered with, and to protect serial interfaces, removable storage, and other physical access points accordingly.
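As an added example (not code from the original post), the cross-check described above in Python: a device inventory is matched against NVD-style advisory records with version ranges, and each device is also tagged with its lifecycle status, applying the planned retirement window suggested earlier. The vendor, product names, firmware versions, support dates and CVE ids are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class Device:
    name: str
    vendor: str
    product: str
    firmware: str
    end_of_support: Optional[date]  # None: vendor publishes no support end date
@dataclass
class Advisory:
    cve: str  # placeholder ids in the sample below, not real CVE numbers
    vendor: str
    product: str
    start_incl: Optional[str]  # like NVD versionStartIncluding
    end_excl: Optional[str]  # like NVD versionEndExcluding (first fixed release)

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))  # dotted numeric versions only

def affected(dev: Device, adv: Advisory) -> bool:
    if (dev.vendor, dev.product) != (adv.vendor, adv.product):
        return False
    fw = parse_version(dev.firmware)  # in range unless below start or at/after fix
    return not ((adv.start_incl and fw < parse_version(adv.start_incl))
                or (adv.end_excl and fw >= parse_version(adv.end_excl)))

def lifecycle(dev: Device, today: date, warn_days: int = 180) -> str:
    # An undisclosed support end date is itself a finding (cf. the FTC survey above).
    if dev.end_of_support is None:
        return "unknown-support"
    if dev.end_of_support <= today:
        return "end-of-support"
    return "retire-soon" if dev.end_of_support - today <= timedelta(days=warn_days) else "supported"

def audit(devices, advisories, today: date) -> List[Tuple[str, str, List[str]]]:
    return [(d.name, lifecycle(d, today), [a.cve for a in advisories if affected(d, a)])
            for d in devices]

# Constructed sample inventory and advisories: vendor, products, dates and ids are made up.
TODAY = date(2025, 9, 25)
DEVICES = [Device("gateway-01", "acme", "edge-gw", "2.3.1", date(2027, 1, 1)),
           Device("gateway-02", "acme", "edge-gw", "1.8.0", date(2024, 6, 30)),
           Device("cam-lobby", "acme", "cam-x", "1.0.5", None),
           Device("sensor-07", "acme", "cam-x", "0.9.2", date(2025, 12, 1))]
ADVISORIES = [Advisory("CVE-0000-0001", "acme", "edge-gw", "1.0.0", "2.0.0"),
              Advisory("CVE-0000-0002", "acme", "edge-gw", None, "2.4.0"),
              Advisory("CVE-0000-0003", "acme", "cam-x", "1.0.0", None)]
```

Calling `audit(DEVICES, ADVISORIES, TODAY)` returns one (name, lifecycle status, open advisories) tuple per device. A real cross-check would populate the advisory records from NVD's CPE match data rather than hand-written entries, and would need a version parser that handles vendor-specific suffixes.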

For readers interested in exploring these practices in more detail, several resources provide guidance on securing IoT deployments, such as the IoT Security Foundation, which offers lifecycle-focused best practices, and Palo Alto Networks, which provides detailed guides on secure architectures, device monitoring, and network protection. These references can serve as practical starting points for implementing robust security measures in existing deployments.

As industry practices continue to evolve, newer devices and networks will gradually become more secure. However, the greatest risks remain with devices that are overlooked or left unsupported, which end up becoming entry points into larger, mostly secure environments. Ensuring security is a shared responsibility, with manufacturers and users playing a role in maintaining updates, monitoring deployments, and selecting devices with ongoing support. Attention to these practices can help prevent the accumulation of insecure systems.
