
According to an IoT Analytics report, the number of connected IoT devices worldwide is expected to reach 30B by 2030, up from 18.5B in 2024 [1]. Growth at that scale presents several challenges for those deploying the devices, and Internet of Things (IoT) security issues are among the most pressing.

Most organizations introducing IoT, or adding new devices to an existing fleet, lack a complete inventory of what is on their network, visibility into what those devices are doing, and a clear plan for what happens when a device reaches end-of-support but stays in the field.

As Palo Alto Networks' Device Security Threat Report 2025 states, at least 21% of all IoT devices monitored for the study have at least one known vulnerability, and each of them is a potential entry point into the organization in which it is deployed [2]. For businesses, that exposure translates into incident response costs, regulatory fines, and operational downtime.

This article examines why key IoT security challenges persist and what an IoT-powered business can do to address them before they cause damage.

Why IoT security stays broken across the industry

IoT security fails systematically because the incentives at every stage of the product lifecycle push against it. 

Manufacturers competing on thin hardware margins deprioritize security features that add cost and engineering time. As a result, the devices ship with weak authentication, no update path, and hardware that cannot support meaningful encryption. 

Enterprise buyers rarely ask the right questions at procurement, which gives manufacturers no commercial reason to invest differently. 

And even in organizations that take security seriously, engineering and security teams typically operate in silos, with security reviews arriving at the end of the development cycle when findings are too late and too expensive to act on. 

The result is an industry where the same IoT security vulnerabilities keep appearing in breach reports year after year. This is not because the solutions are unknown, but because no single stakeholder feels fully accountable for fixing them. Below are the most common security issues associated with IoT infrastructure and deployment.


Key IoT security issues to watch out for

IoT security vulnerabilities rarely have a single source. They emerge from the interaction between physical devices, the infrastructure connecting them, and the organizations responsible for both. Here are the most common IoT security issues.

Unprotected devices 

Most IoT devices are built with limited memory, processing power, and storage. This makes it difficult to implement robust security protocols, but it also creates a convenient excuse to skip them. Devices frequently ship with default credentials, no update mechanism, and no hardware-level protection for stored keys or firmware. Once deployed, these gaps are almost impossible to close without a full product revision. 

According to Forescout's The Riskiest Connected Devices in 2025 report, average device risk scores rose 33% year-over-year in 2025 [3]. The report's riskiest device types, grouped by category, are:

  • IT: Application Delivery Controller (ADC), Intelligent platform management interface (IPMI), Firewall, Domain controller, Router
  • IoT: Network video recorder (NVR), Network attached storage (NAS), VoIP systems, IP camera, Point of sale (PoS) systems
  • OT: Universal gateway, Historian, Building management system (BMS), Physical access control systems, Uninterruptible power supply (UPS)
  • IoMT: Imaging devices, Lab equipment, Healthcare workstations, Infusion pump controller, Picture archiving and communication system (PACS)


Weak network and communication security

IoT devices rarely operate in isolation. They transmit data across networks to gateways, to cloud backends, to other devices. Every hop in that chain is a potential point of interception or manipulation. Unencrypted traffic, weak device authentication, and the absence of proper admission controls for new devices all create openings that attackers exploit systematically.

AI-powered attacks

Attackers are now using AI to automate vulnerability scanning, run credential-stuffing campaigns at scale, and build botnets that adapt their attack patterns in real time to evade detection. It has shortened the attack cycle from device discovery to exploitation. For IoT environments, where devices cannot run security agents and anomalies go undetected for long periods, AI-assisted attacks are particularly difficult to catch and contain.

Human and organizational factors

Most IoT security problems do not start with a hacker. They start in a product roadmap meeting where security is listed as a delivery milestone rather than a design constraint.

When security is treated as a feature to be added before launch, it gets scoped, traded off against schedule pressure, and shipped incomplete. The firmware update mechanism gets deprioritized because it does not affect the demo. The authentication design gets simplified because the deadline moved. The penetration test gets scheduled for after release. This pattern is expensive in the long run.

Unpatched firmware

Forescout found that 47% of newly exploited vulnerabilities in H1 2025 were originally disclosed before 2025 [4]. This means attackers are actively targeting known flaws that organizations have not yet fixed. For devices with operational lifespans of 10 to 25 years, a flaw that never gets patched stays exploitable for the rest of the device's life.

Supply chain vulnerabilities

Compromised firmware, backdoored components, or malicious third-party libraries introduced during manufacturing can make a device vulnerable before it ever reaches a customer. For buyers, these vulnerabilities are nearly impossible to detect. This is why supply chain security has to be a procurement question, not just an engineering one.

No visibility into deployed devices

In most enterprise environments, IoT devices accumulate outside formal IT procurement. A facility manager installs smart HVAC controls, a lab connects an instrument, an office deploys networked printers. Few of these appear in the security team's asset inventory or are monitored, yet all of them are on the corporate network. 

NIST SP 800-213 and CISA CPG 2.0 treat a complete device inventory, including manufacturer, model, firmware version, network location, and support status, as a baseline security requirement. Organizations that cannot produce that list do not know their own attack surface.

End-of-life devices staying in service

A device that has reached end-of-support but remains connected is an unmanaged liability. Manufacturers stop issuing patches, so vulnerabilities discovered after that point stay open indefinitely. Yet replacing operational hardware on a fixed budget, across a large estate, rarely happens on schedule. The gap between when support ends and when a device is actually retired is where IoT breaches often originate.
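The two problems above, an incomplete inventory and end-of-support devices that stay connected, can be caught by the same routine check. The script below is an added example (not code from the original article or from N-iX); it reads a constructed, made-up inventory, flags records missing any of the fields NIST SP 800-213 and CISA CPG 2.0 expect, and flags devices whose vendor support has ended or whose support status is unknown. The column names and the cut-off date are assumptions.

```python
"""Baseline IoT asset-inventory check (constructed example).

Flags inventory records that lack the fields a baseline inventory needs
(manufacturer, model, firmware version, network location, support status)
and devices that are past vendor support but still connected.
"""
import csv
import io
from datetime import date

REQUIRED_FIELDS = ("device_id", "manufacturer", "model", "firmware_version",
                   "network_location", "support_status")

# Constructed sample inventory (vendors and devices are made up).
# support_end is an ISO date, or empty when the vendor never stated one.
SAMPLE_INVENTORY = """\
device_id,manufacturer,model,firmware_version,network_location,support_status,support_end
cam-017,ExampleCam,IPC-200,2.1.4,vlan30-lobby,supported,2028-06-30
hvac-02,ExampleAir,AC-Ctrl,,vlan10-facilities,unknown,
nvr-01,ExampleCam,NVR-8,1.0.9,vlan30-security,end-of-support,2023-01-31
badge-04,ExampleAccess,DoorMaster,5.2.0,,supported,2027-12-31
"""


def load_inventory(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_inventory(rows, today):
    """Return {device_id: [findings]}; an empty list means the record is clean."""
    findings = {}
    for row in rows:
        issues = []
        # 1. Completeness: every baseline field must be present and non-blank.
        for field in REQUIRED_FIELDS:
            if not (row.get(field) or "").strip():
                issues.append(f"missing {field}")

        # 2. Lifecycle: end-of-support or a support_end date in the past means
        #    the device is an unpatched liability while it stays connected.
        status = (row.get("support_status") or "").strip().lower()
        end = (row.get("support_end") or "").strip()
        if status == "end-of-support":
            issues.append("end-of-support device still connected")
        elif end and date.fromisoformat(end) < today:
            issues.append(f"support ended {end} but status is '{status or 'blank'}'")
        elif status == "unknown":
            issues.append("support status unknown: treat as unmanaged")

        findings[row.get("device_id") or "<no id>"] = issues
    return findings


def run_sample_audit():
    """Audit the constructed inventory against a fixed date for repeatability."""
    return audit_inventory(load_inventory(SAMPLE_INVENTORY), date(2026, 1, 15))


if __name__ == "__main__":
    for device, issues in run_sample_audit().items():
        print(device, "OK" if not issues else "; ".join(issues))
```

In a real estate the inventory comes from discovery tooling or a CMDB rather than a CSV literal, but the two checks stay the same: a record that cannot be fully populated is itself a finding, and a past support_end date should be treated the same way as an explicit end-of-support flag.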

Insecure APIs and cloud backends

The device itself is only part of the attack surface. The APIs and cloud services it connects to introduce their own risks: overly broad access permissions, weak authentication between device and backend, and unencrypted data in transit. 

An API that exposes more functionality than a device actually needs gives an attacker more to work with if the cloud layer is ever compromised. Limiting device access to only the operations it genuinely requires is one of the highest-value security decisions made at the design stage.
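To make the least-privilege point concrete, here is an added example (not code from the original article or from N-iX) of a default-deny authorization check for a device-facing backend API. Each device identity carries an explicit list of grants; an over-broad wildcard policy is shown alongside a scoped one so the difference in blast radius after a single device credential is stolen is visible. The resource naming scheme, the device ids and the request list are all constructed.

```python
"""Device-scoped, default-deny authorization for an IoT backend API.

Constructed example.  A policy is a list of grants (action, resource
pattern); a request is permitted only if some grant matches it.
"{self}" in a resource pattern expands to the calling device's own id,
so a grant can be written once and still confine each device to its own
objects.  A trailing "/*" matches everything under a prefix.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    action: str     # "publish", "read", "update", or "*" for any action
    resource: str   # exact resource, or prefix ending in "/*"


@dataclass(frozen=True)
class DevicePolicy:
    device_id: str
    grants: tuple


def _matches(pattern, resource, device_id):
    """Match a grant pattern against a concrete resource path."""
    pattern = pattern.replace("{self}", device_id)
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])   # keep the trailing "/"
    return pattern == resource


def authorize(policy, action, resource):
    """Default deny: permit only when an explicit grant covers the request."""
    for g in policy.grants:
        if g.action in ("*", action) and _matches(g.resource, resource, policy.device_id):
            return True
    return False


# Least-privilege policy for an IP camera: publish its own telemetry,
# read its own config, nothing else.
SCOPED_CAMERA = DevicePolicy("cam-017", (
    Grant("publish", "devices/{self}/telemetry"),
    Grant("read", "devices/{self}/config"),
))

# The over-broad grant the text warns about: one wildcard for the whole fleet.
BROAD_CAMERA = DevicePolicy("cam-017", (Grant("*", "devices/*"),))

# Constructed requests an attacker holding cam-017's credential might try.
SAMPLE_REQUESTS = (
    ("publish", "devices/cam-017/telemetry"),   # legitimate
    ("read",    "devices/cam-017/config"),      # legitimate
    ("read",    "devices/lock-003/config"),     # read another device's config
    ("update",  "devices/lock-003/config"),     # tamper with a door lock
    ("update",  "devices/cam-017/firmware"),    # camera rewriting its own firmware
)


def evaluate(policy, requests=SAMPLE_REQUESTS):
    """Return {"action resource": allowed?} for every request under a policy."""
    return {f"{a} {r}": authorize(policy, a, r) for a, r in requests}


if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_CAMERA), ("broad", BROAD_CAMERA)):
        print(name)
        for req, allowed in evaluate(policy).items():
            print(f"  {'ALLOW' if allowed else 'DENY '} {req}")
```

Under the scoped policy the compromised camera can still do its job but cannot touch the lock or its own firmware endpoint; under the broad policy every one of the five requests succeeds. The same shape applies to MQTT topic ACLs and cloud IoT identity policies: write grants per device role, expand the device's own id into the resource, and deny anything not listed.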


The regulatory shift: security is now a legal requirement

For years, IoT security was a best practice, i.e., recommended but not enforced. That era is ending: regulators in the EU, the UK, and the US now impose binding requirements on connected products.

  • EU Cyber Resilience Act (CRA). Manufacturers selling connected products in the EU must report actively exploited vulnerabilities within 24 hours of becoming aware of them (an early warning, followed by a fuller notification within 72 hours). The reporting obligations take effect September 11, 2026, with the broader product security obligations following in December 2027. For manufacturers who have not yet mapped their vulnerability handling and disclosure process, this is an urgent gap [5].
  • UK PSTI Act. It legally bans universal default passwords on consumer connectable devices, making enforceable a recommendation security practitioners have made since the Mirai botnet hijacked some 600,000 devices using factory-default credentials and knocked GitHub, Netflix, and Twitter offline in a single 2016 attack [6].
  • CISA CPG 2.0. Unifies security goals across IT, IoT, and OT under a single structure. For US critical infrastructure operators, this is now the reference baseline [7].
  • GDPR and CCPA. Privacy by design, i.e., building data minimization, consent mechanisms, and access controls into the product architecture from the start, is both the legally compliant approach and the only practical one. Retrofitting privacy controls into deployed IoT hardware is costly, incomplete, and often technically impossible [8][9].

The compliance pressure is real and growing. But organizations that embed these frameworks into design and production tend to end up with products that are more secure, not just technically compliant. Here are a few ways to minimize the occurrence of IoT security issues.


Top tips to prevent IoT security issues

The organizations that manage IoT security well share a few common practices that aren't primarily technical. Here's how to become one.

  • Define security requirements before hardware selection. The choice of microcontroller determines whether the device can support hardware encryption, a secure boot chain, or a True Random Number Generator. Making those decisions late means inheriting the security limitations of whatever hardware was already chosen for cost reasons.
  • Plan the full device lifecycle at design time. This includes the update mechanism, the end-of-support timeline, the process for revoking credentials on a compromised device, and the decommissioning plan. A device with no viable update path should not be shipped or included in the bill of materials (BoM).
  • Maintain a complete asset inventory. NIST SP 800-213 and CISA CPG 2.0 treat this as a baseline requirement. Every connected device's record should include the manufacturer name, model, firmware version, network location, and support status.
  • Segment IoT devices from core infrastructure. Network segmentation does not prevent compromise, but it dramatically limits what an attacker can do after compromising a device. A breached IP camera should not be a path into financial systems. In practice, this architectural decision is often skipped because it adds complexity at deployment. It consistently proves to be worth it.
  • Treat procurement as a security control. Requiring vendors to provide support timelines, software bills of materials, and documented update mechanisms changes what gets built. Buyers who ask these questions create commercial incentives for manufacturers to answer them.
  • Run security testing before launch. Penetration testing and vulnerability assessment are part of the development process, not a post-launch assurance exercise. Issues found in testing change designs. Issues found after release become breach reports.

Ensuring the security of IoT deployments is complex. If you don't know where to start, N-iX IoT experts are here to assist you at any stage of your project.


How N-iX helps you solve IoT security challenges

IoT security issues span hardware, firmware, networks, cloud, and applications simultaneously. N-iX covers all of them. With over 15 years of IoT development experience, 100+ delivered security projects, and 20+ dedicated cybersecurity consultants, our team embeds protection into every stage of the IoT product lifecycle. We can help you with:

  • IoT device security. We help you select only devices that support secure boot, device identity management, and over-the-air (OTA) firmware updates, and that authenticate before they join your network.
  • IoT connectivity and network security. We protect your communication pathways, implementing VPNs, firewalls, network segmentation, and secure encryption protocols to safeguard data transmission.
  • IoT cloud and data security. From device-to-cloud encryption to multi-cloud security, we ensure data integrity across your IoT infrastructure.
  • Application security. We provide secure APIs, role-based access control (RBAC), and application-level data encryption to protect your apps and ensure safe communication with IoT devices.
  • Compliance and certification. We support you in meeting regulatory standards, such as ISO 27001, SOC 2, and GDPR, helping you achieve certification and avoid costly non-compliance penalties.

N-iX's engineers build IoT systems that are resilient, scalable, and secure, allowing you to focus on innovation without compromising safety or compliance. Let’s discuss how we can help you minimize IoT security issues from the start.


Sources: 

  1. Number of connected IoT devices growing 14% to 21.1 billion globally | IoT Analytics 
  2. Device Security Threat Report | Palo Alto Networks 
  3. The Riskiest Connected Devices in 2025 | Forescout 
  4. 2025H1 Threat Review | Forescout
  5. Regulation (EU) 2024/2847 of the European Parliament and of the Council (Cyber Resilience Act) | Official Journal of the European Union
  6. The UK Product Security and Telecommunications Infrastructure (Product Security) regime | GOV.UK
  7. Cybersecurity Performance Goals 2.0 (CPG 2.0) | CISA
  8. Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) | Official Journal of the European Union
  9. California Consumer Privacy Act (CCPA) | State of California - Department of Justice - Office of the Attorney General
  10. Cost of a Data Breach Report 2025 | IBM

FAQ

What are the security issues in IoT?

IoT security issues range from unprotected devices and unpatched firmware to insecure data transmission, supply chain vulnerabilities, and a lack of device visibility. They are compounded by organizational failures, such as the deprioritization of security under schedule pressure, weak procurement standards, and siloed engineering and security teams.

What are the reasons IoT devices are considered a security risk?

IoT devices are considered a security risk because they often ship with default credentials, lack a reliable update mechanism, and run on hardware that cannot support strong encryption. Most cannot run endpoint security agents, so they go largely unmonitored, and they often remain in service long after security support has ended.

What is the biggest security challenge in IoT?

The biggest IoT security challenge is that security is consistently treated as a feature rather than a foundation: update paths, authentication design, and testing get traded away under schedule pressure instead of being fixed as design constraints.

What are the most common IoT security threats in 2026?

The most common IoT security threats in 2026 include exploitation of default credentials, unpatched firmware attacks, man-in-the-middle interception, supply chain compromises, and AI-powered botnets that scan for vulnerable devices at scale.

What are the consequences of poor IoT security for businesses?

The consequences of IoT security issues can be direct financial loss, regulatory fines, reputational damage, or operational disruption. In sectors like healthcare or critical infrastructure, the consequences can extend to physical safety.

What industries are most at risk from IoT security issues?

Retail, financial services, manufacturing, and critical infrastructure are the highest-risk verticals. Healthcare carries the sharpest exposure, with medical devices increasingly targeted and direct patient safety implications.

Mykhaylo Kohut
Solution Architect, Embedded & IoT Practice
