IoT endpoints are prime targets for attacks, with the soaring number of connected devices and often porous security controls creating plenty of opportunities for hackers.
In its “The State of IoT Security, 2024” report, Forrester Research concluded that corporate IoT devices were the most reported target for external attacks, meaning they were attacked more than any other enterprise asset, including corporate and employee-owned computers and mobile devices.
According to cybersecurity software maker SonicWall’s “2025 Cyber Threat Report,” IoT attacks were up 124% in 2024. The worrisome statistics aren’t surprising, given the challenges of securing an IoT ecosystem.
First, the IoT industry doesn’t have a clear set of security standards to ensure developers and manufacturers incorporate consistent security across their products. Also, IT admins often find it challenging to keep track of and update devices that remain in the field for many years.
In addition, many IoT devices lack built-in security features due to their embedded firmware or software limitations. They often come with default passwords that don’t have to be reset when deployed.
Meanwhile, hackers scan networks for devices and known vulnerabilities and increasingly use nonstandard ports to get network access. Once they have device access, it’s easier to avoid detection through fileless malware or software memory.
Let’s examine what makes IoT devices vulnerable and how to mitigate attacks.
What is the IoT attack surface?
At its basic level, an attack surface refers to the total number of potential entry points for unauthorized system access. An IoT attack surface includes all possible security vulnerabilities for IoT devices, their software and network connections.
The growing concern around IoT device security includes the fact that threat actors can damage the network and software that support IoT devices and the devices themselves. Furthermore, IoT device adoption is advancing faster than the processes and protocols that provide secure, reliable connections.
Organizations can take steps to secure the IoT attack surface, but this requires the staff and technical expertise to establish policies that can proactively detect threats and reactively apply measures to reduce the size of the attack surface.
Top IoT security risks to address
Here are the eight common IoT vulnerabilities and seven external threats that pose the most significant risks.
1. An expanding attack surface
One of the biggest threats to an organization’s ability to secure its IoT environment is its sheer scale. Estimates on the actual number of connected devices in the world vary from one researcher to the next, but they are consistently in the billions and growing. For example, in its “State of IoT Summer 2024” report, IoT Analytics said that connected IoT devices numbered 16.6 billion at the end of 2023 — up 15% over 2022. By the end of 2024, that number was 18.8 billion.
Moreover, enterprise IoT spending is projected to grow at a 14% compound annual growth rate through 2030, according to IoT Analytics’ “State of IoT Spring 2025” report, with that spending dramatically expanding the attack surface.
Of course, an individual organization has far fewer devices to secure, but the number of connected endpoints adds up fast. Additionally, IoT devices are generally on 24/7, with many continuously connected.
2. Insecure hardware
A single endpoint device can present a risk to the security of the entire IoT ecosystem — and, ultimately, the organization’s IT environment. Devices often lack built-in security controls due to their limitations — namely, their small computational capacity and low-power design.
As a result, many devices can’t support security features such as authentication, encryption and access control. Even when endpoint devices have security controls such as passwords, some organizations deploy them without using or enabling them. That leaves devices and the organization vulnerable to various attack types, including brute-force attacks.
3. Maintenance and update challenges
Challenges with adequately maintaining endpoint devices and updating software create further security vulnerabilities. There are a few contributing factors here. First, updates like a security patch to address a vulnerability that hackers could exploit might not be forthcoming from device vendors, particularly if the endpoint device is older. Second, connectivity limitations, along with a device’s limited computation capacity and power supply, could make updating devices deployed in the field impossible.
4. Lack of visibility into the IoT environment
Even when updates are possible, organizations might not know whether they have devices to update. According to a 2024 survey by Starfleet Research, nearly half (46%) of security leaders reported difficulty in gaining IoT device visibility.
5. Shadow IoT
A related risk is shadow IoT — that is, IoT endpoints deployed without IT’s or the security department’s official support or permission. These unsanctioned IoT devices could be personal items with an IP address, such as fitness trackers or digital assistants, but they could also be corporate and enterprise technologies, such as wireless printers. Either way, they create risks for the enterprise because they might not meet an organization’s security standards, and even if they do, they might not be configured and deployed in ways that follow security best practices.
Additionally, IT administrators and security teams generally lack knowledge of these deployments. They might not monitor them or their traffic, giving hackers a higher chance of successfully breaching them without being detected.
6. Poor asset management
Organizations face challenges not only in identifying all the IoT devices in their environment but also in effectively managing the devices they do have. Some fail to patch vulnerabilities and update software when patches and updates are available. Others neglect to fix known misconfigurations in a timely manner, if at all, or implement adequate access controls. Organizations often fail to take such actions because the work it requires exceeds their capacity to do it.
7. Inadequate or nonexistent monitoring and incident response capabilities
Monitoring for unusual activities and traffic that could indicate attempted attacks has become a standard security practice to safeguard IT environments. The same goes for incident response capabilities. However, organizations don’t always have those capabilities or the same level of maturity in their capabilities within the IoT environment for various reasons, such as resource constraints and the complexity of IoT environments.
8. Unencrypted data transmissions
IoT devices collect vast amounts of data as they measure and record everything from temperature readings to the speed of objects. They send much of this data to centralized locations — usually in the cloud — for processing, analysis and storage. They also frequently receive information back that tells the devices what actions to take. Studies have shown that a significant portion of this transmitted data is unencrypted.
9. IoT botnets
In addition to vulnerabilities, threats are coming from outside the IoT environment. One such threat is the botnet. Enterprise IT and security leaders have consistently listed this as a top threat following the major botnet attacks, such as Mirai, that arose nearly a decade ago.
In these attacks, an attacker infects an IoT device with malware through an unprotected port or phishing scam and co-opts it into an IoT botnet to initiate massive cyberattacks. Hackers can easily find malicious code on the internet that detects susceptible machines or hides code from detection before another code module signals devices to launch an attack or steal information.
IoT botnets are frequently used for DDoS attacks to overwhelm a target’s network traffic. Botnet orchestrators find IoT devices an attractive target because of weak security configurations and the number of devices that can be consigned to a botnet to target organizations.
10. DNS threats
Many organizations use IoT to collect data from older machines that lack the most recent security standards. When organizations combine legacy devices with IoT, it can expose the network to older device vulnerabilities. IoT device connections often rely on DNS, a decentralized naming system from the 1980s, which might not handle the scale of IoT deployments that can grow to thousands of devices. Hackers can use DNS vulnerabilities in DDoS attacks and DNS tunneling to get data or introduce malware.
11. Malicious node injection
Hackers can also attack an IoT ecosystem by inserting or injecting fake nodes into the web of legitimate connecting nodes, thereby enabling hackers to alter and/or control the data flowing between the fake and legitimate nodes — and, ultimately, all the nodes in the web.
12. IoT ransomware
As the number of insecure devices connected to corporate networks increases, so do IoT ransomware attacks. Hackers infect devices with malware to turn them into botnets that probe access points or search for valid credentials in device firmware that they can use to enter the network.
With network access through an IoT device, attackers can exfiltrate data to the cloud and threaten to keep, delete or make the data public unless paid a ransom. Sometimes, payment isn’t enough for an organization to get all its data back, and the ransomware automatically deletes the files, regardless.
13. Tampering with physical devices
Hackers tampering with physical devices presents another risk. This could mean that attackers physically access an IoT device to steal data, tamper with the device to install malware, access its ports and inner circuits to break into the organization’s network, or destroy it altogether.
14. Firmware exploits/supply chain vulnerabilities
As headline-making attacks in recent years have shown, hackers use vulnerabilities in the technology components and software that organizations buy to run their operations. Those same supply chain vulnerabilities exist in the IoT market, which leaves organizations reliant on their IoT vendors to identify the vulnerabilities and offer fixes. And when these vendors are not forthcoming — or not responsive quickly enough — organizations can fall victim to hackers whose MO is targeting known vulnerabilities in IoT equipment.
15. Vulnerabilities in the ecosystem
As IoT devices proliferated, so did their connections to the organization’s infrastructure and the broader connected universe. That connectedness, which is the very nature of IoT, can amplify the potential risks associated with vulnerabilities anywhere in the ecosystem. For example, insecure interfaces such as APIs create an entry point for hackers who could use that foothold to access increasingly sensitive points within the ecosystem.
How to defend against IoT security risks
IT teams must take a multilayered approach to IoT security risk mitigation and adopt a zero-trust approach to security, whereby access is given to entities — whether human users or IoT devices — only after they verify their identities and enterprise-authorized rights to connect with the systems or data they are seeking to access.
In addition to those overarching security strategies, organizations should have specific defenses to protect against the different types of IoT attacks. They should establish robust governance policies and practices to mitigate excessive risk.
IoT security combines policy enforcement and software to detect and address any threats. Enterprise IT teams, in conjunction with security teams and the business departments that own IoT use cases, should do the following:
- Enact and enforce strong password policies for devices on the network.
- Use threat detection software to anticipate potential attacks and network monitoring tools to detect activities that could indicate a threat, attack attempt or actual attack.
- Have a comprehensive asset detection and management program to ensure better visibility into the endpoints deployed in their enterprise and what data is on their IoT devices.
- Conduct device vulnerability assessments.
- Disable unneeded services.
- Perform regular data backups.
- Implement and practice disaster recovery procedures.
- Implement network segmentation.
- Install software that counters the various attack types, such as using DNS Security Extensions, a cryptographic security protocol that helps secure the DNS.
Additionally, organizations should follow basic cybersecurity measures, such as authentication, regular updates and patches, and confirm that IoT devices meet security standards and protocols before they’re added to the network.
Data protection strategies are another way to boost IoT security. IT teams can help ensure data security by using visibility tools, data classification systems, data encryption measures, data privacy measurements and log management systems.
For physical security measures, organizations should place devices in a tamper-resistant case and remove any device information manufacturers might include on the parts, such as model numbers or passwords. IoT designers should bury conductors in the multilayer circuit board to prevent hackers from easily accessing them. If a hacker does tamper with a device, it should have a disable function, such as short-circuiting when opened.
Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.
