Common vulnerabilities in IoT devices

The Internet of Things (IoT) is experiencing explosive growth. From smart thermostats and medical devices to industrial sensors, an increasing number of everyday and specialized devices are being connected to the internet and private networks. While this connectivity offers significant benefits for consumers, businesses, and organizations alike, it also introduces a much larger attack surface. In many cases, IoT devices are developed with a strong focus on functionality and cost-efficiency, often at the expense of security. As a result, vulnerabilities are not just common; they are often fundamental to how these devices are designed and deployed.
In this article, we’ll take a closer look at five of the most prevalent and critical vulnerabilities found in IoT devices, drawing from hands-on experience in penetration testing and reverse engineering.
1. Hardcoded credentials
One of the most widespread issues in consumer IoT devices is the use of hardcoded credentials: usernames and passwords that are permanently embedded in the device’s firmware. These credentials can apply to a range of services, from Telnet and SSH access to video streaming on IP cameras, or even access to debug interfaces and the cloud services the device relies on.
The core problem with this vulnerability is that once an attacker obtains the firmware, whether by dumping it from the flash memory chip or extracting it from an update file, they can often retrieve these hardcoded credentials with minimal effort. And since the same credentials are typically used across all devices of a specific model, compromising one device can lead to access to every other device that shares the same credentials.
In the VHL IoT Penetration Testing Essentials course, we explore this vulnerability in practice by analyzing an IP camera that includes hardcoded credentials for both the root account and the RTSP video stream. By extracting and analyzing the camera’s firmware, we were able to uncover these credentials and demonstrate how this issue can lead to widespread compromise.
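As an added illustration (not code from the course or this article), the following Python script audits an unpacked firmware root filesystem the way a reviewer would after extracting it: it flags accounts in etc/passwd and etc/shadow that ship with a usable or empty password, and configuration files that embed credentials in URLs such as an RTSP stream address. The sample filesystem, its account names and the placeholder hash are constructed for the example.

```python
import os
import re
import tempfile

# Password fields meaning "no usable password" (locked/disabled, or kept in shadow).
LOCKED = {"*", "!", "!!", "!*", "x"}
# URL carrying embedded credentials, e.g. rtsp://admin:admin@host/stream
CRED_URL = re.compile(r"[a-z][a-z0-9+.-]*://([^\s:@/]+):([^\s@/]+)@", re.I)


def audit_rootfs(root):
    """Scan an unpacked firmware tree; return findings a reviewer should triage."""
    findings = {"password_hashes": [], "empty_passwords": [], "embedded_urls": []}
    for rel in ("etc/passwd", "etc/shadow"):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                parts = line.rstrip("\n").split(":")
                if len(parts) < 2 or not parts[0]:
                    continue
                user, pw = parts[0], parts[1]
                if pw == "":                   # passwordless login, e.g. "daemon::1:1..."
                    findings["empty_passwords"].append((rel, user))
                elif pw not in LOCKED:         # a real hash shipped identically in every unit
                    findings["password_hashes"].append((rel, user))
    for dirpath, _, files in os.walk(os.path.join(root, "etc")):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                for m in CRED_URL.finditer(fh.read()):
                    findings["embedded_urls"].append((os.path.relpath(full, root), m.group(1)))
    return findings


def build_sample_rootfs():
    """Constructed sample resembling an IP camera rootfs (not a real firmware)."""
    root = tempfile.mkdtemp(prefix="rootfs_")
    os.makedirs(os.path.join(root, "etc"))
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\ndaemon::1:1::/:/bin/false\n",
        "etc/shadow": "root:$1$saltsalt$placeholderhash123:0:0:99999:7:::\nnobody:*:0:0:99999:7:::\n",
        "etc/camera.conf": "stream=rtsp://admin:admin@127.0.0.1:554/live\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return root
```

Running `audit_rootfs(build_sample_rootfs())` reports the root hash in etc/shadow, the passwordless daemon account and the RTSP credentials in etc/camera.conf; on a real extraction, point it at the directory Binwalk produced.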
2. Unauthenticated access to interfaces
Many IoT devices offer management and maintenance access through a web interface, a mobile API, or local connections such as Bluetooth or serial interfaces. However, it’s common for consumer-grade devices to lack proper authentication and authorization controls on these entry points.
Typical examples include API endpoints that don’t require authentication tokens, debug interfaces that grant direct root shell access without any login prompt, or Bluetooth services that can be used without even pairing the device. These oversights allow attackers to access sensitive features or data without needing valid credentials. In some cases, this level of access can go even further, enabling attackers to modify firmware, alter device settings, or execute arbitrary code directly on the system running the IoT device.
3. Unencrypted communications
When an IoT device communicates over the network without encryption, any data it transmits can potentially be intercepted and read by attackers who have access to that network traffic. This includes sensitive information such as user passwords sent over HTTP, MQTT messages transmitted without TLS, or firmware updates downloaded without any encryption. In these scenarios, data is exposed in clear text and can be easily captured.
However, attackers don’t always need access to the same network as the IoT device. Devices that use wireless technologies like Bluetooth (including Bluetooth Low Energy) can be targeted simply by being within range. For instance, an attacker could intercept unencrypted Bluetooth signals from a smart lock or a remote control that opens a gate or garage door.
Even when encryption is used, it doesn’t guarantee security if it’s poorly implemented. IoT devices often suffer from weak cryptographic practices, such as failing to properly validate certificates or relying on outdated algorithms. In such cases, attackers may still decrypt the communication, whether by exploiting implementation flaws or conducting brute force attacks against weak keys.
In the VHL IoT Penetration Testing Essentials course we cover various techniques to bypass certificate validation and intercept IoT device firmware during the update process.
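The following Python example is added here and is not from the course or the article: it parses an MQTT 3.1.1 CONNECT packet, the message in which a client presents its username and password, and flags credentials that a passive network monitor would see in cleartext because they did not travel over the TLS port. The packet, the client name and the credential values are constructed for the example.

```python
import struct

MQTT_TLS_PORT = 8883   # MQTT over TLS; 1883 is the cleartext default

def _varint(buf, pos):
    """Decode an MQTT 'remaining length' varint; return (value, new_pos)."""
    value, mult = 0, 1
    while True:
        b = buf[pos]; pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128

def _field(buf, pos):
    """Read a 2-byte length-prefixed UTF-8 string; return (text, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def parse_connect(pkt):
    """Parse an MQTT 3.1.1 CONNECT packet; return client id and any credentials."""
    if pkt[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    _, pos = _varint(pkt, 1)
    name, pos = _field(pkt, pos)          # protocol name, "MQTT"
    level, flags = pkt[pos], pkt[pos + 1]
    pos += 4                              # level, connect flags, 2-byte keep-alive
    client_id, pos = _field(pkt, pos)
    if flags & 0x04:                      # Will flag set: skip will topic and message
        _, pos = _field(pkt, pos); _, pos = _field(pkt, pos)
    user = pwd = None
    if flags & 0x80: user, pos = _field(pkt, pos)   # User Name flag
    if flags & 0x40: pwd, pos = _field(pkt, pos)    # Password flag
    return {"protocol": name, "level": level, "client_id": client_id,
            "username": user, "password": pwd}

def build_connect(client_id, username, password):
    """Construct a sample CONNECT packet as a client would send it."""
    def s(t): return struct.pack(">H", len(t)) + t.encode()
    # flags 0xC2: username + password present, clean session
    body = s("MQTT") + bytes([4, 0xC2]) + struct.pack(">H", 60) + s(client_id) + s(username) + s(password)
    assert len(body) < 128                # one-byte remaining length is enough here
    return bytes([0x10, len(body)]) + body

def cleartext_findings(dst_port, pkt):
    """Flag credentials observed on a non-TLS port, as a passive monitor would."""
    info = parse_connect(pkt)
    if dst_port != MQTT_TLS_PORT and (info["username"] or info["password"]):
        return [f"cleartext MQTT credentials for user {info['username']!r} from client {info['client_id']!r}"]
    return []
```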
4. Vulnerable or outdated firmware
Many IoT devices are not updated automatically, neither by the system nor by the end users. In fact, some manufacturers don’t provide updates at all, leaving critical security vulnerabilities unaddressed for extended periods. This often results in known vulnerabilities remaining active on countless devices, sometimes even years after they’ve been publicly disclosed. The problem is further compounded by the use of outdated system components; it’s not uncommon to find IoT devices running years-old Linux kernels or legacy versions of OpenSSL, effectively making the firmware outdated and vulnerable.
In the VHL IoT Penetration Testing Essentials course, we explore several techniques for extracting a device’s firmware, such as reading directly from the flash memory chip or dumping data byte by byte via a bootloader shell. Once the firmware is obtained, it can be analyzed for vulnerabilities using tools like Binwalk, Ghidra, and GDB, giving you practical skills to uncover and understand real-world security flaws.
5. Insufficient physical security
Although IoT devices are typically compact in size, they often include physical interfaces such as UART, JTAG, or direct access to storage chips like SPI flash and NAND. In many cases, these interfaces remain accessible and unprotected even in production models, making it relatively easy for security researchers to extract firmware.
While higher-end consumer IoT devices are increasingly adopting encryption techniques to secure firmware stored in memory, this protection is not always sufficient. In many instances, attackers can bypass these measures by targeting a running device, where the firmware is loaded and accessible in unencrypted form in the system’s RAM.
Conclusion
The security of certain consumer IoT devices continues to fall behind the rapid pace of market growth. Price-driven competition and fast-moving technological advancements are significantly impacting the security standards in this segment. The vulnerabilities we’ve outlined, ranging from hardcoded credentials to weak physical access controls, are recurring, structural issues commonly found in consumer-grade IoT products. For both penetration testers and embedded system developers, it’s crucial to identify, understand, and proactively address these security flaws.
In the world of IoT, security goes far beyond simply applying software patches. It requires a systematic approach to testing the entire IoT ecosystem, from hardware to software and from communication technologies to cloud services. This includes checking for default passwords, analyzing the communication protocols in use, assessing physical access points, and thoroughly examining firmware update mechanisms. Systematic testing of IoT devices in accordance with standards such as ETSI EN 303 645 and the OWASP IoT Security Verification Standard (ISVS) also contributes to more secure IoT devices.
VHL IoT Penetration Testing Essentials
Are you interested in securing smart devices and want to learn how to identify and analyze vulnerabilities in IoT devices? Do you want to gain experience with techniques such as firmware analysis, debugging, serial communication and network traffic inspection? Then the IoT Penetration Testing Essentials course from Virtual Hacking Labs is just what you’re looking for. This course is designed specifically for both novice and advanced penetration testers who want to learn more about testing Internet of Things (IoT) devices. You will learn step-by-step how to analyze and test IoT devices for existing and zero-day vulnerabilities.
Want to know more about the IoT Pentesting course? Check out the full course content and start learning essential skills for pentesting tomorrow’s IoT devices today.
Got questions about the IoT Pentesting course?
Check out the dedicated FAQ section for the IoT Penetration Testing Essentials course.
IoT Penetration Testing Essentials Memberships
- 6 Month plan IoT Pentesting Essentials: $225.00 (original price $249.00)
- 12 Month plan IoT Pentesting Essentials: $299.00 (original price $349.00)