Common Vulnerabilities in IoT devices

The Internet of Things (IoT) has experienced explosive growth over the past decade and has become an integral part of modern-day households. From smart thermostats and smart wearables to medical devices and industrial sensors, an increasing number of everyday and specialized devices are being connected to the internet and private networks to simplify life. While these smart devices offer significant benefits for consumers, businesses, and organizations alike, they also introduce a much larger attack surface in any network. In many cases, IoT devices are developed with a strong focus on functionality and cost-efficiency, often at the expense of security. As a result, vulnerabilities are not just common, they’re often fundamental to how these devices are designed and deployed. This is what I see almost daily when performing security research on IoT devices: hardcoded credentials, static encryption keys, unencrypted communications, outdated software components and insufficient hardware security.

In this article, we’ll take a closer look at five of the most prevalent critical vulnerabilities found in IoT devices, drawing on hands-on experience in penetration testing and reverse engineering IoT devices and firmware. For each vulnerability, we break down what it is and why it’s a problem.

1. Hardcoded credentials

What: One of the most common problems in consumer IoT devices is the use of hardcoded credentials, which are usernames and passwords that are permanently built into the device’s firmware and apply to all devices of the same type. These fixed credentials can apply to various services, including Telnet and SSH access, video streaming on IP cameras, and even access to debug interfaces and cloud services that the device depends on.

Why: The core problem with this vulnerability is that once an attacker obtains the firmware, whether by dumping it from the flash memory chip or extracting it from an update file, they can often retrieve the hardcoded credentials with minimal effort. And since the same credentials are typically used across all devices of a specific model, compromising one device can lead to access to every other device that shares the same credentials.

More information: CWE-798: Use of Hard-coded Credentials

In the VHL IoT Penetration Testing Essentials course, we explore this vulnerability in practice by analyzing an IP camera that includes hardcoded credentials for both the root account and the RTSP video stream. By extracting and analyzing the camera’s firmware, we were able to uncover these credentials and demonstrate how this issue can lead to widespread compromise.
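A small audit of an unpacked firmware root filesystem for the credentials described above, written as an added example for this article (it is not code from the course or from any device vendor; the /etc/shadow and RTSP configuration contents are constructed samples): it reports accounts that can log in with a password hash or an empty password baked into the image, and configuration keys whose secret is a literal value shared by every unit.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed samples (not from any real device) standing in for /etc/shadow
// and a service config as found after unpacking a firmware image.
const sampleShadow = `root:$1$abcdefgh$ijklmnopqrstuvwxyz0123:18000:0:99999:7:::
admin::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
`
const sampleRTSPConf = `# rtsp server configuration
port=554
user=admin
password=123456
`
// Config keys whose literal value is a secret shipped with every unit.
var secretKey = regexp.MustCompile(`(?i)^\s*(passw(or)?d|secret|api_key)\s*=\s*\S+`)
// AuditShadow flags accounts that can log in with a secret baked into the
// image: a fixed hash (identical on all units) or an empty password field.
func AuditShadow(shadow string) []string {
	var out []string
	for _, line := range strings.Split(shadow, "\n") {
		f := strings.Split(line, ":")
		if len(f) < 2 || f[0] == "" {
			continue
		}
		switch hash := f[1]; {
		case hash == "":
			out = append(out, "/etc/shadow: "+f[0]+" has an empty password")
		case hash[0] == '*' || hash[0] == '!': // locked account, cannot log in
		default:
			out = append(out, "/etc/shadow: "+f[0]+" has a fixed password hash")
		}
	}
	return out
}
// AuditConfig flags key=value lines that embed a secret in plain text.
func AuditConfig(path, content string) []string {
	var out []string
	for n, line := range strings.Split(content, "\n") {
		if m := secretKey.FindStringSubmatch(line); m != nil {
			out = append(out, fmt.Sprintf("%s: line %d sets %s to a literal value", path, n+1, m[1]))
		}
	}
	return out
}
```

Run both functions over every passwd/shadow file and configuration directory in the unpacked image; a finding for root or for a streaming service is exactly the shared-credential case described above.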

2. Unauthenticated access to interfaces

What: Many IoT devices offer management and maintenance access through a web interface, a mobile app or API, or local connections such as Bluetooth or serial interfaces. However, it’s common for consumer-grade devices to lack proper authentication and authorization controls on these entry points, allowing an unauthenticated attacker access to the administration interface of the device.

Why: Typical examples include API endpoints that don’t require authentication tokens, debug interfaces that grant direct root shell access without any login prompt, or Bluetooth services that can be used without pairing with the device. These oversights allow attackers to access sensitive features or data without needing valid credentials. In some cases, this level of access can go even further, enabling attackers to modify firmware, alter device settings, execute arbitrary code directly on the system running the IoT device or even add the device to a botnet.

More information: CWE-284: Improper Access Control

3. Unencrypted communications

What: When an IoT device communicates over the network without encryption, any data it transmits can potentially be intercepted and read by attackers who have access to that network traffic. This includes sensitive information, such as user passwords sent over HTTP, MQTT messages transmitted without TLS, or firmware updates downloaded without any encryption.

However, attackers don’t always need access to the same network as the IoT device. Devices that use wireless technologies like Bluetooth (including Bluetooth Low Energy) can be targeted simply by being within range. For instance, an attacker could intercept unencrypted Bluetooth signals from a smart lock or a remote control that opens a gate or garage door.

Why: When cleartext data is sent over an unencrypted network connection, it can be easily intercepted by attackers with access to the network. Additionally, attackers can carry out man-in-the-middle attacks, impersonating other websites to trick users or capture sensitive information.

Even when encryption is used, it doesn’t guarantee security if it’s poorly implemented. IoT devices often suffer from weak cryptographic practices, such as failing to properly validate certificates or relying on outdated algorithms. In such cases, attackers may still decrypt the communication, whether by exploiting implementation flaws or conducting brute force attacks against weak keys.

More information: CWE-306: Missing Authentication for Critical Function, CWE-319: Cleartext Transmission of Sensitive Information and CWE-311: Missing Encryption of Sensitive Data

In the VHL IoT Penetration Testing Essentials course we cover various techniques to bypass certificate validation and intercept IoT device firmware during the update process.

4. Vulnerable or outdated firmware

What: Many IoT devices are not updated automatically, neither by the device itself nor by end users. In fact, some manufacturers don’t provide updates at all, leaving critical security vulnerabilities unaddressed for extended periods of time. As a result, known vulnerabilities remain active on countless devices, sometimes years after they’ve been publicly disclosed. The problem is further compounded by the use of outdated system components; it’s not uncommon to find IoT devices running years-old Linux kernels or legacy versions of OpenSSL, effectively making the firmware outdated and vulnerable.

Why: Security updates are crucial for addressing critical vulnerabilities and keeping IoT devices safe. Without a secure update mechanism, devices remain exposed to known threats for extended periods, leaving them at risk of exploitation.

In the VHL IoT Penetration Testing Essentials course, we explore several techniques for extracting an IoT device’s firmware, such as reading directly from the flash memory chip or dumping data byte by byte via a bootloader shell. Once the firmware is obtained, it can be analyzed for vulnerabilities using tools like Binwalk, Ghidra, and GDB, giving you practical skills to uncover and understand real-world security flaws.

More information: CWE-1277: Firmware Not Updateable

5. Unprotected hardware interfaces

What: Although IoT devices are typically compact in size, they often include physical interfaces such as UART, JTAG, or direct access to storage chips like SPI flash and NAND. In many cases, these interfaces remain accessible and unprotected even in production models, making it relatively easy for security researchers to extract firmware or obtain shell access to the device.

While higher-end consumer IoT devices are increasingly adopting encryption techniques to secure firmware stored in memory, this protection is not always sufficient. In many instances, attackers can bypass these measures by targeting a running device, where the firmware is loaded and accessible in unencrypted form in the system’s RAM.

Why: Insufficient physical security in IoT devices allows attackers with physical access to tamper with the hardware, extract sensitive data, or bypass software protections. This can lead to the compromise of stored credentials, encryption keys, or the device’s firmware.

More information: CWE-1263: Improper Physical Access Control

Conclusion

The security of certain consumer IoT devices continues to fall behind the rapid pace of market growth. Price-driven competition and fast-moving technological advancements are significantly impacting the security standards in this segment. The vulnerabilities we’ve outlined in this article, ranging from hardcoded credentials to weak physical access controls, are recurring, structural issues commonly found in consumer-grade IoT products. For both penetration testers and embedded system developers, it’s crucial to identify, understand, and proactively address these security flaws. IoT devices would be a lot more secure if only these types of vulnerabilities were avoided in the product development process.

It’s important to mention that these are not the only vulnerabilities commonly found in IoT devices. Critical vulnerabilities caused by unsanitized user input are also widespread, such as Remote Code Execution, Local File Inclusion, and file upload vulnerabilities. Finally, buffer overflow vulnerabilities are also a common phenomenon in embedded and IoT devices. This type of vulnerability typically has serious security consequences, ranging from full device takeover to Denial of Service conditions.

Remote Code Execution: CWE-20: Improper Input Validation

Buffer Overflow: CWE-120: Buffer Copy without Checking Size of Input

IoT Security Hardening

On a more positive note, more and more manufacturers are now using strong encryption methods, encrypting firmware, and disabling hardware debug interfaces, which makes it harder to get a foothold on the IoT device through physical access. However, these security mechanisms can often still be bypassed, sometimes with a bit more (reverse engineering) effort, and once you get past them, you often end up facing the same list of common vulnerabilities all over again: weak passwords, static encryption keys, outdated components and unencrypted communications.

IoT Security Assessments

In the world of IoT, security goes far beyond simply applying software patches. It requires a systematic approach to testing the entire IoT ecosystem, from hardware to software and from communication technologies to cloud services. This includes checking for default passwords, analyzing the communication protocols in use, assessing physical access points, and thoroughly examining firmware update mechanisms. Systematic testing of IoT devices in accordance with standards such as ETSI EN 303 645 and the OWASP IoT Security Verification Standard (ISVS) also contributes to more secure IoT devices.

VHL IoT Penetration Testing Essentials

Are you interested in securing smart devices and want to learn how to identify and analyze vulnerabilities in IoT devices? Do you want to gain experience with techniques such as firmware analysis, debugging, serial communication and network traffic inspection? Then the IoT Penetration Testing Essentials course from Virtual Hacking Labs is just what you’re looking for. This course is designed specifically for both novice and advanced penetration testers who want to learn more about testing Internet of Things (IoT) devices. You will learn step-by-step how to analyze and test IoT devices for existing and zero-day vulnerabilities.

Want to know more about the IoT Pentesting course? Check out the full course content and start learning essential skills for pentesting tomorrow’s IoT devices today.


Got questions about the IoT Pentesting course?

Check out the dedicated FAQ section for the IoT Penetration Testing Essentials course.
