Skip main navigation

IoT device design and development

Outlines major vulnerabilities of IoT devices
Man working on computer

“Smart yet flawed” is the term used by the security software developers when explaining the seriousness of the inherent vulnerabilities of IoT devices.

The following table identifies the most common IoT vulnerabilities. Most of these vulnerabilities, namely unnecessary open ports, insufficient logging mechanisms, inadequate privacy protection and encryption, lack of automatic patch management, and hardcoded passwords are caused by poor software design.

Insecure networks icon Insecure networks: Insecure networks can make it easy for attackers to exploit weaknesses in the protocols and services that run on IoT devices. Once the network is exploited, attackers can breach confidential data that travels between user devices and the server.
Insecure/outdated components icon Insecure/outdated components: IoT devices can be exploited as a result of using insecure or outdated components, such as open source code, legacy systems, and outdated third party software that contains vulnerabilities.
Hardcoded passwords icon Hardcoded passwords: Hardcoded passwords – that is, passwords that cannot be changed – are a common vulnerability that attackers often use to compromise IoT devices. Similarly, weak/simple and reused passwords make it easy for attackers to compromise IoT devices.
Hardcoded settings icon Hardcoded settings: IoT devices typically have default and hardcoded settings to facilitate simple setup by the user. However, these default settings are very insecure and it can be easy for attackers to breach and exploit device vulnerabilities.
Poor privacy protection icon Poor privacy protection: IoT devices often collect a range of personal data that needs to be securely stored and processed to comply with data privacy regulations. Failure to protect this sensitive and personal data – through encryption and the like – can result in data leaks that jeopardise both user privacy and the business’s reputation.
Insecure update processes icon Insecure update processes: Insecure update processes heighten the risk of malicious or unauthorised code, software or firmware being installed on the IoT device. Updates need to be secure and on encrypted channels. All software and firmware must be validated and approved.
Open ports icon Open ports: Unused open ports in IoT devices can allow attackers to exploit vulnerable services.
Insecure data transfer icon Insecure data transfer: IoT devices receive or transmit data – this data transfer (and storage) must be undertaken across secure networks to ensure that only authorised users have access. This ensures the confidentiality, integrity and availability of IoT applications.

Furthermore, OWASP IoT Top10 also identifies similar software vulnerabilities in their top 10 list.

This reinforces that software running on the devices, gateways, mobile and data centre applications, and the application program interfaces (APIs) from which the services are consumed, should be subjected to assurance to ensure they are free from security defects. Considering this, it is imperative to have security embedded in the design of IoT devices, including its controlling software.

Want to know more?


Read this article which explains the “smart but flawed” concept. The article highlights why it is necessary to be cautious and understand that “smart” can also mean vulnerability to threats:

© RMIT 2023
This article is from the free online

Security by Design

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now