Learn Cyber: IoT Security Explained — A Beginner's Guide to Securing the Internet of Things

IoT Security Explained — A Beginner's Guide to Securing the Internet of Things

DodaTech Updated Jun 7, 2026 13 min read

IoT security is the practice of protecting Internet of Things devices — smart cameras, sensors, industrial controllers, medical devices — from threats arising from limited computing resources, lack of update mechanisms, and insecure default configurations that make them attractive attack targets.

What You’ll Learn

By the end of this tutorial, you’ll understand the OWASP IoT Top 10, perform basic firmware analysis, implement secure boot and update mechanisms, segment IoT networks, and apply security controls to common IoT devices.

Why IoT Security Matters

There are over 30 billion IoT devices in 2026 — more than 3 per person. The Mirai botnet (2016) used insecure IoT cameras to launch a 1.2 Tbps DDoS attack. In 2025, a compromised smart building system led to a physical security breach. IoT security isn’t just about data — it’s about safety. At DodaTech, Durga Antivirus Pro extends protection to IoT devices through network-level threat detection.

IoT Security Learning Path

    flowchart LR
  A[Network Security] --> B[Security Operations]
  B --> C[IoT Security]
  C --> D{You Are Here}
  C --> E[Firmware Analysis]
  C --> F[Network Segmentation]
  style D fill:#f90,color:#fff

Prerequisites: Cyber Security basics and Linux command line familiarity. Cloud Computing concepts help for understanding IoT cloud integrations.

What Is IoT Security? (The “Why” First)

Think of IoT security like installing smart locks on every door in a building — but the locks themselves have no physical security. A smart lock that can be hacked remotely is worse than a regular lock because it creates a false sense of security while giving attackers a remote entry point.

IoT devices are uniquely vulnerable because:

Limited resources — can’t run antivirus or complex encryption
No update mechanism — many devices never receive patches
Default credentials — “admin/admin” is still common
Always on — 24/7 attack surface
Physical access — often deployed in accessible locations
Diverse protocols — Zigbee, Z-Wave, MQTT, CoAP with varying security

OWASP IoT Top 10

IOT1: Weak, Guessable, or Hardcoded Passwords

The #1 IoT vulnerability. Default credentials are rarely changed:

# iot_password_checker.py — Check for common IoT credentials

class IoTPasswordChecker:
    """Check if IoT device uses common default credentials."""

    COMMON_DEFAULTS = [
        ("admin", "admin"),
        ("admin", "password"),
        ("admin", "1234"),
        ("root", "root"),
        ("root", "admin"),
        ("user", "user"),
        ("admin", "(none)"),
        ("admin", "default"),
        ("admin", "12345"),
        ("admin", "password123"),
    ]

    @classmethod
    def check_credentials(cls, username: str, password: str) -> dict:
        """Check if credentials match common defaults."""
        match = (username, password) in cls.COMMON_DEFAULTS
        return {
            "username": username,
            "password_placeholder": "*" * len(password),
            "is_default": match,
            "risk": "CRITICAL" if match else "LOW",
            "message": "CHANGE IMMEDIATELY" if match else "No match with known defaults"
        }

    @classmethod
    def password_strength(cls, password: str) -> dict:
        """Evaluate password strength."""
        checks = {
            "length": len(password) >= 12,
            "uppercase": any(c.isupper() for c in password),
            "lowercase": any(c.islower() for c in password),
            "digit": any(c.isdigit() for c in password),
            "special": any(c in "!@#$%^&*()_+-=[]{}|;':\",./<>?" for c in password),
        }
        score = sum(checks.values())
        return {
            "score": score,
            "max_score": 5,
            "strength": ["Critical", "Weak", "Fair", "Good", "Strong"][score],
            "checks": checks
        }

# Example
result = IoTPasswordChecker.check_credentials("admin", "password")
print(f"Default credentials: {result['is_default']} — {result['message']}")

strength = IoTPasswordChecker.password_strength("D0daT3ch!2026")
print(f"Password strength: {strength['strength']} ({strength['score']}/{strength['max_score']})")

Mitigation:

Force password change on first login
Require minimum password complexity
Generate unique default passwords (printed on device label)
No hardcoded backdoor accounts

IOT2: Insecure Network Services

Unnecessary or vulnerable network services running on the device:

# Check for open ports on an IoT device
nmap -sV -p 1-65535 <iot-device-ip>

# Common insecure services to watch for:
# - Telnet (port 23) — unencrypted, use SSH instead
# - FTP (port 21) — unencrypted, use SFTP/SCP
# - HTTP (port 80) — unencrypted, use HTTPS
# - SNMP (port 161) — check for public/private community strings
# - UPnP (port 1900) — often vulnerable, disable if not needed

Mitigation:

Minimize exposed services (only what’s needed)
Disable Telnet, FTP, HTTP — use SSH, SFTP, HTTPS
Implement service authentication
Regular vulnerability scanning of exposed ports

IOT3: Insecure Ecosystem Interfaces

Insecure web, cloud, or mobile interfaces for IoT management:

# iot_interface_check.py — Check IoT management interfaces

class IoTEcosystemCheck:
    """Security checks for IoT ecosystem interfaces."""

    @staticmethod
    def check_web_interface(url: str) -> list[str]:
        """Common web interface security checks."""
        issues = []
        # In production, make actual HTTP requests
        # For this demo, we simulate findings
        checks = {
            "HTTPS enforced": False,
            "HSTS header": False,
            "Content-Security-Policy": False,
            "X-Frame-Options: DENY": False,
            "Session timeout": False,
            "Account lockout after failed attempts": False,
            "No default credentials": False,
            "CSRF protection": False,
            "XSS protection headers": False,
        }
        for check, passed in checks.items():
            if not passed:
                issues.append(f"Missing: {check}")
        return issues

    @staticmethod
    def check_mobile_app_practices() -> list[str]:
        """Common mobile app security issues for IoT controllers."""
        return [
            "API keys hardcoded in app",
            "No certificate pinning",
            "Sensitive data stored insecurely",
            "Biometric without server-side verification",
            "No rate limiting on API calls",
        ]

    @staticmethod
    def check_cloud_api(endpoint: str) -> list[str]:
        """Common cloud API security issues."""
        return [
            "No authentication on some endpoints",
            "No rate limiting",
            "Verbose error messages exposing internals",
            "API keys transmitted in URL parameters",
        ]

Mitigation:

Enforce HTTPS with valid certificates
Implement proper session management
Apply OWASP Web/API security practices
Rate limit all API endpoints
Log and monitor all access

IOT4: Lack of Secure Update Mechanism

Devices that can’t be updated become permanent vulnerabilities:

# iot_update_security.py — Secure update mechanisms

class SecureUpdateMechanism:
    """Secure firmware update patterns for IoT."""

    @staticmethod
    def secure_update_process() -> dict:
        """Required steps for a secure update process."""
        return {
            "signing": {
                "requirement": "Firmware must be digitally signed",
                "algorithm": "ECDSA P-384 or RSA 3072+",
                "key_management": "Hardware-backed storage for signing keys"
            },
            "verification": {
                "requirement": "Device verifies signature before applying",
                "process": [
                    "1. Download firmware + signature + manifest",
                    "2. Verify signature against embedded public key",
                    "3. Verify firmware integrity (SHA-384 hash)",
                    "4. Verify version number (prevent rollback)",
                    "5. Apply update to inactive partition (A/B update)",
                    "6. Verify checksum after write",
                    "7. Switch to new partition and reboot",
                    "8. If boot fails, roll back to previous partition"
                ]
            },
            "anti_rollback": {
                "requirement": "Prevent reverting to vulnerable firmware",
                "mechanism": "Version in OTP (one-time programmable) memory or TPM"
            }
        }

    @staticmethod
    def check_update_readiness(device_config: dict) -> list[str]:
        """Check if a device supports secure updates."""
        issues = []
        if not device_config.get("signed_updates"):
            issues.append("CRITICAL: Firmware updates are not digitally signed")
        if not device_config.get("secure_boot"):
            issues.append("HIGH: Device doesn't verify boot chain integrity")
        if not device_config.get("a_b_partitioning"):
            issues.append("MEDIUM: No A/B partitioning — update failure bricks device")
        if not device_config.get("anti_rollback"):
            issues.append("HIGH: Device can be rolled back to vulnerable firmware")
        return issues

# Example
config = {
    "signed_updates": True,
    "secure_boot": False,
    "a_b_partitioning": True,
    "anti_rollback": False
}
updater = SecureUpdateMechanism()
issues = updater.check_update_readiness(config)
for issue in issues:
    print(issue)

Mitigation:

Code signing with hardware-anchored keys
Encrypted update payloads
Anti-rollback protection
Atomic updates (A/B partitioning)
Update server authentication

IOT5: Use of Insecure or Outdated Components

# Check firmware for outdated libraries (example with Binwalk)
binwalk -Me firmware.bin

# Extract filesystem and check library versions
# Look for:
# - BusyBox < 1.35 (known CVEs)
# - OpenSSL < 1.1.1 (TLS 1.3 not supported)
# - Dropbear SSH < 2022.82
# - SQLite < 3.40

IOT6: Insufficient Privacy Protection

IOT devices collect massive amounts of personal data. Requirements:

Data minimization (collect only what’s needed)
Clear privacy notice
User control over data collection
Data encryption at rest and transit
Secure data deletion on device decommissioning

IOT7: Insecure Data Transfer and Storage

# iot_data_security.py — IoT data protection patterns

class IoTDataSecurity:
    """Data protection patterns for IoT devices."""

    @staticmethod
    def secure_iot_protocols() -> dict:
        """Recommended protocols vs insecure alternatives."""
        return {
            "messaging": {
                "insecure": "MQTT without TLS (default port 1883)",
                "secure": "MQTT over TLS (port 8883) with client certificates"
            },
            "communication": {
                "insecure": "Zigbee without encryption key",
                "secure": "Zigbee 3.0 with APS encryption + Trust Center"
            },
            "local_network": {
                "insecure": "CoAP over UDP (no encryption)",
                "secure": "CoAP over DTLS (CoAPs)"
            },
            "cloud": {
                "insecure": "HTTP API without auth",
                "secure": "HTTPS with OAuth 2.0 or mutual TLS"
            },
            "storage": {
                "insecure": "Plaintext config files on flash",
                "secure": "Encrypted flash with TPM-backed keys"
            }
        }

    @staticmethod
    def check_protocol_security(device_protocols: list[str]) -> list[str]:
        """Check if IoT device uses secure protocols."""
        issues = []
        insecure_protocols = ["mqtt://", "http://", "coap://", "telnet://"]
        for protocol in device_protocols:
            for insecure in insecure_protocols:
                if protocol.startswith(insecure):
                    issues.append(f"Insecure protocol: {protocol}")
        return issues

IOT8: Lack of Device Management

Missing Feature	Impact	Solution
No inventory tracking	Unknown devices on network	IoT asset management system
No monitoring	Can’t detect compromised devices	Network behavior monitoring
No decommissioning	Config data persists after removal	Factory reset with secure erase
No remote disable	Can’t quarantine compromised devices	Cloud-based device management

IOT9: Insecure Default Settings

Common insecure defaults:

Default passwords (admin/admin)
Open network ports
Debug interfaces enabled (UART, JTAG)
Cloud connectivity enabled by default
No encryption
Permissive firewall rules

Fix: Ship devices in “secure by default” mode — require user to explicitly enable features rather than disable them.

IOT10: Lack of Physical Hardening

Physical attacks on IoT devices:

UART access — console access via serial pins
JTAG/SWD — debug interface for reading firmware
Flash desoldering — direct memory access
Side channel — power analysis, timing attacks

Mitigation:

Disable debug interfaces in production
Encrypt flash contents
Use secure enclaves for key storage
Tamper detection switches
Potting (encapsulating chips in epoxy)

Firmware Analysis Basics

# Step 1: Identify firmware file
file firmware.bin

# Step 2: Extract filesystem
binwalk -Me firmware.bin

# Step 3: Examine extracted filesystem
ls _firmware.bin.extracted/
cat _firmware.bin.extracted/etc/passwd   # Check for hardcoded accounts
cat _firmware.bin.extracted/etc/shadow   # Check for password hashes
grep -r "password\|secret\|token" . --include="*.conf" --include="*.py" --include="*.sh"

# Step 4: Check for default credentials
grep -r "admin" _firmware.bin.extracted/etc/ --include="*" 2>/dev/null

# Step 5: Check for hardcoded certificates/keys
find _firmware.bin.extracted/ -name "*.pem" -o -name "*.key" -o -name "*.crt"

# Step 6: Install outdated libraries
strings firmware.bin | grep -i "openssl\|libcurl\|busybox" | head -10

IoT Security Architecture

    flowchart TD
  subgraph "IoT Network Segmentation"
    IOT[IoT Devices] --> IoT_GW["IoT VLAN (10.0.10.0/24)"]
    IoT_GW --> FW[Firewall]
    FW --> INTERNET[Internet/Cloud]
    MAIN[Main Network] --> FW
    FW --> DMZ[DMZ]
  end
  subgraph "Security Controls"
    FW --> IDS[IDS/IPS]
    FW --> LOG[Logging/SIEM]
    FW --> VLAN["VLAN ACLs: Block IoT→Main"]
  end

Network segmentation best practices:

Place IoT devices on isolated VLAN
Block IoT→internal network traffic
Only allow IoT→internet via monitored proxy
Use separate SSID for IoT Wi-Fi
Apply per-device firewall rules

Common IoT Security Mistakes

1. Leaving Default Credentials

Default “admin/admin” credentials are the #1 cause of IoT compromise. Always change them.

2. Placing IoT Devices on the Main Network

IoT devices should be on a separate VLAN. A compromised camera should not have access to your laptop.

3. Never Updating Firmware

Most IoT devices have security patches available — but owners never apply them. Enable auto-update when available.

4. Ignoring Physical Security

Anyone with physical access to an IoT device can extract the firmware via UART or JTAG. Physically secure critical devices.

5. Using Insecure Protocols

MQTT without TLS, HTTP instead of HTTPS, Telnet instead of SSH. These are trivially intercepted.

6. No Inventory of Devices

You can’t secure what you don’t know about. Maintain an inventory of all IoT devices, their firmware versions, and network locations.

7. Trusting Cloud Dependencies

IoT devices often depend on cloud services. When the cloud service is breached or shuts down, the device may become insecure or non-functional.

Practice Questions

1. What is the #1 vulnerability in IoT devices according to OWASP?

Weak, guessable, or hardcoded passwords (IOT1). Default credentials like “admin/admin” are still the most common IoT security issue.

2. Why can’t IoT devices run traditional antivirus software?

Limited CPU, RAM, and storage — most IoT devices use low-power microcontrollers that can’t support full antivirus suites. Security must be built into the device from the start.

3. What is A/B partitioning and why is it important for IoT updates?

A/B partitioning has two firmware partitions. The device runs from partition A while updating partition B. If the update fails, the device boots from the working partition. This prevents bricking.

4. Why should IoT devices be on a separate VLAN?

To limit the blast radius. If a smart camera is compromised, the attacker should not have network access to workstations, servers, or other sensitive devices.

5. Challenge: Design an IoT security policy for a smart building with 200 sensors.

Include: network segmentation, default credential change on installation, firmware update schedule (monthly), monitoring with SIEM, vulnerability scanning quarterly, incident response plan for IoT breaches.

Mini Project: IoT Security Scanner

# iot_security_scanner.py
# Basic IoT device security assessment

class IoTSecurityScanner:
    """Scan IoT device configurations for security issues."""

    def __init__(self, device_name: str):
        self.device_name = device_name
        self.findings = []

    def check_password(self, password: str):
        """Check password strength and defaults."""
        defaults = ["admin", "password", "1234", "root", "default"]
        if password in defaults:
            self.findings.append({
                "check": "Default Password",
                "severity": "CRITICAL",
                "detail": f"Password '{password}' is a known default"
            })
        elif len(password) < 12:
            self.findings.append({
                "check": "Password Length",
                "severity": "HIGH",
                "detail": f"Password is {len(password)} chars (min 12 recommended)"
            })

    def check_protocols(self, protocols: list[str]):
        """Check for insecure protocols."""
        insecure = {"telnet": 23, "ftp": 21, "http": 80, "mqtt": 1883}
        for proto in protocols:
            if proto in insecure:
                self.findings.append({
                    "check": f"Insecure Protocol: {proto}",
                    "severity": "HIGH",
                    "detail": f"Port {insecure[proto]} — use encrypted alternative"
                })

    def check_update_mechanism(self, supports_updates: bool, signed: bool):
        """Check update mechanism."""
        if not supports_updates:
            self.findings.append({
                "check": "No Update Mechanism",
                "severity": "CRITICAL",
                "detail": "Device has no way to receive security patches"
            })
        elif not signed:
            self.findings.append({
                "check": "Unsigned Updates",
                "severity": "HIGH",
                "detail": "Firmware updates are not cryptographically verified"
            })

    def check_physical_ports(self, uart_enabled: bool, jtag_enabled: bool):
        """Check physical debug interfaces."""
        if uart_enabled:
            self.findings.append({
                "check": "UART Console Enabled",
                "severity": "MEDIUM",
                "detail": "Serial console accessible — potential for physical attacks"
            })
        if jtag_enabled:
            self.findings.append({
                "check": "JTAG Debug Interface",
                "severity": "HIGH",
                "detail": "Debug interface can be used to extract firmware and keys"
            })

    def report(self) -> dict:
        """Generate security assessment report."""
        by_severity = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0, "LOW": 0}
        for f in self.findings:
            by_severity[f["severity"]] += 1

        return {
            "device": self.device_name,
            "total_findings": len(self.findings),
            "by_severity": by_severity,
            "score": max(0, 100 - (by_severity["CRITICAL"] * 25 +
                                   by_severity["HIGH"] * 10 +
                                   by_severity["MEDIUM"] * 5)),
            "findings": sorted(self.findings, key=lambda x: x["severity"])
        }

# Example assessment
scanner = IoTSecurityScanner("Smart Camera v2.1")
scanner.check_password("admin")
scanner.check_protocols(["http", "mqtt", "rtsp"])
scanner.check_update_mechanism(True, False)
scanner.check_physical_ports(True, False)
result = scanner.report()
print(f"\n=== IoT Security Assessment: {result['device']} ===")
print(f"Security Score: {result['score']}/100")
print(f"Findings: {result['total_findings']} "
      f"(Critical: {result['by_severity']['CRITICAL']}, "
      f"High: {result['by_severity']['HIGH']})")
for f in result['findings']:
    print(f"  [{f['severity']:8}] {f['check']}: {f['detail']}")

FAQ

Are IoT devices inherently insecure?

Many are — they’re designed for low cost and functionality, not security. However, security is improving with regulations like the EU Cyber Resilience Act and IoT Security Foundation standards.

How do I secure IoT devices at home?

Change default passwords, put IoT devices on a separate Wi-Fi network (guest network), disable features you don’t use (UPnP, WPS, remote access), check for firmware updates monthly, and buy from manufacturers with good security track records.

What is the Mirai botnet?

A notorious IoT botnet (2016) that infected cameras and routers with default credentials. It launched massive DDoS attacks against DNS provider Dyn, taking down Twitter, Netflix, and Reddit. It showed the world how dangerous insecure IoT devices can be.

Can IoT devices be used for physical attacks?

Yes — compromised smart locks, building access systems, medical devices, and industrial controllers can cause physical harm. This is why IoT security is a safety issue, not just a data issue.

What regulations exist for IoT security?

EU Cyber Resilience Act (2025), UK PSTI Act, California SB-327, and Singapore’s IoT labelling scheme. These require minimum security standards like no default passwords, security updates, and vulnerability disclosure.