IoT security: identifying and closing security gaps

IoT security has become business-critical: In modern companies, more and more devices are communicating with each other in real time. But the greater the level of connectivity, the larger the attack surface – because every IoT device represents a potential entry point into the corporate network. According to The State of IoT Security 2023 report by Forrester Research , IoT devices were the most common target of external attacks last year.

For businesses in particular, security gaps can have serious consequences, such as unexpected production downtimes or severe data protection violations. Find out here which typical IoT security vulnerabilities can arise – and how you can effectively protect your systems.

Internet of Things security encompasses all technical and organisational measures designed to protect connected devices and their communication pathways from unauthorised access. These include, for example, encrypted data transmission, device authentication and the targeted isolation of sensitive network segments.

Unlike traditional IT security, IoT security takes into account not only servers and software but also physical components such as machines, sensors or vehicles. As many of these devices cannot be centrally managed or regularly updated, conventional protective measures often reach their limits.

The goal of IoT security is to protect internet-enabled devices, their data flows and the underlying infrastructure from threats effectively. A comprehensive security strategy therefore forms the essential foundation for the successful and trustworthy use of IoT in business.

The number of connected devices is growing rapidly: According to a 2022 study by the Ponemon Institute , the average company already manages around 135,000 endpoints. This sheer volume presents major security challenges. One of the greatest challenges is ensuring full visibility and control over all deployed IoT devices. Without comprehensive knowledge of their own infrastructure, companies often fail to detect security gaps – and cannot close them effectively. Especially in complex environments with multiple locations or externally integrated devices, this creates a risky security gap. To protect IoT systems effectively, businesses require an advanced understanding of network security and complete transparency of all active components.

Many of these devices also come from different manufacturers with varying security standards. In addition, many IoT devices communicate via standard internet protocols such as TCP/IP – protocols that were not originally designed to meet today's security requirements. This makes robust IT security for TCP and IoT networks  even more important, as it must also secure these fundamental communication channels.

In practice, typical security vulnerabilities often arise from a lack of basic protective measures. These include:

• Default passwords: Devices with preset login credentials (e.g. “admin/admin”) are a common entry point and pose a significant security risk, especially when used in large numbers.
• Unencrypted communication: Many IoT devices transmit sensitive data without encryption. Without end-to-end encryption, manipulation and data theft are easily possible.
• Lack of update capability: Some devices cannot be updated or receive no manufacturer updates, leaving known IoT security vulnerabilities unresolved.
• Low hardware security: To save costs, some devices include only minimal security features. Missing TPMs, open interfaces or unsecured storage areas make them more vulnerable to attacks.

• DNS vulnerabilities: IoT devices often use DNS systems that are susceptible to spoofing, DDoS attacks and DNS tunnelling.
• IoT botnets: Unprotected devices are frequently recruited into botnets and misused for DDoS attacks.
• Ransomware attacks: IoT devices are increasingly used as entry points for ransomware attacks, where data can be encrypted or sensitive information stolen.
• Insecure MQTT connections: MQTT is a commonly used protocol in IoT environments, enabling fast and lightweight data transfer – but it poses security risks if operated without encryption or authentication. Without proper protection, attackers can intercept, manipulate or inject messages.

• Lack of transparency and shadow IoT: Without full visibility of all IoT components, vulnerabilities cannot be identified or addressed. Shadow IoT devices that are not officially managed fall completely outside of control.
• Physical manipulation: In many industries, IoT devices are freely accessible and therefore prone to direct access, data theft or tampering.
• Insufficient monitoring: Without real-time monitoring, suspicious activities often go unnoticed for a long time – increasing the risk.
• Missing end-to-end encryption strategy: Without a consistent encryption approach, devices remain exposed to attacks.

An effective IoT security strategy combines technical measures and binding standards at all levels – from the device to the cloud. The following best practices help close vulnerabilities systematically:

• Strong passwords and access protection: Avoid default passwords. Instead, use complex and regularly updated credentials, supported by two-factor authentication or role-based access rights.
• Network segmentation: Operate IoT devices in separate network segments (VLAN or dedicated mobile network) to contain potential attacks.
• Certified devices: Use standards like ETSI EN 303 645 as well as test specifications and conformity assessments from the BSI to ensure high-quality, secure components.
• Complete inventory of all IoT components: Maintain a full list of devices to enable targeted monitoring and protection.
• End-to-end encryption: Encrypt data both during transmission and on the devices themselves.
• Automated monitoring and vulnerability scans: Real-time monitoring and automated scans enable rapid detection and mitigation of risks.
• Conduct regular security audits: Technical audits and penetration tests help identify vulnerabilities early and monitor security performance continuously.
• Establish awareness and training: Raise employee awareness through regular training sessions to reduce risks in handling IoT devices.
• Protect against physical access: Measures such as robust housings with tamper protection or restricted physical access help secure exposed devices.
• Implement security governance: Clear responsibilities, binding policies and regular training form the foundation of a sustainable IoT security strategy.

The more extensively businesses use IoT technologies, the more crucial it becomes to secure them. A single compromised device can jeopardise entire processes. IoT security must therefore be an integral part of every digital strategy. Companies that adopt clear standards, secure architectures and certified components early on will gain a long-term competitive advantage.

Telekom offers the right infrastructure solutions for this purpose – including powerful IoT connectivity via mobile networks and scalable, secure networking solutions.