With growing adoption rates of IoT devices, including cars, it seems like a clear priority for manufacturers should be to protect said products from threats looming out in the digital world. But when those cars get hacked so the doors won’t unlock or home broadband routers turn into botnet slaves, the security picture gets murky.
But why? Some of it is a given. Companies go bust or get acquired, resulting in forgotten product lines with no support. Meanwhile, the speed of development in IoT is so fast that shipping a product now is considerably more important than its security.
Thus, the IoT sector is rife with vulnerabilities. So where does its secure salvation lie? At the hands of its makers or proprietors? The answer is complex.
Key points of this article:
- The growing adoption of IoT devices drives an increase in vulnerabilities both in business and in home settings.
- Security updates, more than ever, are key in tackling said weak points. However, the patching schedules and policies of device makers are inconsistent, especially for smaller smart devices like smart cameras, doorbells, or automation hubs. While supplementing IoT security with dedicated solutions could work, choices outside of computers and phones are limited.
- Particularly dangerous are discontinued legacy devices that are still in use. Awareness of the dangers of their use is fundamental to personal security efforts.
- While regulations can elicit changes in company patching strategies, they won’t act retroactively, and their global reach could be questionable.
Vulnerabilities galore
Let’s get one thing straight: Security updates matter. In a world that’s seeing record-breaking findings of vulnerabilities per quarter (as many as 12,796 just for fourth-quarter 2025), every piece of vulnerable software or hardware should be patched in a timely manner; otherwise, users might expose confidential data that they would not want to share with bad actors.
Researchers have found that 1 in 4 (25%) high-risk vulnerabilities are exploited within a day of publication, a staggering number that doesn’t leave much time for security teams to act.
According to Forescout, the average number of IoT vulnerability risks has jumped from 6.53 to 9.1, representing a 33% year-over-year rise for the top 10 countries (including Spain, the U.K., and China), with the riskiest devices being computers (obviously), routers (over 50% of these have the most critical vulnerabilities), Voice-over-Internet Protocol (VoIP), and servers.
Don’t assume that IoT security is solely a home-level issue though. With network access points such as routers being heavily featured in the corporate sphere, as well as phones, laptops, tablets, or connected printers, businesses are also in potential danger.
Smarter cities, dangerous exposure
Urban infrastructure is also becoming chock-full of IoT devices. The privacy concerns of placing CCTV cameras around London pale in comparison to what’s being implemented these days. Cameras now use AI to identify residents, cities are implementing public Wi-Fi spots to reimagine the use of public spaces, public transport is full of connected payment terminals, and much more in a quest to improve the quality of services and citizens’ lives.
However, connectivity implies exposure, so the smarter our cities get, the more dangerous they might become. Just imagine what threat actors could do with access to AI-powered surveillance cameras whose feeds are just out there on the internet, unprotected.
Devices in danger
With such a high degree of risk associated with these devices, one would think that they’d be properly protected, and in some cases they are. In particular, responsible vendors, among them phone manufacturers such as Apple or Samsung, focus on device security with years of promised updates (in fact, the iPhone 5s released in 2013 received a security update in 2026!). Google now also promises seven years of security for its Pixel line of phones.
However, phones only represent a part of the IoT segment, and they’re usually equipped with additional security modules or software like ESET Mobile Security for Android, which can provide another layer of protection against threats like malicious apps.
By contrast, smart cameras, doorbells, speakers, or home automation hubs might not share such transparent update policies, or even consistent updates. Security solutions for all things smart are also scarce, with only some, like solutions for TVs, being somewhat prominent. All in all, due to the diversity of IoT electronics, their update frequency can be spotty at best, and their security records even worse.
Of note are also discontinued, or legacy, devices, which people tend to use even after their sales/update periods have ended, but that’s more of an awareness problem than something related to manufacturer care (with some caveats, to be discussed later).
What makes the legacy device situation worse is how easily these devices can be exploited by bad actors, who can then snoop on their unsuspecting owners.
Why are IoT devices so vulnerable?
Let’s start with some low-hanging fruit — the caveat mentioned previously: discontinued devices that are still in use.
Technically, there is no rule saying that manufacturers should provide security updates indefinitely, since keeping the tools and knowledge necessary for perhaps tens or hundreds of different products and lines might cost quite a lot of money.
Innovation is expensive, so vendors must balance ongoing maintenance with investing in new R&D—often nudging users to upgrade as a “can’t hurt to ask” strategy. Meanwhile, some older devices can, at best, survive thanks to the efforts of open‑source developers.
Furthermore, a company that ceases its operations will hardly keep providing updates unless a potential successor deems the older devices worthy of long-term support.
It’s also true that IoT devices have a small computational footprint (relatively speaking), and as a result, they rarely incorporate good security. However, all this together does not excuse short update periods, inconsistently pushed updates, or worse, devices requiring manual flashing, which few consumers outside the IT sphere would be accustomed to. Putting the onus on freelance contributors and consumers is not a very brand-trust-building move.
Where are those IoT updates?
Another point to consider is that even if those updates are out there, finding them might be problematic. Sure, some devices are updated automatically without any manual action necessary, but since even that measure can fail sometimes, it’s a good idea to periodically check software release notes on a manufacturer’s page to see whether you have the latest update available. Additionally, whenever purchasing an IoT device, do a bit of research and verify the intended support window. You really don’t want to run out of security in a year.
Unsecure by design
The challenge is that security is often seen as just an afterthought for IoT devices. Manufacturers focus on simplicity and usability while keeping the costs down, and continuous support might be an overhead that presents a low return on investment. Why continue investing in an old product when you can sell a new one with better technology (exceptions exist, of course) at a higher cost?
However, regulatory bodies are taking notice. In the European Union, the NIS2 Directive and the EU Data Act focus on cybersecurity-related matters, calling for better data risk management. This is in part due to high-profile incidents in the past involving IoT products such as connected cameras, which allowed hackers to peer into people’s homes.
Will these regulations bring about profound change? Perhaps. But there are about 15 billion IoT devices in the world, and the EU only represents a fraction of them. The chances for a drastic change might be slim, but maybe the Brussels Effect will turn up in this case as well.
How to take care of IoT security
There are two sides to how IoT security should be maintained:
- Manufacturers: Provide clear, transparent timelines for the period during which devices will be updated, with an emphasis on making customers aware of why said updates are necessary. This should go hand in hand with highly regular updates that are easy to apply.
- Consumers: Try to purchase products that check off all the above-mentioned criteria. An emphasis on transparent and timely security can save you a lot of headaches in the future. When possible, apply additional security solutions (such as for smart TVs, phones, or computers) to add a stronger safety net in case things go wrong.
In between the two, government regulations will likely fill in the necessary gaps or at least force the manufacturers to reassess their security standards. While we cannot hope for a considerable upgrade across the line on IoT security maintenance, with sustained demand for more secure devices and consumer awareness, certain things could possibly change for the better.