What Security or Other Risks Might You Encounter With IoT?

IoT devices introduce a surprisingly wide range of risks, from weak passwords and data harvesting to physical safety threats and devices that stop working entirely when a manufacturer shuts down its servers. With roughly 22 billion IoT devices projected to be connected worldwide by 2026, these risks affect nearly everyone who owns a smart speaker, connected thermostat, fitness tracker, or internet-enabled appliance.

Weak Passwords and Insecure Defaults

The single most common IoT vulnerability is weak, guessable, or hardcoded passwords. Many devices ship with default credentials like “admin/admin” that users never change, and some have passwords baked into their firmware that can’t be changed at all. Attackers use automated tools to try thousands of common passwords per minute, and a device with a default login is typically compromised within hours of being connected to the internet.

Insecure default settings go beyond passwords. Many devices arrive with unnecessary network services running, remote access enabled, or encryption turned off. If you can’t modify these configurations, the device remains vulnerable for its entire lifespan. The OWASP Internet of Things project ranks these two issues (weak passwords and insecure defaults) among the top ten IoT security risks for good reason: they’re the easiest for attackers to exploit and the most common across product categories.

Data Privacy and Unauthorized Collection

IoT devices collect far more personal data than most people realize. A smart speaker records voice clips. A fitness tracker logs your location, heart rate, and sleep patterns. A connected doorbell captures video of everyone who approaches your home. This data often flows to cloud servers where it may be shared with third parties, sometimes without meaningful user consent.

The types of data at risk go well beyond your name and email address. Research into IoT privacy risks has categorized exposed personal information into four layers: what you know (your name, address, security answers), what you have (credit card numbers, government IDs), what you are (biometrics like fingerprints or facial geometry), and what you do (location patterns, browsing habits, shopping behavior). That last category is especially valuable to data brokers and especially difficult to protect, because IoT devices generate it passively just by being turned on.

Unauthorized data access is widespread in the app ecosystems that control IoT devices. Studies have found extensive unauthorized data collection in mobile apps, reaching beyond basic identifiers into geolocation and personal health information. Third-party software libraries embedded in these apps can silently collect and leak data without the user or even the app developer being fully aware.

Unpatched Software and Missing Updates

Many IoT devices lack a secure update mechanism entirely. This means no way to validate that a firmware update is legitimate, no encryption protecting the update during download, and no notification when a security patch becomes available. Some devices simply never receive updates after they’re sold.

Even when updates exist, IoT products frequently rely on outdated or deprecated software components and libraries with known vulnerabilities. A smart camera running a five-year-old version of its operating system may have dozens of publicly documented security holes that any moderately skilled attacker can exploit. Unlike your phone or laptop, which prompts you to install updates regularly, most IoT devices sit on your network in whatever state they were in when you plugged them in.

Network Intrusion Through IoT Devices

One of the less obvious but more dangerous risks is that a compromised IoT device becomes a doorway into the rest of your network. Attackers don’t necessarily care about your smart lightbulb itself. They care that the lightbulb sits on the same network as your laptop, your phone, and your file server.

This technique is called lateral movement. Attackers compromise an edge device with weak security controls, then leverage its trusted position on the network to reach more valuable targets. In corporate environments, a compromised IoT sensor in a conference room can provide access to internal systems that would otherwise be protected by firewalls and authentication. In a home network, a vulnerable baby monitor or smart plug can expose every other device sharing that Wi-Fi connection. IoT devices are attractive entry points precisely because they’re often overlooked in security planning.

Physical Safety Threats

When IoT devices control physical systems, security failures can cause real harm. This risk is most acute in medical and industrial settings, but it extends to consumer products like smart locks, garage door openers, and connected vehicles.

During the COVID-19 pandemic, cyberattacks against medical IoT devices caused ambulances to be rerouted, radiation treatments for cancer patients to be delayed, and medical records to be encrypted or permanently lost. Hackers have demonstrated the ability to take control of medical devices, alter their configurations, and effectively turn them into weapons. Consider what happens if an attacker changes the readings on a connected glucose monitor or pulse oximeter by even a small amount: clinicians relying on that data could recommend wrong medication dosages with potentially fatal consequences.

In smart homes, the stakes are lower but still meaningful. A compromised smart lock can grant physical access to your house. A hacked thermostat could disable heating in winter. Connected smoke detectors that lose their cloud connection might fail to send alerts.

Devices Bricked by Cloud Shutdowns

Beyond security threats, IoT devices carry a risk that’s unique to connected products: they can stop working when the manufacturer decides to shut down the cloud service they depend on. This has happened repeatedly across major brands.

In 2022, the home automation company Insteon collapsed and shut down its cloud servers without warning, leaving customers across the U.S. and Canada with switches, lamps, and thermostats that suddenly did nothing. Amazon discontinued its Echo Connect after roughly seven years on the market. Apple’s original HomePod speakers lasted from 2018 to 2021. When Vorwerk shut down the Neato cloud service for its robot vacuums, recently purchased hardware overnight lost the ability to schedule cleanings, remember room maps, or respect no-go zones. The vacuums still technically worked, but only as “dumb” machines you start by pressing a button.

German network equipment maker Devolo announced the end of its Home Control product line, with app support for radiator thermostats, motion sensors, and smart plugs ceasing by the end of 2025. In every case, functioning hardware became electronic waste because the cloud it depended on disappeared. This is a risk unique to IoT: you don’t truly own a device if it requires a server you don’t control.

Lack of Device Management Over Time

Most people install an IoT device and forget about it. That’s a problem because these devices need ongoing management: monitoring for unusual behavior, applying updates, tracking which devices are still on your network, and securely wiping devices before disposing of them. Few consumer IoT products provide tools for any of this.

Without proper device management, you may not know when a device has been compromised, when its software has reached end of life, or when it’s communicating with servers it shouldn’t be. In a household with a dozen or more connected devices (which is increasingly common), this lack of visibility creates a growing blind spot in your home security.
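The three blind spots named above (a device that has quietly reached end of life, one talking to servers it shouldn't be, and one you didn't know was on the network) can be closed with a small inventory audit. The following is an added example, not code from the article, written in Go. It assumes you keep an inventory keyed by MAC address that records each device's documented vendor endpoints and the vendor's stated support end date, and that you can export per-device connection logs from your router or DNS resolver in some simple line format; the log format, MAC addresses, hostnames and dates here are all constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Device is one entry in the owner's inventory: what the thing is, which
// vendor endpoints it is documented to talk to, and when vendor support ends.
type Device struct {
	Name         string
	AllowedHosts []string
	SupportEnds  time.Time
}

// Finding is one item the audit wants a human to look at.
type Finding struct {
	MAC    string
	Kind   string // "unknown-device", "unexpected-host" or "end-of-support"
	Detail string
}

// Constructed inventory for this example; MACs, names and hostnames are made up.
var inventory = map[string]Device{
	"aa:bb:cc:dd:ee:01": {
		Name:         "living-room thermostat",
		AllowedHosts: []string{"api.thermo.example"},
		SupportEnds:  time.Date(2027, 1, 1, 0, 0, 0, 0, time.UTC),
	},
	"aa:bb:cc:dd:ee:02": {
		Name:         "kitchen smart plug",
		AllowedHosts: []string{"cloud.plug.example"},
		SupportEnds:  time.Date(2024, 12, 31, 0, 0, 0, 0, time.UTC),
	},
}

// Constructed log lines in a simple, made-up format:
// <RFC3339 time> <source MAC> <destination hostname> <bytes sent>
var sampleLog = []string{
	"2025-03-01T10:00:00Z aa:bb:cc:dd:ee:01 api.thermo.example 812",
	"2025-03-01T10:00:05Z aa:bb:cc:dd:ee:01 telemetry.unrelated.example 40960",
	"2025-03-01T10:00:09Z aa:bb:cc:dd:ee:02 cloud.plug.example 300",
	"2025-03-01T10:01:00Z aa:bb:cc:dd:ee:99 cloud.plug.example 512",
	"garbage", // a malformed line the audit must tolerate
}

func hostAllowed(allowed []string, host string) bool {
	for _, a := range allowed {
		if strings.EqualFold(a, host) {
			return true
		}
	}
	return false
}

// Audit cross-checks the inventory against observed traffic and the clock.
func Audit(inv map[string]Device, logLines []string, now time.Time) []Finding {
	var findings []Finding
	seen := map[string]bool{} // report each (device, kind, detail) only once
	add := func(mac, kind, detail string) {
		key := mac + "|" + kind + "|" + detail
		if !seen[key] {
			seen[key] = true
			findings = append(findings, Finding{MAC: mac, Kind: kind, Detail: detail})
		}
	}

	for _, line := range logLines {
		f := strings.Fields(line)
		if len(f) < 4 {
			continue // malformed line: skip it, never abort the audit
		}
		mac, host := strings.ToLower(f[1]), strings.ToLower(f[2])
		dev, known := inv[mac]
		if !known {
			add(mac, "unknown-device", "not in inventory, contacted "+host)
			continue
		}
		if !hostAllowed(dev.AllowedHosts, host) {
			add(mac, "unexpected-host", dev.Name+" contacted "+host)
		}
	}

	for mac, dev := range inv {
		if !now.Before(dev.SupportEnds) {
			add(mac, "end-of-support", dev.Name+" unsupported since "+dev.SupportEnds.Format("2006-01-02"))
		}
	}

	// Map iteration order is random; sort so output is deterministic.
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].MAC != findings[j].MAC {
			return findings[i].MAC < findings[j].MAC
		}
		return findings[i].Kind < findings[j].Kind
	})
	return findings
}

func main() {
	now := time.Date(2025, 3, 1, 12, 0, 0, 0, time.UTC)
	for _, f := range Audit(inventory, sampleLog, now) {
		fmt.Printf("%s  %-15s %s\n", f.MAC, f.Kind, f.Detail)
	}
}
```

Run against the constructed data, the audit reports the thermostat reaching out to an undocumented telemetry host, the smart plug being past its vendor support date, and an unrecognised MAC address on the network. The allowlist approach works because consumer IoT devices normally talk to a short, stable set of vendor endpoints, so anything outside that set is worth a look; a support end date in the inventory is exactly the information the Cyber Trust Mark label is meant to make available.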

How Regulations Are Catching Up

Governments are starting to address these risks through legislation. The EU’s Cyber Resilience Act, which takes effect in stages through 2026, introduces mandatory cybersecurity requirements for manufacturers covering the planning, design, development, and maintenance of connected products. Manufacturers will be required to handle vulnerabilities throughout a product’s lifecycle and report actively exploited vulnerabilities. Products deemed particularly relevant for cybersecurity will need third-party security assessments before being sold in the EU.

In the United States, the FCC’s Cyber Trust Mark program takes a labeling approach. Qualifying consumer IoT products will carry a mark accompanied by a QR code you can scan to see security information: how to change the default password, whether updates are automatic, how to configure the device securely, and the minimum support period before the manufacturer stops issuing patches. That last detail, the support end date, is something consumers have never had access to before and directly addresses the cloud shutdown problem.

These programs are still in early stages, and the vast majority of IoT devices currently on the market were built without these standards in mind. For now, the most practical steps you can take are changing default passwords immediately, placing IoT devices on a separate network from your computers and phones, checking whether your devices still receive security updates, and thinking carefully before buying products that depend entirely on a manufacturer’s cloud service to function.