By NHI Mgmt Group Editorial Team
Published 2023-09-07
Domain: Governance & Risk
Source: Keeper Security

TL;DR: IoT security weakens when connected devices rely on weak authentication, default settings, and poor update discipline, leaving homes and businesses open to unauthorized access, cross-device compromise, and DDoS abuse, according to Keeper Security. The identity lesson is simple: every connected device behaves like a non-human identity with its own trust boundary, lifecycle, and attack surface.


At a glance

What this is: This is a practical overview of IoT security and the ways insecure connected devices become entry points for compromise, data theft, and network disruption.

Why it matters: It matters because IoT devices expand the identity and access surface, forcing IAM, NHI, and security teams to treat each device as a governed access path rather than a harmless endpoint.

By the numbers:

👉 Read Keeper Security's guide to IoT security risks and device protection


Context

IoT security is the discipline of protecting connected devices and the networks they join from unauthorized access, data theft, and abuse. The core identity problem is that every smart device introduces another trust boundary, and many of those devices ship with weak authentication, default settings, or poor update hygiene.

For IAM and security teams, the important issue is not the device category itself but the access it creates. A camera, thermostat, wearable, or medical sensor can become a foothold into the wider network if its credentials, network exposure, or administrative controls are weak.

That is why IoT governance starts looking like NHI governance in practice: short-lived devices, persistent credentials, limited visibility, and a need to control lifecycle as much as connectivity. The article’s baseline assumption is typical, not exceptional, because most environments accumulate connected devices faster than they mature controls.


Key questions

Q: How should security teams secure IoT devices in enterprise environments?

A: Start by treating each device as a governed identity with unique credentials, restricted network reach, and a defined owner. Then segment IoT traffic, enforce patch discipline, and remove shared access that lets one compromised device become a reusable foothold. The goal is to reduce identity blast radius, not just to harden endpoints.

Q: Why do weak IoT credentials increase lateral movement risk?

A: Weak credentials make it easy for an attacker to turn one device into a trusted network entry point. Once inside, the attacker can reuse that access to reach other devices or services that share the same network, admin patterns, or trust assumptions. That is why credential uniqueness and segmentation matter together.

Q: What do organisations get wrong about IoT security?

A: They often focus on device features while ignoring the access model behind the device. In practice, the biggest failures come from default passwords, poor update discipline, and unclear ownership. If the organisation cannot answer who manages the device and how its access is revoked, the security model is already weak.

Q: What should teams do when an IoT device is no longer needed?

A: Remove it from the network, revoke its credentials, wipe or reset it according to policy, and update the inventory so the device no longer counts as a trusted access path. Offboarding matters because forgotten devices can keep old trust and network reach long after their purpose has ended.


Technical breakdown

Weak authentication on IoT devices

IoT devices often rely on default passwords, shared credentials, or simple login flows that are easy to guess or reuse. Once an attacker authenticates to a single device, the device becomes a valid access path into the environment rather than just a gadget on the network. That matters because identity is now attached to hardware, not just users. The result is a control problem, not just a device problem: access scope, credential uniqueness, and administrative reach determine whether compromise stays local or spreads across the network.

Practical implication: inventory every device account and replace default or shared credentials with unique identities and enforced admin controls.

How IoT devices become lateral movement paths

Compromised IoT devices can be folded into botnets or used as staging points for cross-device attacks. In that model, the device does not need to be valuable on its own. It only needs enough network reach, trust, or unmanaged connectivity to let an attacker move laterally. This is why segmentation matters. A camera or thermostat should not be able to reach systems that hold sensitive data, and its identity should not grant broad access just because it sits on the same network as work devices.

Practical implication: segment IoT networks from business systems and remove unnecessary east-west access between connected devices.

Why updates and physical security are identity controls

Outdated firmware, unpatched services, and exposed physical ports all widen the attack surface of IoT identities. If a device can be tampered with, reset, or reconfigured in person, the attacker can bypass remote controls entirely. Similarly, missed updates leave known vulnerabilities open long after vendors have published fixes. In IoT environments, patching and tamper resistance are not secondary hygiene tasks. They are part of identity assurance, because they determine whether the device still deserves the trust the network gives it.

Practical implication: enforce update SLAs, verify patch status continuously, and secure devices physically wherever they are deployed.


Threat narrative

Attacker objective: The attacker wants to turn a low-trust connected device into a reusable foothold for theft, disruption, or broader network compromise.

  1. Entry occurs when an attacker targets an exposed IoT device through weak authentication, default passwords, or an unprotected network service.
  2. Escalation follows when the compromised device is used to reach other systems on the same network or is added to a botnet for repeated abuse.
  3. Impact comes through data theft, identity theft, service disruption, or DDoS traffic that overloads the victim’s network or internet-facing services.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

IoT devices should be treated as non-human identities, not passive endpoints. The article’s real security lesson is that each connected device carries its own authentication, authorization, and lifecycle burden. That makes IoT a governance problem as much as a device-hardening problem. Practitioners should stop thinking about devices as inventory and start treating them as access-bearing identities.

Weak IoT authentication is a standing-privilege problem in disguise. Default passwords, shared credentials, and static access settings give devices more enduring trust than they deserve. Once one device is compromised, the attacker often inherits a stable path into the environment. That is the same structural failure identity teams see in over-provisioned service accounts: access persists longer than its intended purpose, so containment becomes harder than prevention.

Identity blast radius is the right name for IoT risk. A single compromised sensor, camera, or wearable can expose an outsized amount of network reach when segmentation is weak and administrative settings are loose. The issue is not device count alone. It is how far one device identity can move, observe, or disrupt once trusted by the network. Practitioners should design controls around blast radius, not just device hygiene.

IoT governance now overlaps with NHI lifecycle discipline. Devices that remain connected after they are no longer needed create the same offboarding failure pattern seen in machine identity sprawl. If the device is forgotten, its credentials, firmware, and network trust can outlive the business reason for deployment. The implication is that lifecycle control, not just monitoring, is required to prevent silent accumulation of risk.

Human remote-work assumptions leak into IoT risk models. The article notes that unsecured home devices can expose work devices on the same network, which means personal and enterprise trust boundaries now intersect. That creates a governance gap between human identity, home connectivity, and machine access. Practitioners need policies that assume shared networks are part of the enterprise attack surface.

From our research:

  • Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging (37%) and over-privileged accounts (37%), according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows how quickly unmanaged access can outgrow governance.
  • For a broader breach lens, see 52 NHI Breaches Analysis for real-world examples of how identity exposure turns into lateral movement and impact.

What this signals

Identity programs will keep absorbing IoT until device trust is governed the same way machine trust is governed. That means owners, network zones, patch status, and revocation paths need to be visible in the same place as credentials and access scope. The teams that continue to separate endpoint management from identity governance will keep missing the access paths that actually matter.

Device sprawl creates the same hidden trust debt seen in NHI environments. The more connected devices an organisation accepts, the more it accumulates dormant credentials, forgotten admin access, and stale firmware risk. Practitioners should prepare for IoT governance to become a lifecycle and offboarding issue, not just a security hygiene issue.

As remote and hybrid work persist, home networks remain part of the enterprise attack surface. That changes policy design, because personal devices, IoT devices, and work devices can now share the same trust boundary. Teams should align IoT controls with NIST Cybersecurity Framework 2.0 and NIST SP 800-207 Zero Trust Architecture so segmentation and verification apply consistently.


For practitioners

  • Inventory every connected device identity: Build a complete register of IoT devices, their credentials, network location, owner, and business purpose so you can see which identities can authenticate and where they are allowed to connect.
  • Replace default and shared credentials: Assign unique passwords or keys to each device and remove any shared administrative access that makes one compromise reusable across multiple endpoints.
  • Segment IoT from sensitive systems: Place IoT devices on restricted network segments and block unnecessary routes to business applications, data stores, and administrative consoles.
  • Enforce patch and firmware update SLAs: Track update status continuously, apply security patches quickly, and quarantine devices that cannot be remediated within policy.
  • Lock down physical access and reset paths: Protect devices from tampering by using secured enclosures, limiting console access, and removing easy physical reset opportunities that bypass remote controls.
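The technical breakdown above and this checklist both come down to questions a device register should be able to answer: is the credential unique, is there an owner, is the firmware inside the patch SLA, can the device reach segments it has no business reaching, and has a retired device actually been offboarded? The following audit script is an added example, not code from Keeper Security or NHI Mgmt Group. The register format, the field names, the policy thresholds, and the sample devices are all constructed for illustration; credentials are represented only by an opaque fingerprint so the register itself never holds a secret.

```python
"""Audit a constructed IoT device register for identity-governance gaps.

Added example; the register layout, field names, policy values and
device entries below are assumptions made for illustration.
"""
from collections import Counter
from datetime import date

# Policy knobs (assumed values).
PATCH_SLA_DAYS = 30
# Which segments a device in a given segment may reach (assumed policy).
ALLOWED_REACH = {"iot": {"iot", "iot-collector"}}
# Fingerprints of vendor default credentials the team has catalogued (constructed).
KNOWN_DEFAULT_FINGERPRINTS = {"fp-default-admin-admin", "fp-default-root-12345"}
AS_OF = date(2023, 9, 7)  # fixed audit date so results are reproducible

# Constructed register: one entry per connected device identity.
# credential_fp is an opaque fingerprint of the stored secret, never the secret.
DEVICES = [
    {"id": "cam-01", "kind": "camera", "owner": "facilities", "status": "active",
     "segment": "iot", "reaches": {"iot", "iot-collector"},
     "credential_fp": "fp-7d1a", "firmware_date": date(2023, 8, 20)},
    {"id": "cam-02", "kind": "camera", "owner": "facilities", "status": "active",
     "segment": "iot", "reaches": {"iot", "business"},
     "credential_fp": "fp-7d1a", "firmware_date": date(2023, 3, 1)},
    {"id": "therm-01", "kind": "thermostat", "owner": "", "status": "active",
     "segment": "iot", "reaches": {"iot"},
     "credential_fp": "fp-default-admin-admin", "firmware_date": date(2023, 8, 30)},
    {"id": "sensor-09", "kind": "medical-sensor", "owner": "clinical", "status": "retired",
     "segment": "iot", "reaches": {"iot", "admin"},
     "credential_fp": "fp-91cc", "firmware_date": date(2023, 7, 1)},
]


def audit(devices, as_of=AS_OF, sla_days=PATCH_SLA_DAYS):
    """Return {device_id: [finding, ...]} for every device with at least one gap."""
    fp_count = Counter(d["credential_fp"] for d in devices)
    findings = {}
    for d in devices:
        gaps = []
        # Weak authentication: vendor default or a credential reused across devices.
        if d["credential_fp"] in KNOWN_DEFAULT_FINGERPRINTS:
            gaps.append("default-credential")
        if fp_count[d["credential_fp"]] > 1:
            gaps.append("shared-credential")
        # Ownership: nobody accountable means no revocation path.
        if not d["owner"]:
            gaps.append("no-owner")
        # Update discipline: firmware older than the SLA window.
        if (as_of - d["firmware_date"]).days > sla_days:
            gaps.append("patch-sla-breached")
        # Segmentation: reach beyond what the device's segment is allowed.
        allowed = ALLOWED_REACH.get(d["segment"], {d["segment"]})
        overreach = d["reaches"] - allowed
        if overreach:
            gaps.append("segment-overreach:" + ",".join(sorted(overreach)))
        # Offboarding: retired devices must have no credential and no reach left.
        if d["status"] == "retired" and (d["credential_fp"] or d["reaches"]):
            gaps.append("not-offboarded")
        if gaps:
            findings[d["id"]] = gaps
    return findings


def blast_radius(devices):
    """Number of segments each device can reach; more reach means wider lateral movement if compromised."""
    return {d["id"]: len(d["reaches"]) for d in devices}


def quarantine_candidates(findings):
    """Devices that policy says should be isolated until remediated (assumed rule)."""
    return sorted(dev for dev, gaps in findings.items()
                  if "patch-sla-breached" in gaps or "default-credential" in gaps)


if __name__ == "__main__":
    report = audit(DEVICES)
    radius = blast_radius(DEVICES)
    for dev, gaps in report.items():
        print(f"{dev} (reaches {radius[dev]} segments): {', '.join(gaps)}")
    print("quarantine:", ", ".join(quarantine_candidates(report)))
```

Run against the constructed register, the script flags the two cameras for sharing one credential, the thermostat for a vendor default and a missing owner, and the retired sensor for still holding a credential and a route into the admin segment. The quarantine list is driven by the same findings, which is the point: the register, not the device's features, decides whether it keeps the trust the network gives it.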

Key takeaways

  • IoT security failures are identity failures when devices rely on weak authentication, default access, and unclear ownership.
  • Compromised connected devices can expose the wider network through lateral movement, data theft, and DDoS abuse.
  • Practitioners should manage IoT devices as access-bearing identities, with segmentation, rotation, patching, and offboarding controls.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | IoT access needs least-privilege assignment and boundary control.
NIST Zero Trust (SP 800-207) | PR.AC-1 | IoT traffic should be continuously verified rather than trusted by network location.
OWASP Non-Human Identity Top 10 | NHI-03 | Default or unrecycled device credentials mirror NHI rotation failures.

Track device credentials as non-human identities and rotate them on a defined schedule.


Key terms

  • IoT security: IoT security is the practice of protecting connected devices, their credentials, and the networks they join. It covers access control, patching, segmentation, and monitoring so a device cannot be used as an easy entry point into wider systems.
  • Device identity: Device identity is the set of credentials, trust relationships, and access permissions assigned to a connected device. For IoT, that identity must be unique, revocable, and scoped tightly because the device can authenticate to networks and services just like other non-human identities.
  • Attack surface: Attack surface is the total set of ways an attacker can interact with a system. In IoT environments, it includes exposed services, default settings, unpatched firmware, physical access points, and any network path that lets one device reach another.
  • Network segmentation: Network segmentation is the separation of systems into restricted zones so compromise in one area does not automatically expose the rest. For IoT, it limits how far a compromised device can move and reduces the blast radius of weak or stolen device credentials.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or operational governance, it is worth exploring.

This post draws on content published by Keeper Security: What Is IoT Security? Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2023-09-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org