Connected devices operate in complex ecosystems that traditional security approaches often fail to protect. This is due, in part, to their unique characteristics: limited resources, extended lifespans, physical accessibility, and intricate supply chains. Together these create security challenges that are fundamentally different from those of conventional IT systems.
The number of IoT devices worldwide is projected to reach 32 billion by 2030, nearly tripling from the 9.7 billion connected devices in 2020. With explosive growth happening across consumer products, healthcare equipment, industrial systems, and critical infrastructure, the widespread use of interconnected technologies is introducing significant security threats and vulnerabilities.
As security risks escalate, regulatory bodies worldwide have responded with increasingly stringent compliance requirements. For manufacturers and organizations deploying connected devices, understanding these security challenges isn't merely a technical concern—it's becoming a critical regulatory obligation with serious business implications.
Connected devices face security challenges that stem from their fundamental characteristics. Unlike traditional computing systems, these devices often operate with significant constraints, which the following sections describe in turn.
Connected devices don't exist in isolation—they form complex ecosystems that interact with multiple networks, cloud services, mobile applications, and other devices. Unlike traditional IT systems, these devices often operate in constrained environments with limited processing power and memory, making them challenging to secure. Each connection point represents a potential entry for attackers.
Consider smart home environments, where a single vulnerability in a thermostat or doorbell camera could provide access to the entire home network. In healthcare, connected medical devices like infusion pumps or patient monitors may connect to hospital networks, potentially exposing sensitive systems to compromise if not properly secured. Industrial control systems face similar challenges, where connectivity between operational technology (OT) and information technology (IT) networks creates new attack pathways.
Modern connected devices rely heavily on a complex web of third-party components, libraries, and open-source software. This reliance on external components introduces significant security gaps that manufacturers may not even be aware of.
84% of codebases contain at least one open-source vulnerability, with the average codebase containing 595 dependencies.
The challenge extends beyond software components too. Hardware components sourced from multiple vendors, often with limited transparency into their security practices, further complicate the security picture. When vulnerabilities are discovered in these components, identifying affected devices and coordinating patches becomes tremendously difficult.
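The first step in the coordination problem just described is knowing which shipped components fall inside an advisory's affected version range. The following is an added example (not Finite State's code or any product's implementation) that cross-checks a CycloneDX-style SBOM against an advisory feed. The SBOM excerpt and the advisory entries are constructed sample data, the advisory IDs are placeholders rather than real CVEs, and only simple dotted numeric versions are handled.

```python
"""Check a CycloneDX-style SBOM against a list of advisories.

Added example; this is not Finite State code or any product's implementation.
The SBOM excerpt and the advisory entries are constructed sample data, and the
advisory identifiers are placeholders. Only simple dotted numeric versions are
handled, which is enough to show the matching step.
"""
import json

# Constructed SBOM excerpt in the CycloneDX JSON shape (component list only).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "zlib",     "version": "1.2.11"},
    {"type": "library", "name": "busybox",  "version": "1.36.1"},
    {"type": "library", "name": "libexpat", "version": "2.4.1"}
  ]
}
"""

# Constructed advisory feed. Each entry names a package and the affected
# half-open range [introduced, fixed). The IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "zlib",     "introduced": "1.2.0",  "fixed": "1.2.12", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "libexpat", "introduced": "2.0.0",  "fixed": "2.4.2",  "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "package": "busybox",  "introduced": "1.30.0", "fixed": "1.36.0", "severity": "medium"},
]


def parse_version(text, width=4):
    """Turn '1.2.11' into a fixed-width comparable tuple (1, 2, 11, 0).

    Non-numeric characters in a segment are dropped; missing segments are
    zero-padded so '1.2' and '1.2.0' compare equal.
    """
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts = parts[:width] + [0] * max(0, width - len(parts))
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable_components(sbom_json, advisories):
    """Return one finding per (component, advisory) pair whose version is in the affected range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    # Highest severity first so the report leads with what needs patching now.
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: order.get(f["severity"], 9))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:<9}{f['component']}@{f['version']}  {f['advisory']}  fixed in {f['fixed_in']}")
```

Run against the constructed data, the check reports libexpat and zlib as affected and leaves busybox alone because 1.36.1 is at or above the fixed version. In a real pipeline the SBOM would come from binary analysis of the firmware image rather than a hand-written file, and the advisory feed from a vulnerability database, but the matching step is the same.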
Connected devices like industrial control systems, medical devices, and even some consumer products like smart refrigerators or HVAC systems are designed for extended operation. This extended lifespan creates significant security challenges as new vulnerabilities, threats, and exploits are found in the included software components over time.
Many devices lack automatic update mechanisms, have limited processing power to support new security features, or eventually lose vendor support entirely while actively deployed and operated. The result is a growing population of "legacy" connected devices that cannot be adequately secured against new threats but remain in active use. Each unpatched device represents an expanding security risk over time.
71% of security professionals find patching vulnerable systems overly complex, cumbersome, and time-consuming, with IoT and embedded devices being particularly problematic.
Many connected devices continue to ship with default or hardcoded passwords that users never change. This basic security mistake has led to some of the most devastating cyberattacks targeting connected devices, including the infamous Mirai botnet, which caused widespread internet outages in 2016. More recent botnet variants continue to exploit devices with default passwords, highlighting that this fundamental security issue remains unresolved in many product categories.
86% of router admin passwords have never been changed.
Regulatory frameworks, such as the UK’s PSTI Act, are now requiring manufacturers to eliminate default passwords and implement stronger authentication mechanisms.
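A manufacturer can catch the default-credential problem before a unit leaves the factory by auditing the provisioning record against the product line's own list of historical defaults and replacing any hit with a per-unit random password that must be changed at first login. The following is an added example of that check (not Finite State's code or any vendor's tooling); the configuration record, the factory-default list and the minimum-length policy value are all constructed for illustration.

```python
"""Factory-credential audit for a device provisioning record.

Added example, not Finite State code or any vendor's tooling. The
configuration record and the list of the product's own factory defaults are
constructed; the policy thresholds are assumptions chosen for illustration.
"""
import secrets
import string

# Constructed: credentials this product line historically shipped with.
# A manufacturer's QA step compares each built image against its own list.
FACTORY_DEFAULTS = {"admin", "factory1"}

# Constructed provisioning record as it might be written into a unit at the factory.
DEVICE_CONFIG = {
    "serial": "EXAMPLE-SN-000123",
    "accounts": [
        {"user": "admin", "password": "admin", "must_change_on_first_login": False},
        {"user": "service", "password": "", "must_change_on_first_login": True},
    ],
}

MIN_LENGTH = 12  # assumed policy value


def audit_credentials(config, factory_defaults):
    """Return (user, reason) findings for accounts that fail a no-default-password rule."""
    findings = []
    for acct in config["accounts"]:
        pw = acct["password"]
        if pw == "":
            findings.append((acct["user"], "empty password"))
        elif pw in factory_defaults:
            findings.append((acct["user"], "factory default password"))
        elif len(pw) < MIN_LENGTH:
            findings.append((acct["user"], f"shorter than {MIN_LENGTH} characters"))
        if pw in factory_defaults and not acct["must_change_on_first_login"]:
            findings.append((acct["user"], "default not forced to change at first login"))
    return findings


def generate_unique_password(length=16):
    """Per-unit random password from the OS CSPRNG; one per device, printed on the unit label."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def provision(config, factory_defaults):
    """Return a copy of the record with every failing credential replaced by a
    per-unit password and the first-login change flag set."""
    failing = {user for user, _ in audit_credentials(config, factory_defaults)}
    fixed = {"serial": config["serial"], "accounts": []}
    for acct in config["accounts"]:
        new = dict(acct)
        if acct["user"] in failing:
            new["password"] = generate_unique_password()
            new["must_change_on_first_login"] = True
        fixed["accounts"].append(new)
    return fixed


if __name__ == "__main__":
    for user, reason in audit_credentials(DEVICE_CONFIG, FACTORY_DEFAULTS):
        print(f"FAIL {DEVICE_CONFIG['serial']} account={user}: {reason}")
    clean = provision(DEVICE_CONFIG, FACTORY_DEFAULTS)
    print("after provisioning:", audit_credentials(clean, FACTORY_DEFAULTS))
```

The audit is deliberately specific to the product's own defaults rather than a generic wordlist: the goal is a build gate that fails when a known-bad factory value reappears in an image, which is the kind of evidence a manufacturer needs when demonstrating that shipped units carry no universal default password.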
Traditional security monitoring tools are designed for conventional IT environments and often cannot effectively monitor connected devices. Without proper monitoring capabilities, silent failures or subtle performance changes that might signal security breaches often go unnoticed until significant damage has occurred.
Many connected devices utilize legacy or proprietary communication protocols that weren't designed with security in mind. For example, industrial control systems often rely on protocols like Modbus or BACnet that lack built-in authentication and encryption.
A 2023 study by CyberX found that 71% of industrial sites use plaintext passwords in their control systems.
Even newer devices sometimes prioritize operational functionality and backward compatibility over security, continuing to implement vulnerable communication methods that expose sensitive data and control channels.
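Because Modbus carries no authentication, a controller cannot tell an engineering workstation from any other host that can reach it; the compensating control is to watch the wire and alert on state-changing requests from unexpected sources, which also addresses the monitoring gap raised earlier. The following is an added example (not Finite State's code and not a complete intrusion detection system) of a passive Modbus/TCP monitor. The frame layout follows the public Modbus/TCP specification (7-byte MBAP header followed by the PDU); the captured frames, source addresses and the allow-list are constructed.

```python
"""Passive Modbus/TCP monitor: parse request frames and alert on write
operations from hosts that are not the known engineering workstations.

Added example, not Finite State code and not a complete IDS. Frame layout
follows the Modbus/TCP specification (7-byte MBAP header followed by the PDU).
The captured frames, source addresses and the allow-list are constructed.
"""
import struct
from dataclasses import dataclass

# Public function codes, split by whether they change process state.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame):
    """Parse one Modbus/TCP request frame; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def classify(req):
    """'read', 'write', 'exception' or 'other' for a parsed request."""
    if req.function_code & 0x80:
        return "exception"
    if req.function_code in READ_FUNCTIONS:
        return "read"
    if req.function_code in WRITE_FUNCTIONS:
        return "write"
    return "other"


def describe_write(req):
    """Human-readable target of a write request (starting address and value or count)."""
    name = WRITE_FUNCTIONS[req.function_code]
    addr, arg = struct.unpack(">HH", req.data[:4])
    if req.function_code in (5, 6):
        return f"{name} addr={addr} value=0x{arg:04x}"
    return f"{name} addr={addr} count={arg}"


def alert_on_writes(observations, engineering_hosts):
    """Return alert strings for write requests whose source is not allow-listed.

    observations: iterable of (source_ip, frame_bytes) as seen from a network tap.
    """
    alerts = []
    for src, frame in observations:
        req = parse_modbus_tcp(frame)
        if classify(req) == "write" and src not in engineering_hosts:
            alerts.append(f"{src} -> unit {req.unit_id}: {describe_write(req)}")
    return alerts


# Constructed capture: three requests as they would appear on the wire.
SAMPLE_CAPTURE = [
    # Read Holding Registers, start 0, quantity 10, from the engineering host
    ("192.0.2.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Write Single Register, addr 16, value 0x1234, from the engineering host
    ("192.0.2.10", bytes.fromhex("0002 0000 0006 01 06 0010 1234")),
    # Write Multiple Registers, addr 0, 2 registers, from an unexpected host
    ("192.0.2.77", bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 0001 0002")),
]
ENGINEERING_HOSTS = {"192.0.2.10"}

if __name__ == "__main__":
    for line in alert_on_writes(SAMPLE_CAPTURE, ENGINEERING_HOSTS):
        print("ALERT", line)
```

The allow-list is keyed on source address because that is all the protocol gives a monitor to work with; it narrows exposure but does not replace authentication, which is exactly the gap the text describes.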
Resource constraints often force manufacturers to implement weak encryption or forego it entirely. Many connected devices lack the processing power, memory, or battery capacity to support strong cryptographic algorithms, exposing sensitive data, credentials, and commands to interception.
According to a Unit 42 IoT Threat report, 98% of IoT device traffic is unencrypted.
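A figure like the one above is produced by looking at the first bytes of each flow and deciding whether it is a TLS handshake or a cleartext protocol. The following is an added example (not Finite State's code and not a full protocol analyser) of that classification over a constructed set of flows; the byte patterns come from the public TLS, HTTP and MQTT specifications, and the sample payloads are constructed.

```python
"""Classify captured device traffic as TLS, a known cleartext protocol, or
unknown, from the first bytes of each flow's client payload.

Added example, not Finite State code and not a replacement for a full
protocol analyser. The byte patterns are from the public TLS, HTTP and
MQTT specifications; the sample flows below are constructed.
"""

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ")


def looks_like_tls_client_hello(payload):
    """TLS record header: type 0x16 (handshake), version 3.x, then handshake type 1 (ClientHello)."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x03
            and payload[5] == 0x01)


def looks_like_mqtt_connect(payload):
    """MQTT CONNECT: fixed header 0x10, then (with a one-byte remaining length)
    the protocol name length 0x0004 and the string 'MQTT' at bytes 2..7."""
    return len(payload) >= 8 and payload[0] == 0x10 and payload[2:8] == b"\x00\x04MQTT"


def classify_flow(payload):
    """Return 'tls', 'http', 'mqtt', 'cleartext-other' or 'unknown'."""
    if looks_like_tls_client_hello(payload):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    if looks_like_mqtt_connect(payload):
        return "mqtt"
    # Fallback heuristic: a mostly printable first 64 bytes is some text protocol.
    sample = payload[:64]
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    if sample and printable / len(sample) > 0.9:
        return "cleartext-other"
    return "unknown"


ENCRYPTED = {"tls"}
CLEARTEXT = {"http", "mqtt", "cleartext-other"}


def unencrypted_share(flows):
    """Fraction of classifiable flows that are cleartext; None if nothing was classifiable.

    'unknown' flows are excluded rather than counted either way, so the figure
    reflects only what the classifier could actually identify.
    """
    clear = enc = 0
    for payload in flows:
        label = classify_flow(payload)
        if label in CLEARTEXT:
            clear += 1
        elif label in ENCRYPTED:
            enc += 1
    total = clear + enc
    return clear / total if total else None


# Constructed first-payload bytes of four flows from a device network.
SAMPLE_FLOWS = [
    bytes.fromhex("16030100c4010000c00303") + bytes(16),            # start of a TLS ClientHello
    b"GET /api/status HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",         # plain HTTP request
    bytes.fromhex("1014 0004 4d515454 04 02 003c 0008") + b"sensor01",  # MQTT CONNECT, client id sensor01
    bytes.fromhex("8a03f199c0ffee0012ab"),                           # unrecognised binary
]

if __name__ == "__main__":
    for payload in SAMPLE_FLOWS:
        print(f"{classify_flow(payload):<16}{payload[:12]!r}")
    print("unencrypted share:", unencrypted_share(SAMPLE_FLOWS))
```

On the constructed flows the classifier labels one TLS handshake, one HTTP request and one MQTT CONNECT, and leaves the opaque binary flow as unknown, giving an unencrypted share of two thirds among the flows it could identify. Keeping the unknown bucket separate matters: a device talking a proprietary binary protocol without encryption would otherwise be silently counted as if it were protected.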
Connected devices often collect vast amounts of sensitive data, from health metrics to behavioral patterns and location information. Securing this data throughout its lifecycle—during collection, transmission, storage, and processing—represents a major challenge that intersects with both security and regulatory compliance.
The Consumers International and Internet Society’s Joint Report found that 63% of consumers are worried about how their data is being used by connected devices.
Unlike traditional IT assets that typically reside in secured facilities, connected devices are often deployed in physically accessible locations. Smart home devices, public infrastructure sensors, and even medical devices may be accessible to unauthorized individuals.
Physical access to a device can enable attackers to extract firmware, access debug interfaces, or modify hardware in ways that compromise security. These attacks are particularly concerning because they may bypass many software-based security controls.
At Finite State, we help manufacturers secure complex connected ecosystems with unmatched depth—combining deep binary analysis, continuous SBOM lifecycle management, and rigorous vulnerability assessment to mitigate risk and ensure compliance.
Whether you're navigating evolving regulations like the EU Cyber Resilience Act, enhancing your secure development lifecycle, or preparing for penetration testing, our centralized platform and advisory services are built for the unique realities of embedded and IoT systems.
Secure your connected devices with confidence 👉 Contact Finite State today to schedule a consultation or learn how our solutions can support your product security strategy.