Blog & Nl Banner 1200 300 (1200 X 500 Px) (1)

Top 6 IoT security myths – busted

Inspired by this great article on Hacker News, we decided to bust some common security myths specific to the field of connected devices. Even as we see awareness for cybersecurity increase, IoT/IIoT/OT security remains a blind spot in many organizations.  

Myth #1: IoT security is too expensive for my organization 

Fact: My organization will save money through IoT security 

In the past, security investments have often been considered a burdensome growth inhibitor. However, as cyberthreats and regulatory requirements are both on an exponential rise, “information security is increasingly being viewed as (a) strategic business enabler for the enterprise,” according to Dark Reading. Swisscom, the leading Swiss telecom provider, is a great example for how investing into automated IoT security pays off significantly: Swisscom automatically checks new software for its IoT products for potential security risks and compliance violations before the release – and saves USD 400.000 per avoided faulty software rollout! On the other hand, companies that take IoT security lightheartedly might find themselves at the center of a ransomware attack, with ransom demands easily amounting to millions.  

Myth #2: We have already checked our IoT devices – everything is OK  

Fact: IoT security is not a status, but an ongoing process 

With an ever-evolving threat landscape, there is no such thing as definite cyber security. On the contrary, security is an ongoing process, and organizations must constantly be on the lookout for new vulnerabilities. The same is true for IoT security, as cybercriminals are constantly leveraging new vulnerabilities for their attacks. This is where automated security & compliance services come into play. The IoT Inspector Monitor scans your IoT/OT firmware’s digital twins for new vulnerabilities and compliance violations. This service works fully automated and in case of a new vulnerability, you will receive an alert that empowers your SOC (Security Operations Center) or PSIRT (Product Security Incident Response Team) to evaluate the vulnerability and take action almost in real-time.  

Myth #3: My suppliers are responsible for the security of my IoT devices 

Fact: 92% of IoT devices are vulnerable, and unclear supply chains are a major risk factor 

92% of the firmware we have analyzed during the last years contained security vulnerabilities. Big brands are just as affected as lesser-known manufacturers. Almost all vendors rely on third party components (licensed or open source), and they integrate them often without testing or knowing exactly what other components they might contain. Insecure components may cause widespread damage: In 2021, we uncovered critical vulnerabilities in Realtek chips that affected hundreds of thousands of different devices by more than 65 (!) manufacturers. Regardless of whether you are a vendor or user of IoT devices – we strongly advise keeping track of all components via a thorough software bill of materials (SBOM). An automated firmware analysis with IoT Inspector will provide a detailed list of software and data components. 

Iot Security Myths Busted

Myth #4: My company is not at risk  

Fact: Every organization is a potential target for cybercriminals 

Some organizations still wrongly believe they are an unattractive target for cyber criminals. However, “no company or government agency is safe from cyberattacks in this day and age. That’s why it’s crucial to be prepared for emergencies and proactively address the issue of cybersecurity,” says Sebastian Artz of German IT industry association Bitkom. IoT Inspector’s CEO Jan Wendenburg couldn’t agree more: “Without IoT security, no company, organization, or government agency will survive in the future. Whether it’s critical infrastructure such as energy and water utilities, automotive, aviation, medical devices, network printers and even the vacuum cleaner robot at home – without IoT security, all devices and data can be compromised.” 

Myth #5: My IoT devices are not at risk because they don’t hold sensitive data  

Fact: Any device can be a hacker’s entry point into your corporate network to access sensitive data  

According to Kaspersky, 1.51 billion breaches of IoT devices took place in the first half of 2021 alone – an increase of more than 100% from 639 million breaches in 2020. Not every smart device holds sensitive data (although many of them do). However, every single connected device – if exploited successfully by attackers – can be used to pivot into sensitive networks, maintain persistence within the network, and stage additional attacks on systems that do hold sensitive data.  

Myth #6: My connected devices cannot be accessed from the Internet 

Fact: Vulnerabilities in other areas may expose a device 

Limiting access to IoT/IIoT/OT devices and placing them in restricted networks is a common strategy to mitigate potential risks that affect these devices. However, advancements of digitalization and Industry 4.0 require increased connectivity. A network change designed to allow remote maintenance may suddenly expose a vulnerable device. Additionally, vulnerabilities or misconfigurations in perimeter security may leave devices exposed as well. Following the defense in-depth principle, a system should never rely on other systems for security, but should be resilient itself. 


ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.



Sara Fortmann

Marketing Manager


euromarcom public relations GmbH

+49 611 973 150