
Government Opens Consultation on IoT Security

Associated research found devices to be outdated, insecure and often not using adequate privilege and process segregation.

The UK government has opened a consultation on IoT security to seek views from industry and the public on what would be appropriate to tackle the issue.

The government says vulnerable devices can provide a route for hostile actors into the IT systems used by businesses, and presents the consultation as part of its work to improve cyber resilience across the UK economy. The call for views closes on 7 July 2025.

Outdated and Inadequate

Research carried out by NCC Group on behalf of the UK government found that IoT devices in the enterprise are a major liability, with many running old and outdated software and not adhering to security standards.

It found that outdated software was prevalent across devices, with one device’s bootloader being over 15 years old. “Outdated software can often contain security vulnerabilities that can be exploited by attackers,” the research claimed. “A robust and proactive software patching policy is essential.”

The majority of devices did not use sufficient boot integrity protections or secure boot, meaning the device does not verify that its firmware and filesystem are unmodified before running them. In most cases, an attacker with physical access could therefore fully compromise a device and install a persistent backdoor.
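To make concrete what "checking the filesystem for modifications" means, here is an added example (not code from the report, NCC Group or the government): a user-space version of the hash-manifest check that boot integrity mechanisms such as dm-verity perform. It records a SHA-256 digest of every file in a root filesystem and later reports anything modified, missing or added. The sample root filesystem, the trojaned binary and the `rc.local` backdoor are constructed for the demo. The caveat matters: without secure boot anchoring the checker and the manifest in a chain of trust from ROM through the bootloader and kernel, an attacker with physical access simply edits the checker too, which is exactly the gap the report describes.

```python
"""Detect filesystem tampering against a hash manifest (added example)."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware images do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    In a real device this manifest must itself be signed and verified by an
    earlier, trusted boot stage; an unsigned manifest on the same flash is
    only as trustworthy as the rest of the filesystem.
    """
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_manifest(root: Path, manifest: dict[str, str]) -> list[tuple[str, str]]:
    """Return (status, relpath) for every deviation: modified, missing or added."""
    findings: list[tuple[str, str]] = []
    current = build_manifest(root)
    for rel, expected in manifest.items():
        if rel not in current:
            findings.append(("missing", rel))
        elif current[rel] != expected:
            findings.append(("modified", rel))
    for rel in current:
        if rel not in manifest:
            findings.append(("added", rel))  # e.g. a dropped-in startup script
    return sorted(findings)


def demo() -> list[tuple[str, str]]:
    """Build a tiny constructed root fs, tamper with it, and return what verify sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # Constructed sample contents, not real firmware.
        (root / "bin" / "httpd").write_bytes(b"\x7fELF...constructed binary")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        manifest = build_manifest(root)
        if verify_manifest(root, manifest):
            raise RuntimeError("clean image must verify")
        # What an attacker with physical access does when nothing checks the
        # filesystem: replace a service binary and add a persistent backdoor.
        (root / "bin" / "httpd").write_bytes(b"\x7fELF...trojaned binary")
        (root / "etc" / "rc.local").write_text("/tmp/backdoor &\n")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for status, rel in demo():
        print(f"{status:<9} {rel}")
```

Run on a real image by pointing `build_manifest` at a mounted root filesystem and storing the result somewhere the attacker cannot rewrite; the point of secure boot is that "somewhere" is a signed artefact verified before the filesystem is ever trusted.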

Few of the analysed devices used adequate privilege separation and process segregation, with the majority running every process as the highly privileged “root” user. This exposes devices to unnecessary additional risk: a vulnerability in any one service is exploited with root's permissions, giving an attacker unrestricted control of the device rather than access confined to that service.
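The check a practitioner would run on a device to see this finding for themselves, as an added example that is not from the report or from NCC Group: parse a `ps -eo uid,user,pid,comm` snapshot (or read a live Linux `/proc`), ignore kernel threads and PID 1, which legitimately run as root, and list which userland daemons still run as uid 0. The process listing below is constructed for the example and does not describe any real product; the service names are illustrative.

```python
"""Audit process privilege separation from a ps snapshot or live /proc (added example)."""
from __future__ import annotations

import os
from dataclasses import dataclass, field

# Constructed sample of `ps -eo uid,user,pid,comm` from a hypothetical device.
SAMPLE_PS = """\
  UID USER       PID COMMAND
    0 root         1 init
    0 root         2 [kthreadd]
    0 root        15 [kworker/0:1]
    0 root       120 httpd
    0 root       134 telnetd
    0 root       150 mqtt-agent
    0 root       162 upnpd
  100 daemon     170 ntpd
  999 nobody     181 dnsmasq
"""


@dataclass(frozen=True)
class Process:
    uid: int
    user: str
    pid: int
    comm: str

    @property
    def is_kernel_thread(self) -> bool:
        # ps prints kernel threads with the name in square brackets.
        return self.comm.startswith("[") and self.comm.endswith("]")


@dataclass
class AuditResult:
    userland_total: int = 0
    root_daemons: list[str] = field(default_factory=list)   # uid 0, excluding PID 1
    unprivileged: list[str] = field(default_factory=list)   # any other uid

    @property
    def root_fraction(self) -> float:
        """Share of userland daemons (PID 1 excluded) that run as root."""
        daemons = len(self.root_daemons) + len(self.unprivileged)
        return len(self.root_daemons) / daemons if daemons else 0.0


def parse_ps(snapshot: str) -> list[Process]:
    """Parse `ps -eo uid,user,pid,comm` output; the header line is skipped."""
    procs = []
    for line in snapshot.strip().splitlines()[1:]:
        uid, user, pid, comm = line.split(None, 3)
        procs.append(Process(int(uid), user, int(pid), comm))
    return procs


def read_proc_snapshot() -> list[Process]:
    """Build the same list from a live Linux /proc, for use on a real device."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            fields = {}
            with open(f"/proc/{entry}/status") as fh:
                for line in fh:
                    key, _, value = line.partition(":")
                    fields[key] = value.strip()
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                has_cmdline = bool(fh.read())
        except OSError:
            continue  # process exited while we were reading it
        uid = int(fields["Uid"].split()[0])  # real uid is the first of the four
        name = fields["Name"] if has_cmdline else f"[{fields['Name']}]"  # kernel thread
        procs.append(Process(uid, "root" if uid == 0 else str(uid), int(entry), name))
    return procs


def audit_privileges(procs: list[Process]) -> AuditResult:
    """Flag every userland daemon running as root; PID 1 and kernel threads are expected to."""
    result = AuditResult()
    for p in procs:
        if p.is_kernel_thread:
            continue
        result.userland_total += 1
        if p.pid == 1:
            continue
        (result.root_daemons if p.uid == 0 else result.unprivileged).append(p.comm)
    return result


if __name__ == "__main__":
    report = audit_privileges(parse_ps(SAMPLE_PS))
    print(f"{len(report.root_daemons)} of {report.userland_total - 1} daemons run as root "
          f"({report.root_fraction:.0%}): {', '.join(report.root_daemons)}")
```

On a device, replace `parse_ps(SAMPLE_PS)` with `read_proc_snapshot()`. Every name in `root_daemons` that handles network input (a web server, telnet, MQTT, UPnP) is a service whose single memory-safety or command-injection bug hands over the whole device; the fix on the manufacturer's side is to start those services under a dedicated unprivileged user and keep only the minimal privileged helper as root.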

Finally, many of the discovered issues were insecure configurations of services, applications or features: areas in which manufacturers had shipped the device with insecure defaults. While these issues may not be high risk in themselves, in some cases they can be chained together to increase the impact of other vulnerabilities.

Afterthought

Commenting, Sylvain Cortes, VP strategy at Hackuity, said: “The fact that outdated software and unpatched solutions are ‘prevalent across devices’ is particularly worrying. Ultimately, the onus is on the manufacturers of devices to ensure their products are truly secure by design, but this still doesn’t seem to be a priority.

“One of the key issues is that many IoT devices are still built with usability first and security as an afterthought. In particular, the report highlighted how privileges can be escalated, which provides an open door for attackers not only to gain access but also to move laterally once they are inside.

“The report is a timely reminder that we have to make sure that, as the attack surface expands, functionality is not sacrificed for the security of our systems, networks and sensitive data.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

