The UK Department for Science, Innovation and Technology (DSIT) has released a report uncovering significant cybersecurity vulnerabilities in enterprise Internet of Things (IoT) devices. Conducted by NCC Group, the study identifies serious remote code execution flaws that could enable unauthenticated attackers to take full control of devices over networks. These connected devices include Internet Protocol (IP) cameras, Voice over Internet Protocol (VoIP) phones, Network Attached Storage (NAS), and meeting room panels, all commonly used in business environments.

The research aims to highlight security weaknesses that pose risks to the IT systems of businesses. The initiative forms part of a broader government effort to enhance cyber resilience across the UK economy. A notable finding is the widespread presence of outdated software in these devices, with some bootloaders being more than 15 years old. Such outdated software presents significant risk because of the exploitable vulnerabilities it may contain. Addressing these issues requires a robust software patching policy, although challenges persist because connected devices often have only intermittent internet access and firmware update procedures that are not streamlined.

Security flaws in device protections

The report also reveals inadequate boot integrity protections or secure boot mechanisms in most devices tested. Without these safeguards, devices cannot effectively detect filesystem modifications or other tampering, allowing an attacker with physical access to compromise a device fully and install a persistent backdoor. Furthermore, the study identifies that many devices run all processes under the highly privileged “root” user, potentially granting an attacker unrestricted access if any single vulnerability is exploited. The lack of privilege separation and process segregation exposes these devices to unnecessary risk.

Insecure configurations of services and applications are another common issue highlighted by the assessment. While these configurations may not individually pose a high risk, they can be chained with other vulnerabilities to amplify their impact. This emphasises the importance of a defence-in-depth strategy that combines multiple security measures.

The assessment was conducted from January to March 2023 and provides a broad overview of the current security posture of enterprise IoT devices against government and industry-recommended security principles. These findings were evaluated against standards such as the National Cyber Security Centre’s Device Security Principles and the ETSI EN 303 645 standard, with significant variations observed in adherence among different devices.

Devices for this study were selected through a collaborative process between NCC Group and DSIT, representing a range of global brands and manufacturers to reflect common enterprise IoT usage. Each category included both “low-end” and “high-end” models to mirror the diversity available in the marketplace.

While outdated software poses a continual challenge for customers because of restricted internet access and update procedures that are not streamlined, vendors contribute to the issue by relying on third-party software without a regular patching plan.

In a related development in the US, the White House announced the introduction of the U.S. Cyber Trust Mark in January 2025. This voluntary cybersecurity labelling program aims to improve the safety of wireless smart devices and IoT products. Administered by the Federal Communications Commission (FCC), the initiative helps consumers identify devices that adhere to cybersecurity standards established by the National Institute of Standards and Technology (NIST). The programme applies to a range of products, including fitness trackers, smart appliances, and voice-activated assistants, and is scheduled for full implementation this year.