Insecure IoT Devices cause Organizational Risk

November 14, 2025

We have new articles coming soon on some interesting facets of AI data generation, but we recently ran across something worth sharing. While working with a client, we found their IoT devices posting to a vendor-operated MQTT server as the standard configuration. Although the devices could be reconfigured, this was not obvious, and the vendor's official configuration recommendation was simply to use its own MQTT server as the data integration point.

The problem is that the vendor did not filter cross-client data messages, allowing any customer to consume every other customer's data from the messaging system. Since the messages are not encrypted, anybody who connects can consume all messages sent by every device running the default configuration. Over several days, that is hundreds of thousands of messages.

It gets worse.

The vendor's MQTT broker also allows configuration messages to be sent through the broker for the end devices to consume and process, with no authentication or digital signature required. Post a configuration, and the device will consume and process it on its next connection, on a broker that does not adequately filter cross-tenant messages and information.

This is a problem. In theory, a denial-of-service attack could reconfigure many devices into an inoperable state, but a configuration change could also be more malicious and subtle. Adjusting the reporting configuration, the device's report destinations, and other settings could make tampering much more difficult to detect through monitoring. It's one thing to have an outage; it's something else entirely to have undetected tampering, especially on edge devices.

This post isn't a specific configuration directive and isn't intended to call out any particular IoT device vendor; it is a cautionary tale. Know where your data is going, track the configuration of your devices, and secure the reporting and configuration channels across your infrastructure. This vendor was providing a useful service to help people get started, but many customers simply let it ride and have placed their data and devices at risk.
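One device-side mitigation for the unauthenticated configuration channel described above, as an added example that is not the vendor's or this post's own code: the device applies a configuration message only if it carries a valid HMAC under a per-device key provisioned out of band, is addressed to this device, and has a sequence number newer than the last one applied, so unsigned, cross-tenant, tampered or replayed messages on a shared broker are dropped. The JSON envelope, the device id and the key are constructed assumptions; a per-device asymmetric signature would fit the same gate.

```python
import hmac
import hashlib
import json

# Constructed placeholders: in practice the key is provisioned per device
# out of band (never published over the broker) and the id is burned in.
DEVICE_ID = "sensor-0042"
DEVICE_KEY = b"per-device-secret-provisioned-out-of-band"


def _canonical(body: dict) -> bytes:
    # Canonical JSON so producer and device MAC the same bytes regardless of key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_config(key: bytes, body: dict) -> bytes:
    """Producer side: wrap a config body in an envelope {"body": ..., "mac": hex}."""
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": mac}).encode()


class ConfigGate:
    """Device side: decide whether a configuration payload from the broker may be applied."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key
        self.last_seq = 0  # highest sequence number already applied (persist this on a real device)

    def verify(self, raw: bytes):
        """Return (accepted, reason) for one MQTT payload; only accepted messages update state."""
        try:
            env = json.loads(raw)
            body, mac = env["body"], env["mac"]
            if not isinstance(body, dict) or not isinstance(mac, str):
                raise TypeError("bad envelope")
        except (ValueError, KeyError, TypeError):
            return False, "malformed"  # unsigned or unstructured messages never reach the parser logic
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad-signature"  # other tenants' keys, or a body edited after signing
        if body.get("device_id") != self.device_id:
            return False, "wrong-device"  # cross-tenant / cross-device traffic on a shared broker
        seq = body.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq:
            return False, "replay"  # stale or re-posted configuration
        self.last_seq = seq
        return True, "ok"
```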

We provide support for many types of devices, including an assessment of current devices and strategies as well as recommendations to improve the security and integrity of your devices, data, and supply chain. Feel free to reach out!
