From smart watches to smart TVs and even smart kettles, connected devices have become a core part of our daily lives. The internet of things (IoT) is at the forefront of a revolution. Artificial intelligence (AI), along with novel communication and sensing technologies, is introducing new capabilities, such as real-time monitoring, adaptability, personalisation and remote control.
Devices able to sense their surrounding environments are becoming much more prominent. These devices are able to record audio and images, communicate and then use this data to make decisions, or even take action. All of this happens quickly, easily and automatically.
But what happens if the information these devices use or communicate is not reliable or accurate? IoT devices offer great opportunities but open the door to new challenges and vulnerabilities. Can these technologies be reliably trusted in safety-critical applications? These implications are especially important in two key sectors.
Energy systems and infrastructure
The McKinsey Global Institute has estimated the economic impact of IoT for energy and power systems in 2025 to be in the range of $200 billion to $500 billion. The sector is working to transform existing electric and other energy systems into intelligent, cyber-enabled networks that are efficient, resilient and sustainable. IoT plays a role here by enabling dynamic energy management – maximising revenue generation, minimising energy costs and reducing carbon emissions. It empowers energy systems with situational awareness, monitoring and distributed control of renewable sources.
For example, smart meters and EV smart chargers allow users to make better-informed decisions about when to use certain appliances or buy electricity, thereby reducing costs. These devices also help operators and energy providers plan and optimise grid control by reducing uncertainty in demand and renewable generation. This is fundamental in achieving Net Zero targets.
Smart meters, flexible demand, vehicle-to-grid technologies and smart buildings all rely on access to large volumes of data. This has become possible thanks to advances in sensing and communication technologies. But what happens if an attacker compromises or alters that data?
Threat actors could cause physical damage through cyber-physical attacks. For example, they might tamper with sensors or meter readings to benefit or disadvantage certain operators or consumers. More dangerously, attackers could take control of many devices simultaneously, potentially destabilising the grid and causing widespread blackouts.
Unfortunately, this is not just a remote possibility. Industry leaders have warned that the energy sector has become a primary target for cyber-attacks. There has also been a shift towards using cyber-attacks to cause physical consequences, indicating that increased reliance on IoT poses a serious risk to the UK’s broader infrastructure.
Incidents such as the disruption of power distribution in Ukraine in 2015 and 2016 have shown this. The number of reported attacks has continued to increase in recent years, especially in the building automation and energy sectors, with some resulting in injuries or loss of life.
IoT for healthcare applications
The healthcare sector is also being transformed by the internet of medical things (IoMT) and wearable devices, offering real-time monitoring, remote access to patient data, personalisation and improved management of chronic conditions.
Examples include continuous glucose monitoring (CGM) systems and devices to monitor blood pressure or heart rate. These allow for continuous tracking of vital signs and can inform treatment decisions and interventions. However, as these devices become more widespread, security concerns are growing. A study at UCL highlights the vulnerabilities of Bluetooth Low Energy (BLE)-enabled medical devices – an area that has received little attention to date.
Many of the devices tested had minimal or no security defences, leaving them vulnerable to relatively simple attacks. These include “man-in-the-middle” (MITM) attacks, where data is intercepted and altered, eavesdropping to capture sensitive data, and denial of service (DoS) attacks that disable devices.
Such attacks pose serious risks. They could create false medical alerts, cause real warning signs to be ignored or leak sensitive data for illicit use. In extreme cases, hackers could take control of a device and manipulate vital signals.
For instance, in a CGM system connected to an insulin pump for type 1 diabetes patients, a hacker could alter glucose readings, causing the pump to deliver incorrect insulin doses. This could result in severe health consequences such as hypoglycaemia or hyperglycaemia. These risks are not hypothetical – they are a very real concern in the current landscape of cyber-security and medical wearables. Many devices prioritise ease of use over security.
These vulnerabilities are not just technical flaws. They pose serious risks to critical services and patient health.
How to defend systems
It is clear from these examples that IoT security vulnerabilities go far beyond privacy concerns. They represent fundamental challenges to the safety and reliability of the systems in which these devices operate.
It is vital to establish new strategies to ensure future systems are resilient. A holistic approach is needed, one that considers every element of an IoT system – from design through to deployment and operation.
Cyber-security is no longer just a concern for computer scientists. Engineers and domain experts now play a vital role. As everything becomes interconnected, we need a systems-level perspective on security, safety and resilience.
By Francesca Boem, IEEE Senior Member and Associate Professor with the Electronic and Electrical Engineering Department, University College London (UCL)