When you plug in that shiny new smart bulb or connect your Chromecast to the network, you probably assume it’s secure. After all, these are well-known brands, some even boasting compliance labels or “secure by design” marketing claims. Yet, our latest assessment paints a more troubling picture, one that should make anyone managing a home or enterprise network think twice before welcoming another “smart” device onto their Wi-Fi.
The test: Putting IoT security claims to the probe
To validate our in-house IoT security assessment tool, we tested a range of consumer devices - from smart plugs to bulbs and a media streaming device - against a battery of core security checks inspired by ETSI EN 303 645 and aligned with common penetration testing methodologies.
We looked at:
- TLS interception and certificate validation
- Resistance to dictionary attacks
- Encryption and traffic integrity
- Exposure of unused ports
- Local network protections
- Replay, DoS recovery, and PII exposure
TLS failures everywhere: encryption, optional apparently
The most shocking result: half of the devices failed TLS intercept tests. The Meross Plug, Wiz bulb, and Google Chromecast all accepted forged certificates, meaning that with a simple man-in-the-middle setup, their encrypted communication could be silently intercepted.
Think about that: your light bulb might be more cooperative with an attacker’s proxy than with your own router.
By contrast, Yeelight, Lepro, and LifX bulbs resisted interception, showing that strong TLS validation can be done, but apparently isn’t considered mandatory by all manufacturers.
Encryption inconsistencies: cleartext in 2025?
Despite years of standards and awareness, several devices still transmitted unencrypted data. This isn’t a legacy problem; these are devices currently sold on major online platforms. The fact that any IoT traffic today is still being sent in the clear is a sign that security-by-design remains more of a marketing label than a development principle.
Good network hygiene (mostly)
Here’s the silver lining: no device exposed unused ports, which means manufacturers are getting better at reducing their network attack surface.
Local connectivity, critical for latency and resilience, was also generally supported, although a few devices showed weak local protections, leaving them vulnerable to attacks from within the home network.
Replay attacks: When “off” means “off… again”
Replay attacks, where an attacker re-sends previously captured commands, worked on multiple devices. Imagine capturing the “unlock” or “turn off” command and playing it back later. It’s not science fiction; it’s reality for several products in our test set.
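As an added illustration (not code from the assessment tool or from any tested product), the following shows the device-side check that the replay-vulnerable products lack: a command is only acted upon if it carries a valid HMAC and a counter higher than the last one accepted, so the same captured “off” message cannot be played back later. The key and message format are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed example key; in practice this is provisioned per device at pairing time.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(action: str, counter: int) -> bytes:
    """Deterministic encoding of the fields covered by the MAC."""
    return json.dumps({"action": action, "ctr": counter}, sort_keys=True).encode()


def sign_command(key: bytes, action: str, counter: int) -> dict:
    """Controller side: bind the command to a monotonically increasing counter and MAC it."""
    tag = hmac.new(key, _canonical(action, counter), hashlib.sha256).hexdigest()
    return {"action": action, "ctr": counter, "mac": tag}


class Device:
    """Device side: accept a command only if the MAC verifies and the counter is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_ctr = 0        # highest counter accepted so far (persisted in real firmware)
        self.state = "on"

    def handle(self, msg: dict) -> bool:
        expected = hmac.new(self.key, _canonical(msg["action"], msg["ctr"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False         # forged or tampered command
        if msg["ctr"] <= self.last_ctr:
            return False         # replayed (or stale) command: reject without changing state
        self.last_ctr = msg["ctr"]
        self.state = msg["action"]
        return True


def demo():
    """Legitimate 'off' is accepted; the identical message replayed later is rejected."""
    dev = Device(DEVICE_KEY)
    off = sign_command(DEVICE_KEY, "off", counter=1)
    first = dev.handle(off)                               # accepted
    dev.handle(sign_command(DEVICE_KEY, "on", counter=2))  # later legitimate command
    replayed = dev.handle(off)                            # same captured bytes: rejected
    return first, replayed, dev.state
```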
PII and DoS: The human side of security
When it comes to user data, most devices did reasonably well. But the Meross Plug again stood out, and not for the right reasons: it showed traces of PII exposure.
On the brighter side, all devices recovered gracefully from denial-of-service tests, showing that resilience under network stress is improving.
The bigger picture: A broken baseline
Taken together, these findings show that IoT security remains wildly inconsistent, even among well-known brands. Manufacturers are making progress on low-hanging fruit like port hardening, but encryption, replay protection, and data handling, the real backbone of trust, still lag far behind.
The problem isn’t lack of standards; ETSI EN 303 645 and the upcoming Cyber Resilience Act (CRA) already provide solid guidance. The problem is lack of enforcement and verification. Until compliance is measured, not just claimed, we’ll keep buying insecure devices under the illusion of safety.
What needs to change
- Independent, transparent testing: Tools like ours show that automated, standardised assessments can expose real weaknesses before attackers do.
- Mandatory disclosure and labelling: Users should know whether their smart bulb leaks data or trusts fake certificates.
- Collaborative validation: ISPs, researchers, and regulators need a shared testing infrastructure, not isolated lab results, to push the market forward.