The Internet of Stranger Things: Managing IoT Risks

Netflix’s Stranger Things is a world where the mundane can suddenly become a portal to the deadly Upside Down, a perfect metaphor for the current state of the Internet of Things (IoT).

From smart home gadgets to industrial sensors, IoT assets connect our world in staggering new ways, promising efficiency and convenience. However, much like the town of Hawkins, Indiana, these assets also harbour hidden, often ignored, vulnerabilities that can open a gate to the digital equivalent of the Upside Down.

Below are the top eleven risks that every security team should address to effectively close the gate on common IoT threats.

The Top Eleven Risks

1. Default Passwords and Botnets

The most dangerous cyber threats often leverage simple, widespread vulnerabilities to achieve maximum impact. In the IoT world, this is the threat posed by default or weak administrative credentials. An attacker doesn’t need to be psychic; they just need to scan for devices with default passwords. Once compromised, the device is enlisted into a malicious botnet that’s ready to launch DDoS attacks or propagate malware.

2. Unknown and Unmanaged Assets

The Upside Down functions as a massive, hostile shadow environment parallel to Hawkins. Similarly, many enterprises struggle with complete asset visibility. Unknown and unmanaged IoT assets, including personal fitness trackers and forgotten sensors, dramatically expand the attack surface. Since you can’t protect what you can’t see, these assets become silent entry points into the network.

3. Poor Network Segmentation

Poor network segmentation mirrors the countless threats within the Upside Down. Many IoT and operational technology (OT) networks are flat, meaning a compromise on one low-priority smart light switch can give an attacker a clear path to mission-critical systems, such as building management systems (BMS) or core industrial controls. Isolation is key to containment.

4. Legacy Systems

The 80s setting of Stranger Things is nostalgic, but in security, nostalgia can be problematic. Many industrial and OT environments still rely on legacy devices running decades-old, unsupported operating systems. Think Windows 7 or even older embedded systems. These assets are the digital equivalent of Hawkins Lab: powerful, vital, yet riddled with fundamental, unpatched vulnerabilities that modern threats can exploit with ease.

5. Poor Physical Security

Digital security architecture is only as strong as the physical security protecting endpoints. A device often needs to be plugged in or accessed locally to be compromised. But once an attacker has physical access – via an open wiring closet, a rooftop HVAC unit or a publicly accessible sensor – they can bypass all network defences. Lack of physical security controls is a forgotten risk, turning every unprotected device into a new gateway.

6. Data Exfiltration and Privacy

IoT devices constantly expend energy by streaming sensitive data, including user habits, movements and voice commands, often without proper encryption. Unsecured data transmission and storage mean private life details are being exfiltrated to external cloud services, creating massive privacy risks and a treasure trove for threat actors.

7. Firmware Vulnerabilities

Firmware vulnerabilities are the most common initial access vector. Many low-cost IoT devices have proprietary firmware that is rarely, if ever, updated by the manufacturer. Once a flaw is discovered in the underlying code, millions of devices instantly become vulnerable, generating a packed army of entry points.

8. Insecure APIs

The Gates within the show are the primary, direct connection between the two dimensions. In the IoT world, the application programming interface (API) is the primary link between the device, the cloud and the mobile app. Insecure APIs, often suffering from weak authentication or excessive data exposure, are the most direct path for an attacker to bypass the device and go straight to the sensitive data or control system.

9. Supply Chain Attacks

Supply chain attacks are an increasing risk. Security flaws, backdoors or malicious code inserted by a third-party supplier can compromise security from day one. Slopsquatting, in which attackers publish malicious packages under names that AI coding tools suggest but that do not belong to any legitimate project, is a new evolution in supply chain attacks. This approach bypasses traditional security measures because the malware disguises itself as a legitimate dependency recommended by trusted AI tools.
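One way to gate AI-suggested dependencies before they reach a build, shown as an added example that is not from the original article. The allowlist, the package names (including the hypothetical `acme-sensor-sdk`) and the versions are constructed for illustration.

```python
import difflib
import re

# Constructed allowlist: package name -> version approved after review (hypothetical values).
APPROVED = {"requests": "2.32.3", "paho-mqtt": "2.1.0", "acme-sensor-sdk": "1.4.2"}

# Constructed requirements file, e.g. dependencies proposed by an AI coding tool.
REQUIREMENTS = """\
requests==2.32.3
paho-mqtt>=2.0
acme-sensors-sdk==1.4.2   # one extra letter compared with the approved name
iot-telemetry-helper==0.1.0
"""

LINE = re.compile(r"^([A-Za-z0-9._-]+)\s*(==|>=|<=|~=|>|<)?\s*([^\s;#]+)?")

def normalize(name):
    """Compare names the way package indexes do: lowercase, runs of -_. treated as one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit(requirements, approved):
    """Return (package, finding) pairs for every line that should block the build."""
    findings = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            findings.append((line, "unparseable"))
            continue
        name, op, version = normalize(m.group(1)), m.group(2), m.group(3)
        if name not in approved:
            # A near miss of an approved name is the typical shape of a squatted package.
            near = difflib.get_close_matches(name, approved, n=1, cutoff=0.85)
            findings.append((name, f"lookalike_of:{near[0]}" if near else "not_approved"))
        elif op != "==" or version != approved[name]:
            findings.append((name, "not_pinned_to_approved_version"))
    return findings

if __name__ == "__main__":
    for finding in audit(REQUIREMENTS, APPROVED):
        print(finding)
```

Run as a pre-merge or CI check, this fails closed: any dependency that has not been reviewed, or that drifts from its reviewed version, is reported instead of installed.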

10. Gaps in OT/IoT Security

The increasing convergence of IT and OT creates complex, new challenges for security teams. OT environments (e.g., industrial controls and utilities) have unique constraints. Ensuring systems remain operational is everything, and patching can’t happen on a schedule. Many IT teams struggle to secure the specific protocols and devices in the OT space, leaving a dangerous security gap.

11. Lack of Continuous Monitoring

A lack of continuous monitoring for IoT/OT environments can leave critical security gaps. These devices exhibit unique traffic patterns and behaviours. Relying on traditional IT tools to spot a device communicating with a rogue external server or attempting a configuration change is often too late. You need continuous monitoring tools capable of sensing the subtle anomalies that signal a threat.
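A minimal sketch of the per-device baselining this kind of monitoring relies on, added here as an example and not taken from the original article or any vendor product. The device names, addresses, event types and the management-host set are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not real telemetry): (device, peer IP, port, event type).
BASELINE_FLOWS = [
    ("hvac-01", "10.20.0.5", 502, "flow"),
    ("hvac-01", "203.0.113.10", 443, "flow"),      # vendor cloud seen during learning
    ("cam-07", "10.20.0.9", 554, "flow"),
]
LIVE_EVENTS = [
    ("hvac-01", "203.0.113.10", 443, "flow"),       # known destination
    ("cam-07", "198.51.100.77", 8443, "flow"),      # new external destination
    ("cam-07", "10.20.0.9", 554, "flow"),           # known internal peer
    ("hvac-01", "10.20.0.66", 502, "config_write"), # change issued by an unapproved host
    ("sensor-99", "10.20.0.5", 1883, "flow"),       # device absent from the baseline
]
MGMT_HOSTS = {"10.20.0.5"}                             # assumed approved engineering station
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address space

def build_baseline(records):
    """Map each device to the (peer, port) pairs seen during the learning window."""
    baseline = defaultdict(set)
    for device, peer, port, _event in records:
        baseline[device].add((peer, port))
    return dict(baseline)

def is_external(ip):
    """True when the address lies outside the site's own networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(events, baseline):
    """Return (device, alert, peer) for unknown devices, config changes and new external peers."""
    alerts = []
    for device, peer, port, event in events:
        if device not in baseline:
            alerts.append((device, "unknown_device", peer))
        elif event == "config_write" and peer not in MGMT_HOSTS:
            alerts.append((device, "unapproved_config_change", peer))
        elif event == "flow" and is_external(peer) and (peer, port) not in baseline[device]:
            alerts.append((device, "new_external_destination", peer))
    return alerts

if __name__ == "__main__":
    for alert in detect(LIVE_EVENTS, build_baseline(BASELINE_FLOWS)):
        print(alert)
```

The `unknown_device` alert also covers the unmanaged-asset case from risk 2: a device that never appeared in the learning window is reported the first time it talks.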

Overall, the risks posed by IoT assets are real, complex and evolving, mirroring the ever-increasing threat levels in Stranger Things.

Implementing a security strategy centered on cyber exposure management can move your business from reactive defences to proactive risk reduction. By leveraging advanced AI and machine learning to build contextual awareness, organisations can detect and respond to threats in real time. This comprehensive approach delivers complete visibility and control, empowering enforcement of preemptive measures, such as network segmentation and continuous monitoring, with confidence.

With the right solutions, you can be the digital Eleven that closes the gate for good.


About the Author

Nadir Izrael is CTO and Co-Founder at Armis. Armis, the cyber exposure management & security company, protects the entire attack surface and manages an organization’s cyber risk exposure in real time. In a rapidly evolving, perimeter-less world, Armis ensures that organizations continuously see, protect and manage all critical assets – from the ground to the cloud. Armis secures Fortune 100, 200 and 500 companies as well as national governments, state and local entities to help keep critical infrastructure, economies and society safe and secure 24/7.
