Application Layer
Insecure APIs
💥 Problem: APIs in IoT apps often expose device functionality or data but may lack proper authentication, rate limiting, or encryption.
🧪 Real-World Use Case: In 2017, hackers exploited Teddy Bear smart toys (CloudPets) via insecure APIs, exposing voice recordings of children because the API lacked auth and proper access control.
🛡️ Mitigation:
- Enforce authentication (OAuth2, mutual TLS)
- Implement rate limiting and throttling
- Validate user authorization per endpoint
- Avoid exposing internal APIs to public networks
Poor Session Management
💥 Problem: Sessions may never expire, be predictable, or lack protection (e.g., no secure flags or TLS), making them prone to hijacking.
🧪 Real-World Use Case: An IoT thermostat mobile app reused the same session token across devices. Attackers could replay the token and control home devices remotely.
🛡️ Mitigation:
- Use short-lived session tokens with refresh tokens
- Store tokens securely (e.g., not in localStorage)
- Invalidate tokens on logout or when re-authenticating
- Use secure, HTTP-only cookies with CSRF protection
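The two sections above (per-endpoint authorization for device APIs, and short-lived tokens with refresh and invalidation on logout) share one worked example below. It is an added illustration, not code from the original article: an in-memory session store that issues unpredictable access/refresh tokens, expires them, rotates refresh tokens on use, revokes everything on logout, and a device endpoint that first authenticates the caller and then checks that the caller owns the requested device. The names (SessionStore, get_device, DEVICES), the TTLs and the sample device table are assumptions chosen for illustration.

```python
# Added example (not from the original article): session store with
# short-lived access tokens, single-use refresh tokens and revocation, plus a
# device endpoint that authenticates and then authorizes per device.
# SessionStore, get_device, DEVICES and the TTL values are assumptions.
import hashlib
import secrets
import time

ACCESS_TTL = 15 * 60          # access tokens live 15 minutes
REFRESH_TTL = 7 * 24 * 3600   # refresh tokens live 7 days

# Constructed sample data: which user owns which device.
DEVICES = {
    "thermo-1": {"owner": "alice", "temp_c": 21.5},
    "thermo-2": {"owner": "bob", "temp_c": 19.0},
}


def _fingerprint(token: str) -> str:
    # Keep only a hash server-side so a leaked store does not leak usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock makes expiry testable
        self._access = {}        # sha256(token) -> (user, expires_at)
        self._refresh = {}       # sha256(token) -> (user, expires_at)

    def issue(self, user: str) -> tuple:
        """Create a fresh access/refresh pair for an already authenticated user."""
        now = self._clock()
        access = secrets.token_urlsafe(32)    # CSPRNG, 256 bits: not guessable
        refresh = secrets.token_urlsafe(32)
        self._access[_fingerprint(access)] = (user, now + ACCESS_TTL)
        self._refresh[_fingerprint(refresh)] = (user, now + REFRESH_TTL)
        return access, refresh

    def user_for(self, access_token: str):
        """Return the user bound to a live access token, or None."""
        key = _fingerprint(access_token)
        entry = self._access.get(key)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() >= expires_at:
            self._access.pop(key, None)       # expired: drop it
            return None
        return user

    def refresh(self, refresh_token: str):
        """Rotate: a refresh token is consumed on use and a new pair is issued."""
        entry = self._refresh.pop(_fingerprint(refresh_token), None)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return self.issue(user)

    def revoke_all(self, user: str) -> None:
        """Logout: invalidate every access and refresh token held by the user."""
        for store in (self._access, self._refresh):
            for key in [k for k, (u, _) in store.items() if u == user]:
                del store[key]


def get_device(store: SessionStore, access_token: str, device_id: str) -> tuple:
    """Per-endpoint check: authenticate, then authorize ownership of the device."""
    user = store.user_for(access_token)
    if user is None:
        return 401, {"error": "authentication required"}
    device = DEVICES.get(device_id)
    # Same response for "missing" and "not yours", so the API does not tell
    # one user which device ids belong to others.
    if device is None or device["owner"] != user:
        return 404, {"error": "not found"}
    return 200, {"id": device_id, "temp_c": device["temp_c"]}
```

The ownership check in get_device is the part most IoT APIs get wrong: a valid token proves who the caller is, not that the caller may act on an arbitrary device id. Hashing tokens before storing them and consuming refresh tokens on use limit what an attacker gains from a leaked store or a replayed token.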
Weak Input Validation (XSS, Injection)
💥 Problem: IoT devices or dashboards often allow user-defined configurations or display dynamic content — which becomes a vector for injection attacks if not sanitized.
🧪 Real-World Use Case: An attacker injected a script via an IoT smart fridge’s web UI that auto-ran on the admin dashboard, exploiting stored XSS to steal session cookies.
🛡️ Mitigation:
- Sanitize all inputs on both client and server
- Use parameterized queries for DB operations
- Escape output in HTML/JS contexts
- Validate inputs against a strict schema (e.g., using Cerberus, pydantic)
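The mitigation list above covers three separate layers: a strict input schema, parameterized database statements, and escaping at output time. The example below is added here and is not code from the original article; it uses only the Python standard library (re, sqlite3, html) rather than Cerberus or pydantic, and the table layout, the function names and the rename request are assumptions chosen for illustration.

```python
# Added example (not from the original article): strict allow-list validation
# of a device-rename request, a parameterized sqlite3 update, and HTML escaping
# when the stored name is rendered on a dashboard. Table, schema and function
# names are assumptions; sample values are constructed.
import html
import re
import sqlite3

# Allow-list of what a device name may contain; anything else is rejected.
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,32}$")


def validate_rename(payload: dict) -> dict:
    """Reject anything outside the schema instead of trying to clean it up."""
    if set(payload) != {"device_id", "name"}:
        raise ValueError("unexpected or missing fields")
    if not isinstance(payload["device_id"], int) or payload["device_id"] <= 0:
        raise ValueError("device_id must be a positive integer")
    if not isinstance(payload["name"], str) or not NAME_RE.fullmatch(payload["name"]):
        raise ValueError("name must be 1-32 letters, digits, spaces, _ or -")
    return payload


def open_db() -> sqlite3.Connection:
    """Constructed in-memory table with one seeded device."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO devices VALUES (1, 'kitchen fridge')")
    return conn


def rename_device(conn: sqlite3.Connection, device_id: int, name: str) -> int:
    """Bound parameters: the driver passes values separately, so a quote in the
    name is data and cannot change the statement."""
    cur = conn.execute("UPDATE devices SET name = ? WHERE id = ?", (name, device_id))
    conn.commit()
    return cur.rowcount


def device_name(conn: sqlite3.Connection, device_id: int) -> str:
    row = conn.execute("SELECT name FROM devices WHERE id = ?", (device_id,)).fetchone()
    return row[0] if row else ""


def render_row(name: str) -> str:
    """Escape for the HTML context at output time; the raw value stays in the DB."""
    return f"<td>{html.escape(name, quote=True)}</td>"


def handle_rename(conn: sqlite3.Connection, payload: dict) -> tuple:
    """Endpoint flow: validate, update with bound parameters, escape for display."""
    try:
        req = validate_rename(payload)
    except ValueError as exc:
        return 400, str(exc)
    rename_device(conn, req["device_id"], req["name"])
    return 200, render_row(device_name(conn, req["device_id"]))
```

Note that render_row escapes regardless of whether the value passed validation: output escaping is kept independent of input validation so that a value which entered the database by another path (firmware sync, bulk import, an older unchecked endpoint) is still rendered safely on the dashboard.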
No Rate Limiting or Abuse Detection
💥 Problem: APIs or device endpoints without rate limits can be brute-forced (e.g., password guessing, replay attacks), or abused in DDoS campaigns.
🧪 Real-World Use Case: The Mirai botnet used insecure, rate-unrestricted login endpoints on IoT devices to build a massive army of bots for DDoS attacks.
🛡️ Mitigation:
- Apply rate limiting per IP and user
- Implement CAPTCHA or challenge-responses
- Track abnormal patterns via API analytics
- Use device fingerprinting or reputation services
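As an added example for the rate-limiting and abuse-detection points above (not code from the original article), the block below implements a sliding-window limit keyed on the (client IP, account) pair in front of a login check, together with a simple abuse signal: an account is locked for a period after several consecutive failed logins, independent of which address the attempts came from. Thresholds, names (LoginGuard, login, CREDENTIALS) and the sample account are assumptions chosen for illustration.

```python
# Added example (not from the original article): sliding-window rate limiting
# per (ip, account) plus a consecutive-failure lock per account. LoginGuard,
# login, the thresholds and the sample credentials are assumptions.
import hmac
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_REQUESTS = 5          # login attempts per (ip, account) per window
MAX_FAILED_LOGINS = 3     # consecutive failures before the account is locked
LOCK_SECONDS = 300

# Constructed sample account. Plaintext is a stand-in for illustration only;
# a real service verifies a salted password hash here.
CREDENTIALS = {"admin": "correct horse battery staple"}


class LoginGuard:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._hits = defaultdict(deque)     # (ip, user) -> attempt timestamps
        self._failures = defaultdict(int)   # user -> consecutive failures
        self._locked_until = {}             # user -> time the lock expires

    def _window(self, key, now):
        """Drop timestamps that have aged out of the sliding window."""
        q = self._hits[key]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, ip: str, user: str) -> tuple:
        """Decide before the password is even looked at; returns (allowed, reason)."""
        now = self._clock()
        if self._locked_until.get(user, 0) > now:
            return False, "locked"
        q = self._window((ip, user), now)
        if len(q) >= MAX_REQUESTS:
            return False, "rate_limited"
        q.append(now)
        return True, "ok"

    def record(self, user: str, success: bool) -> None:
        """Feed the outcome back so a streak of failures locks the account."""
        if success:
            self._failures[user] = 0
            return
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILED_LOGINS:
            self._locked_until[user] = self._clock() + LOCK_SECONDS
            self._failures[user] = 0


def login(guard: LoginGuard, ip: str, user: str, password: str) -> str:
    """Returns one of: success, bad_credentials, rate_limited, locked."""
    allowed, reason = guard.check(ip, user)
    if not allowed:
        return reason
    # Constant-time comparison so response timing does not leak how much of
    # the secret matched (both strings are ASCII here).
    ok = hmac.compare_digest(CREDENTIALS.get(user, ""), password)
    guard.record(user, ok)
    return "success" if ok else "bad_credentials"
```

Keying the window on the address and the account together is what blocks a single client hammering one login, while the per-account lock catches a distributed guessing campaign that spreads attempts across many addresses so that no single (ip, account) key trips the limit. The lock and window counters are the "abnormal pattern" signals a service would also export to its API analytics.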