Embedded vs. Bolt‑On Security in the Internet of Things: Risks and Mitigation Strategies

On the Internet, the security industry protects us by promoting and implementing security practices such as mutual authentication, encryption, secure protocols, and trust. In contrast, most Internet of Things (IoT) deployments lack comparable built‑in security architectures, a gap only formally defined by Symantec in 2014 when it distinguished between built‑in and bolt‑on security components.

With built‑in components, security is an integral part of the device; bolt‑on components add security functions after deployment. Because IoT devices interact with the physical world through human‑machine interfaces, attacks on Internet‑connected IoT devices are less stable, have lower security, are easier to execute, and can be more dangerous.

In buildings we trust smart sensors to manage critical daily tasks such as lighting, detecting air and water quality threats, and controlling heating and ventilation. From a bolt‑on perspective, adding an Internet‑capable network stack appears harmless and useful for greater connectivity.

Unfortunately, these sensors and controllers are not designed for the threats that arise when a building’s control system is connected to the Internet. Without a foundational security architecture, operating these devices online expands the attack surface and diversifies potential vulnerabilities.

Traditional Internet security remains important for IoT but is insufficient on its own. Proper authentication, authorization, billing, encryption, intrusion detection, software signing, and trust models facilitate interaction between online devices, yet extending these mechanisms to smart ovens, smart locks, connected shoes, and wearables must be done carefully because flaws can pose imminent physical threats to users.

For example, in 2017 researchers used low‑resolution networked cameras in a shopping mall to capture swipe‑pattern data for unlocking Android phones, discovering patterns that could unlock phones in more than half of test cases.

Crucially, the attack did not target high‑end smart cameras; it succeeded by aggregating enough data from many common consumer cameras. If an attacker gains access to a phone protected only by a swipe pattern, they can retrieve personal data, including IoT information from home automation, vehicle protection, and health monitoring systems.

In IoT, attacks are not merely metaphorical—they are real attacks in the physical world. They can be launched without the attacker being online, for instance by physically entering a building, triggering a maliciously placed IoT motion detector, and sniffing the wireless network to capture encrypted communications generated by the motion event.

The attacker can store this data on a mobile device, collect enough samples to build a repository of encrypted communications, and then derive cryptographic keys smaller than the original virtually infinite key space, analogous to Alan Turing’s exploitation of predictable patterns during World War II.

Inferring that a particular packet originated from a motion event at a specific time reduces well‑encrypted data structures to more readable code. Access to packet headers and structures also enables malicious attacks on other building systems such as power and heating, all because a person downloaded an app and placed it near the motion sensor for a few minutes.

A recent incident at an Austrian hotel highlighted another IoT‑enabled hack: attackers locked hotel doors for ransom by exploiting a commercial system that overly trusted network keys and lacked physical buttons or bypass methods, gaining costly access to vulnerable systems.

In this case, the fix is straightforward: disable programmable electronic lock functions and rely on default mechanical fail‑safe mechanisms. This low‑cost, low‑effort preventive measure requires engineers to adopt a security‑first mindset and move beyond legacy thinking such as “how do we make things safe when they are connected?”

IBM recently demonstrated the importance of physical factors by conducting an ethical hack of a smart office building. Using traditional hacking techniques, the company could not obtain full access to the building’s control and automation systems, but by driving by the building and connecting to its local network, they succeeded—showing that physical presence can be a decisive factor.

Rather than suppressing expansion, an embedded IoT security model shows that physical security provides the foundation for higher‑level network protection. With this foundation, more secure and broader interaction with Internet‑connected devices becomes possible.