IoT device security is one of the weakest links in corporate networks because most devices are shipped with default credentials, run firmware that never gets patched, and sit on the same flat network as core business systems — so a single compromised smart device (an IP camera, a smart plug, an access-control panel, an industrial sensor) can become the attacker's entry point into finance systems, customer data, or production infrastructure. For Indian businesses, this risk is rising fast: smart offices, CCTV networks, biometric access control, and industrial IoT (IIoT) sensors are being deployed at record pace, often by facilities or operations teams with no security review at all. This article covers why IoT is a corporate blind spot, the most common IoT vulnerability categories, the real-world risk to Indian businesses specifically, and a practical checklist to lock it down.
Why IoT Devices Are a Blind Spot in Corporate Networks
Traditional IT security assumes an asset inventory: someone knows every laptop, server, and application on the network, and each gets patched on a schedule. IoT breaks that assumption completely. A smart office deployment — IP cameras, smart TVs and video conferencing units, badge readers, HVAC controllers, smart plugs, printers, Wi-Fi-enabled UPS units — is usually procured and installed by facilities, admin, or a vendor's technician, not by IT or security. Nobody adds it to the asset register, nobody assigns it a patch owner, and nobody puts it behind a firewall rule that limits what it can talk to.
The result is that these devices frequently sit on the exact same network segment as employee laptops, file servers, and business applications. An attacker who compromises one weak IoT device doesn't need to break into your ERP or CRM directly — they land on the network through the camera or the smart plug, then move laterally to whatever is reachable from there. For manufacturing and logistics companies, the exposure is worse: industrial IoT and OT (operational technology) sensors on the factory floor — monitoring temperature, machine health, or inventory — are increasingly bridged to the corporate IT network for remote dashboards and analytics, collapsing a boundary that used to be a real air gap.
Common IoT Vulnerability Categories
The vast majority of real-world IoT compromises trace back to a small set of recurring weaknesses, not exotic zero-days. Understanding these categories is the fastest way to prioritize what to fix first.
Default and weak credentials. IP cameras, DVR/NVR recorders, routers, and smart building controllers routinely ship with a default username and password (admin/admin, admin/12345) that installers never change. Search engines that index internet-connected devices make finding these trivial for an attacker — they don't even need to scan your network, just search for your device model.
Unpatched or unpatchable firmware. Unlike laptops and servers, IoT devices rarely have automatic update mechanisms, and many vendors stop releasing firmware patches within a couple of years of a product's release. A camera or access-control panel installed five years ago may be running firmware with publicly known vulnerabilities that will never be fixed, because the manufacturer has moved on to a newer model.
No network segmentation. IoT devices are typically plugged into the same VLAN or Wi-Fi network as everything else, with no firewall rules restricting what they can initiate connections to. A camera only needs to talk to its recording server and the internet for firmware updates — it has no legitimate reason to be able to reach the finance server, but on a flat network, it often can.
Insecure APIs and cloud back-ends. Many "smart" devices phone home to a vendor cloud service for remote access and management. Weak API authentication, exposed management ports, or unencrypted communication between the device and that cloud service creates a path for attackers who never touch the physical device at all.
No monitoring or logging. IoT devices rarely appear in SIEM dashboards or log aggregation. A compromised camera or sensor can sit on the network for months, quietly being used as a foothold, without generating an alert anyone would notice.
Physical and supply-chain exposure. Access-control panels and cameras are often physically reachable in lobbies, warehouses, or unmanned facility rooms, making tampering, credential extraction from device flash memory, or outright device swap-out realistic attack paths — particularly for industrial sites with limited physical security staffing.
How an IoT Compromise Reaches Core Business Systems
The diagram below traces a typical path: an attacker finds an internet-facing IP camera still on default credentials, uses it as a foothold on the office network, and because there is no segmentation, moves laterally until they reach systems that actually matter — file servers, finance applications, or customer data.
The Real Risk to Indian Businesses
IoT adoption in Indian offices and factories has moved faster than the security practices around it. Smart CCTV and video-analytics deployments are now standard even for mid-sized offices and retail chains; biometric and card-based access control is near-universal in commercial buildings; and manufacturing, logistics, and pharma companies are rolling out industrial IoT sensors for predictive maintenance and inventory tracking as part of broader digitization pushes. Very few of these deployments go through a formal security review before going live, and vendor installation teams are typically optimizing for "it works," not "it's locked down."
CERT-In has repeatedly flagged unsecured IoT and network devices — including routers, cameras, and DVR/NVR systems — in its vulnerability advisories, reflecting how common these misconfigurations are across Indian networks. For businesses under India's DPDP Act, an IoT-enabled breach that exposes customer or employee personal data carries the same regulatory obligations as a breach through any other system — the data protection law does not distinguish between "the intrusion started through a camera" and "the intrusion started through a web application." A poorly secured access-control system in particular often stores biometric data, which is especially sensitive under DPDP.
What Segmentation and Governance Actually Look Like
The single highest-leverage fix for IoT risk is network segmentation: putting IoT devices — cameras, access control, smart office equipment, IIoT sensors — on their own VLAN or subnet with firewall rules that only allow the specific, necessary traffic (e.g., a camera talking to its recording server and getting internet access for updates, nothing else). This one change means that even a fully compromised device can't be used to reach finance systems, file servers, or employee workstations, because the network itself won't route the traffic.
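To make the segmentation rule concrete, here is an added example (not code from the article or from Bachao.AI) that renders the policy just described as an nftables forward chain: explicit allows for what a camera fleet needs, then log-and-drop for everything else leaving the IoT VLAN, and a matching restriction on who may initiate connections into it. The interface name `vlan40`, the subnets, the recording server, resolver and jump-host addresses are all constructed placeholders for a hypothetical office network.

```python
"""Render a default-deny nftables forward policy for a dedicated IoT VLAN.

Added example, not from the article. Every interface name, subnet and host
address below is a constructed placeholder for a hypothetical office network.
"""
from dataclasses import dataclass

IOT_IFACE = "vlan40"                              # hypothetical IoT VLAN interface on the firewall
IOT_SUBNET = "10.40.0.0/24"                       # hypothetical IoT subnet
CORP_SUBNETS = ["10.10.0.0/16", "10.20.0.0/16"]   # hypothetical corporate ranges
NVR = "10.10.5.20"                                # hypothetical camera recording server
MGMT_HOST = "10.10.9.5"                           # hypothetical admin jump host
RESOLVER = "10.10.0.53"                           # hypothetical internal DNS/NTP server


@dataclass(frozen=True)
class Allow:
    """One permitted flow; dst "internet" means any address outside the internal ranges."""
    src: str
    dst: str
    proto: str
    dport: int
    comment: str


# What the IoT segment may initiate: the recording server, name/time service,
# vendor updates, and nothing else (the article's camera example).
OUTBOUND = [
    Allow(IOT_SUBNET, NVR, "tcp", 443, "cameras push events/clips to NVR"),
    Allow(IOT_SUBNET, RESOLVER, "udp", 53, "DNS"),
    Allow(IOT_SUBNET, RESOLVER, "udp", 123, "NTP"),
    Allow(IOT_SUBNET, "internet", "tcp", 443, "vendor firmware updates"),
]
# Who may open connections into the segment: the NVR pulling streams and the jump host.
INBOUND = [
    Allow(NVR, IOT_SUBNET, "tcp", 554, "NVR pulls RTSP streams from cameras"),
    Allow(MGMT_HOST, IOT_SUBNET, "tcp", 443, "admin jump host -> device web UI"),
]


def render_rule(a: Allow, outbound: bool) -> str:
    """Translate one Allow entry into an nft rule line."""
    iface = f'iifname "{IOT_IFACE}"' if outbound else f'oifname "{IOT_IFACE}"'
    parts = [iface, f"ip saddr {a.src}"]
    if a.dst == "internet":
        # A blanket HTTPS allowance must not become a path to internal web apps,
        # so every internal range is explicitly excluded from "internet".
        internal = ", ".join(CORP_SUBNETS + [IOT_SUBNET])
        parts.append(f"ip daddr != {{ {internal} }}")
    else:
        parts.append(f"ip daddr {a.dst}")
    parts += [f"{a.proto} dport {a.dport}", f'accept comment "{a.comment}"']
    return " ".join(parts)


def render_ruleset() -> str:
    """Build the chain: allows first, then log-and-drop catch-alls in each direction."""
    lines = [
        "table inet iot_segmentation {",
        "  chain forward {",
        "    # Traffic between other segments is governed elsewhere; this chain only",
        "    # decides what the IoT VLAN may initiate and who may initiate into it.",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    lines += ["    " + render_rule(a, outbound=True) for a in OUTBOUND]
    # Anything else leaving the IoT VLAN is logged (so it reaches syslog/SIEM
    # as evidence of a misbehaving device) and dropped.
    lines.append(f'    iifname "{IOT_IFACE}" log prefix "iot-deny-out: " drop')
    lines += ["    " + render_rule(a, outbound=False) for a in INBOUND]
    lines.append(f'    oifname "{IOT_IFACE}" log prefix "iot-deny-in: " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_ruleset())
```

Load the output with `nft -f` on the firewall that routes between the VLANs. The two `log prefix` catch-alls are deliberate: a camera that suddenly tries to reach a file server is dropped, and the drop itself becomes the alert that the monitoring section below depends on.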
| Control | What It Prevents | Typical Owner |
|---|---|---|
| Change default credentials on install | Trivial remote takeover | Facilities / IT at install time |
| Dedicated IoT VLAN with firewall rules | Lateral movement to core systems | Network / IT team |
| Firmware update tracking per device | Exploitation of known, disclosed flaws | IT / vendor contract |
| Disable unused services (Telnet, UPnP, remote admin) | Unnecessary attack surface | IT at configuration time |
| Asset inventory including IoT | "Unknown" devices going unmanaged | IT / security |
| Periodic VAPT covering IoT-adjacent network segments | Undetected exposure over time | Security / external partner |
Practical IoT Device Security Checklist
- Inventory every IoT device on the network — cameras, access control, smart office equipment, industrial sensors, printers, smart TVs. If IT doesn't know it exists, it can't be secured.
- Change every default credential at install time, and use unique, strong passwords per device rather than one shared password across the fleet.
- Segment IoT onto its own VLAN or subnet, with firewall rules restricting traffic to only what the device legitimately needs.
- Disable unused services — Telnet, UPnP, unauthenticated remote admin panels — that many devices enable by default and few businesses ever use.
- Track firmware versions per device and patch on a schedule, and retire devices that are past vendor end-of-life and no longer receive security updates.
- Restrict physical access to network ports, camera wiring closets, and access-control panels, especially at unmanned facility or warehouse locations.
- Log and monitor IoT network traffic for unusual outbound connections, which are often the earliest sign of compromise.
- Include IoT-adjacent network segments in regular VAPT scope rather than scoping penetration tests to web applications alone — the office network the cameras sit on is part of your real attack surface.
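The "no monitoring or logging" category above and the inventory and traffic-monitoring items in this checklist come together in one piece of detection logic. The following is an added example, not code from the article or from any vendor: it takes flow records (the kind a NetFlow or Zeek collector, or the firewall's own deny logs, would produce), compares each IoT device's connections with the allow-list from its inventory entry, and flags lateral movement toward corporate hosts, unexpected external destinations, a device that touches many internal host:port pairs, and any address in the IoT subnet that nobody inventoried. The subnets, device names and flow records are constructed for a hypothetical office network; the scan threshold is an illustrative value.

```python
"""Flag IoT devices whose outbound connections fall outside their allow-list.

Added example, not from the article. The subnets, device inventory and flow
records are constructed for a hypothetical office network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_NET = ip_network("10.40.0.0/24")                                   # hypothetical IoT VLAN
CORP_NETS = [ip_network("10.10.0.0/16"), ip_network("10.20.0.0/16")]  # hypothetical corp ranges
SCAN_THRESHOLD = 4   # distinct internal host:port pairs from one device before calling it a scan

# What each device class legitimately needs: (dst, proto, dport).
# "*" means any NON-internal address (vendor cloud, firmware updates).
CAMERA_NEEDS = {
    ("10.10.5.20", "tcp", 443),   # push events/clips to the recording server
    ("10.10.0.53", "udp", 53),    # DNS
    ("10.10.0.53", "udp", 123),   # NTP
    ("*", "tcp", 443),            # vendor update service
}
READER_NEEDS = {("10.10.5.30", "tcp", 8443), ("10.10.0.53", "udp", 53)}

# Asset inventory: a device IT does not know about cannot be secured, so
# anything in the IoT subnet that is absent here is itself a finding.
INVENTORY = {
    "10.40.0.11": ("lobby-camera-1", CAMERA_NEEDS),
    "10.40.0.12": ("lobby-camera-2", CAMERA_NEEDS),
    "10.40.0.40": ("badge-reader-east", READER_NEEDS),
}

# Constructed flow records as a collector would export them:
# (time, src, dst, proto, dport). The first three are normal traffic.
FLOWS = [
    ("09:00:01", "10.40.0.11", "10.10.5.20", "tcp", 443),
    ("09:00:02", "10.40.0.11", "203.0.113.8", "tcp", 443),
    ("09:01:10", "10.40.0.40", "10.10.5.30", "tcp", 8443),
    ("09:05:00", "10.40.0.12", "10.10.7.15", "tcp", 445),      # camera -> file server, SMB
    ("09:05:01", "10.40.0.12", "10.10.7.15", "tcp", 3389),     # camera -> file server, RDP
    ("09:05:02", "10.40.0.12", "10.10.7.16", "tcp", 445),
    ("09:05:03", "10.40.0.12", "10.10.7.17", "tcp", 445),
    ("09:05:04", "10.40.0.12", "10.10.7.18", "tcp", 445),
    ("09:06:00", "10.40.0.12", "198.51.100.77", "tcp", 6667),  # camera -> unknown external host
    ("09:07:00", "10.40.0.99", "10.10.0.53", "udp", 53),       # device nobody inventoried
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return addr in IOT_NET or any(addr in net for net in CORP_NETS)


def is_expected(needs, dst: str, proto: str, dport: int) -> bool:
    """True if the flow matches the device's allow-list; "*" never covers internal hosts."""
    if (dst, proto, dport) in needs:
        return True
    return ("*", proto, dport) in needs and not is_internal(dst)


def analyse(flows):
    """Return a list of findings (dicts) for flows that break the per-device policy."""
    findings, seen_unknown = [], set()
    internal_targets = defaultdict(set)
    for ts, src, dst, proto, dport in flows:
        if ip_address(src) not in IOT_NET:
            continue                                 # only IoT-originated traffic
        if src not in INVENTORY:
            if src not in seen_unknown:              # report each unknown device once
                seen_unknown.add(src)
                findings.append(dict(ts=ts, src=src, category="unknown_device",
                                     detail=f"{src} is in the IoT subnet but not in the inventory"))
            continue
        name, needs = INVENTORY[src]
        if is_expected(needs, dst, proto, dport):
            continue
        if is_internal(dst):
            internal_targets[src].add((dst, dport))
            findings.append(dict(ts=ts, src=src, category="lateral_movement",
                                 detail=f"{name} -> internal {dst}:{dport}/{proto} not in allow-list"))
        else:
            findings.append(dict(ts=ts, src=src, category="unexpected_external",
                                 detail=f"{name} -> external {dst}:{dport}/{proto} not in allow-list"))
    for src, pairs in internal_targets.items():
        if len(pairs) >= SCAN_THRESHOLD:
            findings.append(dict(ts="-", src=src, category="internal_scan",
                                 detail=f"{INVENTORY[src][0]} touched {len(pairs)} internal host:port pairs"))
    return findings


def count_by_category(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyse(FLOWS):
        print(f"{f['ts']:>8}  {f['category']:<20} {f['detail']}")
```

In practice the inventory comes from the asset register and the flows from the collector or the firewall's deny log; the point of keeping the allow-list per device class is that a camera reaching a file server on SMB is a finding even on a network that has not been segmented yet, which is exactly the early signal the checklist asks for.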
Closing the Gap
Smart offices and industrial IoT deliver real operational value, but they cannot be treated as "someone else's problem" just because facilities or a vendor installed them. The businesses that get burned are almost always the ones where nobody owned the security of these devices at all — not the ones running the latest, most sophisticated attacks. Segmentation, credential hygiene, and periodic testing turn IoT from an unmanaged risk into a monitored, bounded part of the network. NIST's IoT cybersecurity guidance and OWASP's IoT security project both offer practical, vendor-neutral baselines worth reviewing when setting internal standards.
Bachao.AI, built by Dhisattva AI Pvt Ltd, runs automated VAPT scans that map exposed devices, weak network segmentation, and misconfigured services across your externally reachable infrastructure, including the network segments IoT and smart office devices sit on. If you want a current picture of where your network stands, a free VAPT scan is a fast way to start, and businesses handling employee or customer data through access control and IoT platforms should review DPDP compliance obligations in parallel. More practical breakdowns like this one are available on our blog.