Why 98% of IoT Traffic Remains Unencrypted — A Call for Immediate Action

According to Palo Alto Networks’ 2020 Unit 42 Threat Report, a staggering 98 % of IoT traffic travels without encryption. Mike Nelson, VP of IoT Security at DigiCert, said he was stunned by the figure.

A Z‑Scaler report from last year echoed this trend, noting that 91 % of IoT traffic was unencrypted.

Unencrypted traffic means attackers can perform Man‑in‑The‑Middle (MiTM) attacks, intercepting or altering data between devices and networks.

Manufacturers often rush devices to market, overlooking fundamental security in design. Enterprises then deploy these vulnerable devices into otherwise secure networks. Attackers can discover exposed endpoints via tools like Shodan, gaining a foothold.

IoT is expanding rapidly. McKinsey projects 43 billion connected devices by 2023. If the current 98 % unencrypted trend persists, cybercriminals will have a massive buffet of data to exploit.

People often picture whimsical hacks—dolls or doorbells—but the real danger lies in large enterprise deployments. A single exposed device can become a gateway into sensitive networks.

In 2017, a Las Vegas casino fell victim to a fish‑tank‑based breach. An IoT sensor linked to the tank sent data to a remote server in Finland. Investigations revealed that hackers had used the tank to exfiltrate 10 GB of the casino’s high‑roller database.

The incident highlighted three critical issues: (1) data stored by the casino was unencrypted, allowing attackers to capture it easily; (2) inadequate access controls let attackers move from the IoT device to highly sensitive data; (3) the fish‑tank sensor was integrated into the casino’s broader network, providing a direct path to critical information.

Such breaches can range from financial losses and customer data exposure to attacks on critical infrastructure, potentially causing power grid outages, internet blackouts, and nationwide health system shutdowns.

Achieving 100% Encryption

All confidential data—whether at rest or in transit—must be encrypted. Even a single unencrypted data stream is a vulnerability that attackers can exploit.

Encrypting mobile, constantly moving data across hubs, gateways, and the cloud is complex, but essential for protecting enterprise IoT networks that rely on numerous endpoints exchanging data.

Public Key Infrastructure (PKI) with digital certificates offers a scalable solution, enabling mutual authentication and end‑to‑end encryption across large IoT deployments. Leading enterprises are adopting PKI to secure their networks.

While progress is underway, the industry must accelerate. Manufacturers need to embed encryption, authentication, and integrity into their products from the outset. Incremental fixes are insufficient.

Enterprise‑scale encryption is the future of IoT security. As leading manufacturers implement PKI, the rest of the industry should follow—and do so promptly.

The author is Mike Nelson, VP of IoT Security at DigiCert.

About the author

Mike Nelson is the VP of IoT Security at DigiCert, a provider in digital security. In this role, Mike oversees the company’s strategic market development for the various critical infrastructure industries securing highly sensitive networks and Internet of Things (IoT) devices, including healthcare, transportation, industrial operations, and smart grid and smart city implementations.

Mike frequently consults with organisations, contributes to media reports, participates in industry standards bodies, and speaks at industry conferences about how technology can be used to improve cyber security for critical systems and the people who rely upon them.

Mike has spent his career in healthcare IT including time at the US Department of Health and Human Services, GE Healthcare, and Leavitt Partners – a boutique healthcare consulting firm. Mike’s passion for the industry stems from his personal experience as a type 1 diabetic and his use of connected technology in his treatment.