Alessandro Genova
Vulnerability Assessment of Low-Cost IoT Devices: Towards a Virtual Hardware Security Training Environment.
Supervisors: Nicolò Maunero, Samuele Yves Cerini. Politecnico di Torino, Master's degree course in Cybersecurity, 2025
PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:
Consumer-grade Internet of Things (IoT) devices, such as low-end routers, IP cameras and other always-connected appliances, have become an integral part of modern life, providing everyday connectivity and digital services in homes and small businesses. However, their affordability often comes at the expense of security. Manufacturers targeting the consumer market prioritise cost and usability, resulting in devices with critical vulnerabilities that can be exploited to gain unauthorised access and steal sensitive data. Tampered devices containing Trojan horses can also be reintroduced into the market. This widespread fragility highlights systemic weaknesses in the IoT ecosystem and emphasises the need for a practical approach to understanding hardware security. At the same time, opportunities for hands-on hardware security training remain limited. Practical exercises on physical devices are rare and are often confined to expensive, hard-to-reach conferences. Furthermore, access to virtual platforms capable of realistic hardware simulation is restricted. Unlike software-focused Capture the Flag (CTF) exercises, which can be set up quickly with minimal resources, hardware-oriented education faces higher development barriers. It is difficult to provide learners with realistic device responses and interactions, not to mention reliable teaching materials that accurately reflect actual device behaviour. These limitations create a gap between the vulnerabilities present in everyday devices and the ability of professionals to study and mitigate them in a reproducible learning environment. To address the issue, the study evaluates real consumer IoT devices to identify vulnerabilities in their hardware, firmware, companion mobile apps, and network protocols. The aim is to transform the findings into educational resources by collecting as much information as possible about the devices' behaviour. 
Such resources are intended to provide a basis for virtual training environments in which learners can perform exercises based on these artefacts to explore the hardware security domain, examine exploitation techniques, analyse vulnerabilities and discover defensive techniques, all without the need for physical hardware. This will lower barriers and make hands-on hardware security training more accessible. The evaluation revealed several vulnerabilities, such as weak or entirely missing authentication in serial consoles, which could allow full system control upon hardware connection. Similarly, firmware was found to be at risk due to unprotected flash memories and bootloaders lacking secure boot, which could enable tampering and supply-chain attacks. Companion app communications were sometimes unencrypted (exposing certain sensitive data such as video streams in RTP) or lacked certificate validation, leaving them susceptible to man-in-the-middle attacks.

| Supervisors: | Nicolò Maunero, Samuele Yves Cerini |
|---|---|
| Academic year: | 2025/26 |
| Publication type: | Electronic |
| Number of pages: | 123 |
| Subjects: | |
| Degree course: | Master's degree course in Cybersecurity |
| Degree class: | New system > Master's degree > LM-32 - COMPUTER ENGINEERING |
| Collaborating companies: | CONSORZIO INTERUNIVERSITARIO NAZIONALE PER L INFORMATICA C.I |
| URI: | http://webthesis.biblio.polito.it/id/eprint/38688 |



Creative Commons License - Attribution 3.0 Italy