Common vulnerabilities found in RED and ETSI EN 303 645 evaluations

May 25, 2023

This article will cover a brief description of the most found vulnerabilities on IoT devices when performing RED and ETSI EN 303 645 assessments.

In today's era, the digital devices have become an integral part of our daily lives and are all around us, from smart homes and appliances to wearable fitness trackers and medical devices. However, this also implies an increased risk of cyber threats. These devices are connected to the internet and often collect sensitive personal information, making them vulnerable to cyber-attacks. That’s why the European Union has activated the Delegated Act of RED Directive as it is explained in our article .
Cybersecurity is crucial to protect against malicious attacks that could compromise user privacy and security. Without adequate security measures, hackers could gain access to personal data, disrupt the functionality of the device, and even take control of it remotely.
Here are the top 3 of the most common vulnerabilities that we have found when conducting an assessment:

1. Unencrypted Bluetooth communication

Bluetooth communication without encryption poses significant cybersecurity risks, particularly in the context of Internet of Things (IoT) devices. Hackers can exploit vulnerabilities in unencrypted Bluetooth connections to gain access to IoT devices and steal sensitive information. Additionally, IoT devices often lack proper security measures and are not updated as frequently as traditional devices, making them even more susceptible to attacks. It's crucial for IoT device manufacturers to prioritize Bluetooth encryption and provide regular security updates to protect users from the risks associated with this technology.

2. Insecure Network Services

The lack of encryption in services using 4G or 5G connections can also present serious security issues. Attackers can set up fake base stations to intercept communications between mobile devices and real base stations, allowing them to access user information and carry out phishing or malware injection attacks. Additionally, attackers can manipulate the signal of the fake base station to make mobile devices connect to it instead of the real base station, giving them even more control over the user's communication. Therefore, it's important for telecommunications service providers and mobile device manufacturers to implement robust security measures to protect users from fake base station attacks and other security risks associated with unencrypted 4G or 5G connections

3. Physical hardening

Leaving enabled physical debugging ports on IoT devices can be very dangerous in terms of cybersecurity. These ports, such as UART or JTAG, are designed to allow software and hardware developers to access the device for debugging and firmware development. However, if these ports are left open after development, they can be exploited by attackers to gain unauthorized access to the device and steal information or take control of the device. Additionally, debugging ports often lack passwords or authentication, making them even more vulnerable to attacks. Therefore, it's essential that IoT device manufacturers disable debugging ports after development and implement robust security measures to protect the devices from the risks associated with these ports.


It’s crucial for all digital device manufacturers to pay close attention to the Cybersecurity of their products. The lack of encryption in Bluetooth communications, the risks of fake base station attacks on unencrypted 4G or 5G connections, and the presence of enabled debugging ports after development are just some examples of vulnerabilities that can put user security at risk.
To avoid these risks, manufacturers must implement robust security measures in all aspects of their product design. It's also important for manufacturers to commit to providing regular security updates for their devices and educate users on how to keep their devices secure. Cybersecurity is not something that can be left for later; it's essential for IoT device manufacturers to take proactive steps to protect their users and maintain trust in their brands. That’s why in DEKRA our specialized labs are working every day to make a more connected and secure world. Contact now one of our Cybersecurity specialists to protect your IoT devices from these common vulnerabilities.