Why 2026 Will Be a Big Year for IoT Security!
I love IoT hacking. I've been doing it since before I knew there were career paths for it, or even that it was anything more than tinkering. For me it started with curiosity about how devices worked: taking apart things like routers and seeing if I could make them do something other than what they were designed for. When I was in university, the first embedded Linux microcomputers like the Raspberry Pi and BeagleBoard were just coming out, but they were pretty expensive. Instead, you could buy a cheap router and, with some "hacking", modify the firmware, compile your own custom binaries and have your own cheap embedded Linux device.
Over the years I've watched, and even been part of, the proliferation of IoT devices, to the point where now it feels like you can get a "smart" anything, from pet feeders to toilets. Up until now it's been commonly accepted that IoT security is generally lacking, and the majority of device manufacturers have gotten away with shipping devices with poor security.
I strongly believe 2026 is going to be the year this starts to change, and for those of us who love IoT hacking and want to make a career out of it, or are even just looking for a niche to help land a job, this is great news! In this blog I'm going to go over a few reasons I think there will be a marked demand for IoT security experts and practitioners in the coming years.
EU to the Rescue...
for IoT security standards at least
In late 2024 the EU's Cyber Resilience Act (CRA) entered into force. If you're not familiar with the CRA, it's a regulation that sets out mandatory security requirements for virtually all products with digital elements (hardware and/or software) that can be connected, directly or indirectly, to another device or to a network, and that are placed on the EU market. This of course includes IoT devices.
The aim of the regulation is to ensure that digital products placed on the EU market are:
- Secure by design
- Resilient throughout their life-cycle
- Promptly updated when vulnerabilities are discovered
Three things that are generally not associated with IoT devices. Security is commonly an afterthought during the design process, devices frequently lack a mechanism for reliable updates that would let them stay resilient, and for many devices security updates are slow to roll out, if they happen at all.
Even though the regulation entered into force in late 2024, it applies in stages to give manufacturers time to prepare and get up to standard. Here's a quick outline of the timeline:
- December 2024: The CRA enters into force.
- June 2026: Rules for EU member states regarding the notification and appointment of conformity assessment bodies take effect.
- September 2026: Manufacturers must begin reporting actively exploited vulnerabilities and severe security incidents.
- December 2027: Full application of the CRA's cybersecurity requirements. All core obligations, like those outlined above, become mandatory, including conformity assessment and the CE marking that shows a product has passed it. Non-compliant products can no longer be placed on the EU market after this date.
Fines for non-compliance can reach up to €15 million or 2.5% of worldwide annual turnover, whichever is higher!
To get their devices compliant, manufacturers are going to need IoT pentests and security consulting, and they are obliged to have proper vulnerability reporting channels in place, so I expect demand for all of these to be high.
Even though this regulation only applies to products sold in the EU, I suspect there will be something similar to the California effect, where many device manufacturers find it easier to make all their devices conform to the strictest set of regulations than to maintain separate versions per market.
AI Loves (Needs) Data!
This part scares me a bit...
AI seems to be all you hear about these days (whether you like it or not) and we are fully into the AI gold rush where it's being pushed into seemingly every product or device possible.
Right now this is most visible in the proliferation of chat-based LLMs like ChatGPT that excel at producing text, whether that be code, answers to questions, or blog posts (I swear I'm not a robot and this is me sitting here typing this 😄).
However, there are many applications of AI and neural networks that go beyond producing text to actually interacting with and affecting our physical world. For these to work they need data, both for initial training and then as input for them to process. IoT devices are already increasingly used as edge devices that collect real-world data for AI systems. This ranges from cameras, motion sensors and temperature sensors to eye tracking, facial recognition, microphones, traffic sensors and much more.
In addition to collecting data, for AI to interact with the physical world it also needs edge devices that can do something. This could be a simple task like flipping a relay or starting a motor, or something more complex like controlling a drone.
I can already hear the collective groan of most readers when they think about the reach of AI, letting it collect data on our lives and giving it control over physical things. I hear you, and I'm not super excited about it either, but the reality is that it's already here and there will only be more of it going forward.
As these edge devices gain the ability to affect not just data but the physical world around us, their security becomes even more important. There are already examples of researchers tricking edge devices such as facial recognition cameras and smart cars. Not only are there going to be far more devices to secure, the security of those devices is going to matter more and be harder to ignore!
Companies are Taking Notice
(It's not just my opinion)
Over the last year I've noticed an uptick in the number of companies that are adding or expanding IoT security products or services, and even startups ramping up whose sole mission is IoT security. Some notable examples include Phosphorus, NetRise, BugProve and Praetorian.
These companies have either done a market assessment similar to mine or are already seeing an uptick in requests for these services, and they are expanding their service offerings to match the market.
Once the big CRA milestones are closer, or behind us, I think even more companies will offer or ramp up these services, and most will be looking to hire in order to build them out.
There's never been a better time to learn IoT hacking! If you want to get started, I've got both a course and a certification in the TCM Security Academy; you can check them both out below!
Here's what students are saying about the course and certifications:
“Took your course, loved it. It was the right thing for beginners and so affordable. Ordered a webcam from Amazon after it and 3 CVEs are now on their way to me.”
“I have never been so excited nor invested in a topic.”
“Well-designed scenario that mimics the real world.”
