IoT security: old devices risk
- Buffalo released JC‑STAR, a visualization tool for assessing legacy Wi‑Fi and IoT devices.
- The rollout noted surveys showing over 20% of enterprises still use devices older than ten years.
- The data highlights potential attack surface risks for smart-grid and industrial IoT deployments needing lifecycle management. (x.com)


A new Japanese security label is turning an old problem into a visible one: companies still run internet-connected devices that may be too old to patch safely. (meti.go.jp)

Japan’s JC-STAR program began accepting STAR-1 applications on March 25, 2025, and it is designed to rate and display the security posture of Internet of Things products with a common label. The scheme covers network-connected hardware broadly, including wireless routers, access points, smart switches and network-attached storage. (ipa.go.jp)

Buffalo says the label is meant to give buyers a common yardstick, with a star-based mark and a two-dimensional barcode that links to product details, security information and contact data. Buffalo’s explainer says the program started operating in March 2025 under Japan’s Ministry of Economy, Trade and Industry and is run by the Information-technology Promotion Agency. (buffalo.jp)

Internet of Things devices are ordinary equipment with network connections, from cameras and access points to factory sensors and storage boxes. The security problem is basic: once a vendor stops shipping updates, the device can stay online for years while known flaws pile up. (cisa.gov)

JC-STAR’s first tier, STAR-1, is a baseline level for common threats across all Internet of Things products. Higher tiers, STAR-2 through STAR-4, are intended for product-specific requirements, with the upper levels aimed at more demanding uses such as government and critical systems. (ipa.go.jp)

Buffalo’s materials tie the label to concrete controls: unique or changed default passwords, limits on repeated login attempts, encrypted stored settings, automatic firmware updates for important fixes, and support-period security updates. Those are the kinds of checks that matter most when buyers are comparing older wireless and edge devices that still look functional. (buffalo.jp)

The same lifecycle issue is now showing up in government policy outside Japan. In February 2026, the U.S. Cybersecurity and Infrastructure Security Agency ordered federal civilian agencies to inventory edge devices, update supported systems and remove end-of-support devices from networks, saying unsupported devices “pose a serious risk to federal systems.” (cisa.gov)

That warning lands especially hard in industrial networks. CISA says industrial control system operators add risk when they connect operational technology to business networks and Internet of Things devices, because the connection expands the attack surface and can increase exposure to commodity malware and ransomware. (cisa.gov)

Older operational technology is common in factories and utilities because replacement cycles are long and downtime is expensive. CISA’s control-system guidance says many traditional industrial assets were built decades ago for availability and safety, not for modern patching and authentication demands. (cisa.gov)

JC-STAR does not remove those old devices from networks by itself. It gives procurement teams a visible label, a checklist and a support signal at the point when they decide whether to keep a device, segment it, or replace it before it becomes the weakest link. (ipa.go.jp)