Imagine waking up in the morning and your coffee maker has already prepared your favorite brew because it knows what time you usually get up. Or your fridge notifies you when you're running low on milk and automatically places an order with the grocery store. This isn’t the future—it’s the present, thanks to the Internet of Things (IoT).
But more specifically, what is the Internet of Things?
The Internet of Things (IoT) is a revolutionary concept that connects everyday objects to the internet, allowing them to collect, send, and receive data, and even perform automated tasks. You might already carry some of these devices with you—like smartwatches that track your heart rate—or work with them in industrial systems optimizing factory production. IoT is transforming the very foundations of the modern world.
As mentioned, IoT involves the interconnection of devices through sensors, software, and wireless networks, and it operates based on four main stages: data acquisition, sharing, processing, and decision-making.
This enables devices to function in continuous feedback loops with minimal human intervention and, often, with support from artificial intelligence (AI)—especially with the huge advancements in Large Language Models (LLMs)—and machine learning (ML), which is a subset of AI techniques used to analyze data in real time.
A clear example is in the agri-food industry, which has already experienced revolutions with the introduction of machinery to speed up planting, harvesting, and processing. Now, thanks to sensors placed on each crop or animal, it's possible to monitor a variety of parameters to optimize virtually anything you can think of—whether it’s water use, fertilizer or nitrate levels, or fruit growth to harvest it at just the right time.
When it comes to livestock, there are many sensors (some invasive, others not) that measure things like fat percentage or perform routine tests with immediate results. And of course, all this data can be aggregated to evaluate overall performance—economically or ecologically—depending on the desired level of analysis.
Risks
As with any innovation, quality assurance faces challenges in ensuring that the entire system behaves as expected and complies with relevant standards and regulations. Several key areas pose potential risks, including:
- Interoperability
The diversity of IoT devices and the lack of universal standards make communication between devices from different manufacturers difficult. Ensuring that all components interact seamlessly is critical for system success. You've likely experienced a case where a specific device only works well with others from the same brand, despite claiming compatibility with others. These closed ecosystems often lead to errors unless you stick to one specific brand.
There are various semi-standardized tests that can help evaluate interoperability. If we know the devices under test follow something like OpenIoT, we already have a basis to build use cases. Since they typically rely on API interfaces, contract and integration testing between system components is one clear approach.
While many manufacturers aim for compatibility, unfortunately many early IoT devices lack technical manuals, and some are discontinued and unsupported. In such cases, we might have to dig through forums to find others with similar issues, or go the more fragile and unstable route of reverse engineering the devices to understand their behavior firsthand. This approach carries inherent risks and makes it harder to anticipate edge cases, so these limitations must be documented in test plans and reports.
- Data Management
IoT generates massive volumes of data that must be efficiently processed, stored, and analyzed. As you might guess, from a quality standpoint this can be a significant headache, as QA must validate the system’s ability to handle this load without compromising performance or data integrity. Due to the aforementioned variability between vendors, many companies only start paying attention to data volume once systems are already in production, patching bottlenecks along the way.
Another interesting angle—though we'll cover it more under security—is whether data is stored on the device itself (unlikely due to limited resources) or transmitted to a proprietary server. Test cases might include checking whether the device uses SQLite (a lightweight database), whether data is encrypted, and whether encryption persists when transmitting data online. Additional data-specific scenarios: What happens when data is deleted, updated, or inserted? Can the system handle non-Latin characters like Japanese, Korean, or Chinese?
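The storage checks listed above can be scripted. The following is an added example, not code from the original article: it assumes the tester has already pulled a storage file from the device, and the table name, labels and entropy threshold are hypothetical choices made for illustration.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # header of every unencrypted SQLite file

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 suggest encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_storage(blob: bytes) -> str:
    """Classify a storage image pulled from a device under test."""
    if blob.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    if shannon_entropy(blob[:4096]) > 7.5:  # assumed threshold
        return "high-entropy"  # consistent with encryption, not proof of it
    return "other-plaintext"

def crud_roundtrip(path: str) -> list:
    """Insert, update and delete rows with non-Latin labels; return survivors."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE readings (id INTEGER PRIMARY KEY, label TEXT, value REAL)")
    con.executemany("INSERT INTO readings (label, value) VALUES (?, ?)",
                    [("温度センサー", 21.5), ("습도", 40.0), ("土壤湿度", 0.31)])
    con.execute("UPDATE readings SET value = ? WHERE label = ?", (22.0, "温度センサー"))
    con.execute("DELETE FROM readings WHERE label = ?", ("습도",))
    con.commit()
    rows = con.execute("SELECT label, value FROM readings ORDER BY id").fetchall()
    con.close()
    return rows

def run_demo():
    """Build a constructed sample database, then classify it and random bytes."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        rows = crud_roundtrip(path)
        with open(path, "rb") as fh:
            plain = classify_storage(fh.read())
    finally:
        os.remove(path)
    return rows, plain, classify_storage(os.urandom(4096))
```

A "plaintext-sqlite" result on a file taken from a production device is a finding for the test report: anyone with access to the flash storage can read the data without a key.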
- Scalability
A growing challenge is that as more devices connect, networks must scale with the increased traffic without degrading performance. While this might be an open question today, it’s essential to consider given the anticipated growth in IoT. This is a shared responsibility between internet providers and users. On our end, we need to run scalability scenarios to ensure optimal performance—especially since some IoT test systems may not be internet-accessible and might require VPNs or similar setups.
Scalability is a common headache in QA: you might run tests with 20 or 100 devices, but in large-scale projects, thousands or even hundreds of thousands of devices could be interconnected. Such scale is difficult to replicate in testing environments due to budget, time, or knowledge constraints. We may need to rely on documentation or contact manufacturers for information. If we’re testing a farm of 10,000 plants with 2–3 sensors each, test strategies would differ greatly compared to just 100 devices. These tests fall under integration and E2E testing.
- Latency and Edge Computing
In today’s cloud-dominated world, having localized computing power near the user improves the experience. This is another important factor in test planning: it’s very different for a European device to connect to a server in the U.S. versus one located nearby.
- Security
Security is one of the biggest challenges due to the inherent vulnerability of connected devices. Risks include unauthorized access, privacy breaches, and cyberattacks—such as turning devices into zombies in a botnet. If you had to prioritize only one area from all the above, this is the one. A significant portion of testing should focus on identifying vulnerabilities and ensuring strong authentication, encryption, and intrusion protection.
What types of tests can we perform here? As mentioned earlier, we could assess how data is stored on the device and whether and how it's transmitted to the internet, and scan ports for accessibility (as these could be potential attack vectors). Tools like Nmap or Burp Suite are suitable for these tests, since IoT devices often run on embedded systems. We can also conduct physical vulnerability analysis (think Spectre or Meltdown CPU issues from a few years back).
And let’s not forget classic tests like authentication and authorization on the devices, checking whether software is vulnerable due to lack of updates, and regularly reviewing the OWASP Top Ten, which is a treasure trove of insights on emerging attack vectors.
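One way to turn the port-accessibility check into a repeatable test is to compare scan results against the ports each device is documented to expose. This is an added example, not part of the original article: the scan text is a constructed sample in Nmap's greppable (`-oG`) format, and the hosts and allowlist are hypothetical.

```python
import re

# Constructed sample of Nmap greppable output (-oG) for two lab devices.
SAMPLE_SCAN = (
    "Host: 192.0.2.10 (sensor-a)\tPorts: 8883/open/tcp//secure-mqtt///, "
    "23/open/tcp//telnet///, 80/closed/tcp//http///\n"
    "Host: 192.0.2.11 (gateway)\tPorts: 443/open/tcp//https///, "
    "5683/open/udp//coap///\n"
)

# Hypothetical allowlist built from each device's documented interfaces.
ALLOWED = {
    "192.0.2.10": {(8883, "tcp")},
    "192.0.2.11": {(443, "tcp"), (5683, "udp")},
}


def parse_greppable(text):
    """Return {host: {(port, protocol), ...}} for ports reported as open."""
    hosts = {}
    for line in text.splitlines():
        match = re.match(r"Host: (\S+) .*?\tPorts: ([^\t]*)", line)
        if not match:
            continue  # status lines and comments carry no port list
        open_ports = set()
        for entry in match.group(2).split(","):
            fields = entry.strip().split("/")
            # Field order: port/state/protocol/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2]))
        hosts[match.group(1)] = open_ports
    return hosts


def unexpected_ports(scan, allowed):
    """Return {host: [ports]} for open ports missing from the allowlist."""
    findings = {}
    for host, ports in scan.items():
        extra = ports - allowed.get(host, set())
        if extra:
            findings[host] = sorted(extra)
    return findings


if __name__ == "__main__":
    print(unexpected_ports(parse_greppable(SAMPLE_SCAN), ALLOWED))
```

A host that is absent from the allowlist has every open port reported, so a newly added device fails the check until its interfaces are documented.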
Standards
The main IoT connectivity standards cover a wide range of technologies designed to meet the needs of communication, energy efficiency, range, and security in connected devices. These devices are typically low-powered, with tightly controlled energy management and focused on a specific task.
Standards can be classified into wireless protocols, wide area networks, direct communication technologies, and transport protocols.
Wireless Protocols
- Wi-Fi:
  - Wi-Fi 5 802.11ac: speeds up to 2.3 Gbps on the 5 GHz band, ideal for high-demand environments.
  - Wi-Fi 6 802.11ax: improves efficiency in densely populated environments and operates on 2.4 GHz and 5 GHz bands.
  - IEEE 802.11ah: extends connectivity range for low-energy Wi-Fi networks.
- Bluetooth:
  - Standard Bluetooth: short-range connection for data and voice transmission.
  - Bluetooth Low Energy (BLE): designed for low-power IoT applications, such as medical devices and smart home systems.
- Zigbee: based on IEEE 802.15.4, uses 2.4 GHz radio waves with low energy consumption and a mesh topology, ideal for industrial and home applications.
- Thread: network protocol designed for low-power IoT products, promoted by the Thread Group.
- NFC (Near Field Communication): short-range communication (up to 4 cm), mainly used for contactless payments and access control.
Wide Area Networks
LPWANs (Low Power Wide Area Networks) are a type of wireless network designed for long-range communications with extremely low power consumption. These networks are ideal for IoT devices that need to transmit small amounts of data intermittently over long distances, without using much battery power.
Key features of LPWAN:
- Low power consumption: devices can operate for years on a single battery. Imagine if these networks consumed a lot of energy—deploying them on a large scale would be nearly impossible.
- Long range: coverage of several kilometers in urban areas and dozens of kilometers in rural zones. (Not everything is a densely populated city with strong coverage—there are thousands of places in the world where internet access is nearly impossible.)
- Low cost: both communication modules and connectivity fees are typically inexpensive. This is crucial, as deploying and maintaining networks is complex and costly, requiring specialized staff and equipment that significantly raises the final product cost.
- Low data rate: designed for small data loads, typical in IoT sensors and devices. Assume IoT devices aren’t generating videos or images—which are among the heaviest data types for end users. These devices might generate JSON files of a few megabytes at most, or use a more optimized format.
Just to give a quick overview, here are the most widespread LPWAN technologies currently in use:
- LoRa (Long Range): private network based on LoRa modulation and the LoRaWAN protocol.
- Sigfox: low-consumption network operated by providers with global coverage.
- NB-IoT (Narrowband IoT): LPWAN technology that uses cellular (LTE) networks.
- LTE-M (LTE Cat-M1): LPWAN variant based on LTE mobile networks, with more capacity than NB-IoT.
These networks are used in applications like smart meters, asset tracking, precision agriculture, smart cities, and environmental monitoring—making them essential allies when working with IoT devices.
Mobile Protocols
As of today (2025), 3G and older networks are still supported in some parts of the world, although many operators in the US shut theirs down years ago. These networks will gradually disappear, becoming extremely limited or vanishing altogether. In contrast, the following technologies still have a long lifespan before reaching that point.
- 4G LTE, LTE Cat-M1: provide low latency and high capacity, ideal for scenarios requiring real-time updates.
- 5G: promises faster speeds and greater capacity to connect multiple devices simultaneously.
Transport Protocols
At this point, there’s little debate over HTTPS being the undisputed king, but other protocols can be ideal depending on the function the IoT device is meant to serve.
- MQTT (Message Queuing Telemetry Transport): lightweight protocol designed to transmit data between IoT devices and the internet, ideal for bandwidth-limited networks.
- CoAP (Constrained Application Protocol): similar to HTTP but optimized for resource-constrained IoT devices.
- HTTP/HTTPS: widely used protocol for data transmission between IoT devices and the internet.
These standards are essential to ensure interoperability between devices manufactured by different companies, improve energy efficiency, and secure IoT communications. Choosing the right standard depends on the specific use case, such as required range, data transmission speed, or power consumption.
Knowledge
To conduct effective testing on IoT systems, a QA professional must master technical, methodological, and security-related aspects specific to this ecosystem. Due to the nature of these systems, lack of proper care can pose serious risks and impact.
IoT systems are typically structured in several layers:
- Devices (sensors, actuators)
- Gateways (connectivity and protocol management)
- Backend platform (data processing and storage)
- Frontend applications (user interface and analytics)
What kind of tests and knowledge should QA professionals keep in mind?
- Functional: tests to validate basic operations using a Gray Box Testing approach. These tests combine white-box testing (where application code is accessible and allows calculating path coverage, total code coverage, etc.) and black-box testing (where there is no code access and the approach is purely behavioral, checking outcomes for various input scenarios).
- Security: tests that anticipate potential issues and vulnerabilities, such as penetration testing (Pentesting) or using tools like Shodan. For those unfamiliar with it, Shodan is a search engine (like Google) but focused on discovering devices connected to the Internet. It's a powerful tool, and if your device shows up there, you might have a problem. Security testing should be a top priority, as many IoT incidents result from known vulnerabilities. Test cases should replicate real-world scenarios, including network outages and man-in-the-middle attacks.
- Performance: tests to analyze latency and scalability, using load simulation tools. You can use tools like JMeter, K6, or others if the devices communicate via APIs. If standard tools don’t work for your case, you can build a simulator of the devices and conduct the tests virtually. While this approach provides an estimate, results might differ from real-world devices.
- Interoperability: tests to verify device compatibility using multi-layer test strategies.
- Privacy: tests to ensure data protection, such as encryption and anonymization testing.
There are also often overlooked areas in these kinds of products:
- Regulations: compliance with GDPR for data in the EU, FCC regulations for devices in the US.
- Edge Computing: testing local processing capabilities with latencies under 50ms.
- AI/ML: validation of predictive algorithms integrated into the devices.
As you’ve probably realized, testing and quality assurance for IoT devices is no trivial task—it requires a well-prepared team with the knowledge and tools necessary to do the job right.
And what about you—have you run into any problems with these kinds of devices or performed any of the tests mentioned here? Let me know in the comments!