<!-- Source: https://melinasecurity.com/knowledge/glossary/lwm2m/  License: CC BY 4.0 with attribution to Melina Security  Last-updated: 2026-06-12 -->

# LWM2M

**slug:** `lwm2m` · **URL:** `/knowledge/glossary/lwm2m/` · **category:** IoT Protocols · **reviewer:** Tatiana

### Definition

LWM2M (Lightweight Machine-to-Machine) is a device-management protocol standardized by the Open Mobile Alliance (OMA) for IoT device management over constrained networks. It runs on top of [CoAP](/knowledge/glossary/coap/) and provides a structured object model for device monitoring, firmware-over-the-air updates, and configuration management.

### What it means

LWM2M is widely deployed in cellular IoT (NB-IoT, LTE-M) for device fleet management at scale. It defines a standard object model — device, connectivity, firmware update, location, access control — and a registration / bootstrap workflow that lets a server discover and manage previously unknown devices.

Security in LWM2M depends on the version and binding. LWM2M over CoAP uses DTLS with pre-shared keys, raw public keys, or X.509 certificates. LWM2M 1.2 adds OSCORE (Object Security for Constrained RESTful Environments) as an application-layer security option. The most common security failures we see in LWM2M deployments are insecure bootstrap (devices accepting arbitrary bootstrap server URLs), weak PSK provisioning (factory-shared keys instead of per-device keys), and access-control object misconfiguration (devices granting write access to unauthenticated peers).
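The three failure modes above can be checked from the device-side object instances without touching the radio link. The following is an added example (not code from Melina Security or from the OMA specification) that audits a fleet's LWM2M Security Object (/0) and Access Control Object (/2) instances for insecure bootstrap, NoSec mode, factory-shared PSKs, and default ACL entries that grant mutating access. Resource IDs and the ACL bitmask follow the OMA object model; the device endpoints, key bytes, and the bootstrap-server allowlist are constructed sample data.

```python
"""Audit constructed LWM2M Security (/0) and Access Control (/2) instances
for insecure bootstrap, NoSec mode, shared PSKs and over-broad default ACLs."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

# Security Mode values of resource /0/x/2 in the OMA LWM2M Security Object.
SEC_MODE_PSK, SEC_MODE_RPK, SEC_MODE_CERT, SEC_MODE_NOSEC = 0, 1, 2, 3

# ACL bitmask used by the Access Control Object resource /2/x/2.
ACL_READ, ACL_WRITE, ACL_EXEC, ACL_DELETE, ACL_CREATE = 1, 2, 4, 8, 16
DEFAULT_ACL_INSTANCE = 0  # resource instance 0 holds the default ACL for unlisted servers


@dataclass
class SecurityInstance:
    server_uri: str       # /0/x/0  LWM2M Server URI
    is_bootstrap: bool    # /0/x/1  Bootstrap-Server flag
    security_mode: int    # /0/x/2  Security Mode
    identity: bytes       # /0/x/3  PSK identity / RPK / certificate
    secret_key: bytes     # /0/x/5  Secret Key (PSK or private key)


@dataclass
class AclInstance:
    object_id: int        # /2/x/0
    instance_id: int      # /2/x/1
    acl: dict[int, int]   # /2/x/2  short-server-id -> access bitmask
    owner: int            # /2/x/3  Access Control Owner


@dataclass
class Device:
    endpoint: str
    security: list[SecurityInstance]
    acls: list[AclInstance] = field(default_factory=list)


def audit_fleet(devices: list[Device], bootstrap_allowlist: set[str]):
    """Return (endpoint, finding, detail) tuples for every misconfiguration found."""
    findings = []
    # 1. Bootstrap: DTLS transport, operator-approved server, never NoSec.
    for d in devices:
        for s in d.security:
            if s.is_bootstrap:
                if not s.server_uri.startswith("coaps://"):
                    findings.append((d.endpoint, "bootstrap-insecure-transport", s.server_uri))
                if s.server_uri not in bootstrap_allowlist:
                    findings.append((d.endpoint, "bootstrap-unexpected-server", s.server_uri))
            if s.security_mode == SEC_MODE_NOSEC:
                findings.append((d.endpoint, "nosec-mode", s.server_uri))
    # 2. PSK reuse: the same secret on more than one device means one leak exposes all.
    key_owners: dict[bytes, set[str]] = defaultdict(set)
    for d in devices:
        for s in d.security:
            if s.security_mode == SEC_MODE_PSK:
                key_owners[s.secret_key].add(d.endpoint)
    for owners in key_owners.values():
        if len(owners) > 1:
            for ep in sorted(owners):
                findings.append((ep, "psk-shared", f"shared by {len(owners)} devices"))
    # 3. ACL: a default entry that allows Write/Delete/Create lets any registered
    #    server (not just the owner) mutate the object, e.g. Firmware Update (/5).
    for d in devices:
        for a in d.acls:
            default_bits = a.acl.get(DEFAULT_ACL_INSTANCE, 0)
            if default_bits & (ACL_WRITE | ACL_DELETE | ACL_CREATE):
                findings.append((d.endpoint, "default-acl-mutating", f"/{a.object_id}/{a.instance_id}"))
    return findings


# Constructed sample fleet: endpoints, URIs and key bytes are made up for this example.
ALLOWED_BOOTSTRAP = {"coaps://bs.example.net:5684"}
SHARED_KEY = b"\x22" * 16  # the "factory PSK" reused on every unit
FLEET = [
    Device("urn:imei:000000000000001",
           [SecurityInstance("coaps://bs.example.net:5684", True, SEC_MODE_PSK, b"dev-1", b"\x11" * 16),
            SecurityInstance("coaps://lwm2m.example.net:5684", False, SEC_MODE_PSK, b"dev-1", SHARED_KEY)],
           [AclInstance(5, 0, {1: ACL_READ | ACL_WRITE | ACL_EXEC}, owner=1)]),
    Device("urn:imei:000000000000002",
           [SecurityInstance("coap://bs.legacy.example:5683", True, SEC_MODE_NOSEC, b"", b""),
            SecurityInstance("coaps://lwm2m.example.net:5684", False, SEC_MODE_PSK, b"dev-2", SHARED_KEY)],
           [AclInstance(5, 0, {0: ACL_READ | ACL_WRITE, 1: ACL_READ | ACL_WRITE | ACL_EXEC}, owner=1)]),
    Device("urn:imei:000000000000003",
           [SecurityInstance("coaps://bs.example.net:5684", True, SEC_MODE_PSK, b"dev-3", b"\x33" * 16),
            SecurityInstance("coaps://lwm2m.example.net:5684", False, SEC_MODE_PSK, b"dev-3", SHARED_KEY)]),
]

if __name__ == "__main__":
    for endpoint, finding, detail in audit_fleet(FLEET, ALLOWED_BOOTSTRAP):
        print(f"{endpoint}: {finding} ({detail})")
```

In the sample fleet only the first device's bootstrap configuration is clean, yet all three are flagged for the shared server PSK, which is the point: per-device key provisioning has to be verified fleet-wide, not per unit. The same checks apply to a real inventory exported from a bootstrap server or device-management platform, provided the export includes the Security and Access Control object instances.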

For offensive-security assessment, LWM2M testing covers: bootstrap-flow security, DTLS / OSCORE security review, object-model access-control enumeration, firmware-update workflow integrity (signature verification, rollback protection), and observation-notification abuse.

### Related terms

- [CoAP](/knowledge/glossary/coap/)
- [MQTT](/knowledge/glossary/mqtt/)

### Authoritative sources

- [OMA LWM2M 1.2 specification](https://www.openmobilealliance.org/release/LightweightM2M/V1_2-20201110-A/)
- [RFC 8613 (OSCORE)](https://datatracker.ietf.org/doc/html/rfc8613)

---

