LWM2M
LWM2M (Lightweight Machine-to-Machine) is a device-management protocol standardized by the Open Mobile Alliance (OMA) for IoT device management over constrained networks. It runs on top of [CoAP](/knowledge/glossary/coap/) and provides a structured object model for device monitoring, firmware-over-the-air updates, and configuration management.
What it means
LWM2M is widely deployed in cellular IoT (NB-IoT, LTE-M) for device fleet management at scale. It defines a standard object model — device, connectivity, firmware update, location, access control — and a registration / bootstrap workflow that lets a server discover and manage previously-unknown devices.
Security in LWM2M depends on the version and binding. LWM2M over CoAP uses DTLS with pre-shared keys, raw public keys, or X.509 certificates. LWM2M 1.2 adds OSCORE (Object Security for Constrained RESTful Environments) as an application-layer security option. The most common security failures we see in LWM2M deployments are insecure bootstrap (devices accepting arbitrary bootstrap server URLs), weak PSK provisioning (factory-shared keys instead of per-device keys), and access-control object misconfiguration (devices granting write access to unauthenticated peers).
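As an added example (not code from the OMA specification or any LWM2M implementation), the following audit walks a fleet's Security Object (Object 0) and Access Control Object (Object 2) instances and flags the three failure modes just described. Resource IDs, security-mode values and ACL bit values follow the OMA object definitions; the device names, URIs and keys are constructed.

```python
from collections import Counter

# Resource IDs from the OMA LWM2M Security Object (0) and Access Control Object (2).
SEC_URI, SEC_IS_BOOTSTRAP, SEC_MODE, SEC_SECRET = 0, 1, 2, 5
ACL_OBJECT_ID, ACL_RESOURCE = 0, 2
MODE_PSK, MODE_NOSEC = 0, 3
ACL_WRITE, ACL_DELETE, ACL_CREATE = 0x02, 0x08, 0x10
DEFAULT_ACL_INSTANCE = 0  # ACL entry applied to every server that has no entry of its own

def audit_device(name, objects):
    """objects maps (object_id, instance_id) -> {resource_id: value}; returns finding strings."""
    findings = []
    for (obj_id, inst), res in objects.items():
        if obj_id == 0:
            uri, mode = res.get(SEC_URI, ""), res.get(SEC_MODE)
            if res.get(SEC_IS_BOOTSTRAP) and (mode == MODE_NOSEC or uri.startswith("coap://")):
                findings.append(f"{name}: insecure bootstrap {uri} (security mode {mode})")
            elif mode == MODE_NOSEC:
                findings.append(f"{name}: NoSec management server instance {inst}")
        elif obj_id == 2:
            rights = res.get(ACL_RESOURCE, {}).get(DEFAULT_ACL_INSTANCE, 0)
            if rights & (ACL_WRITE | ACL_DELETE | ACL_CREATE):
                findings.append(f"{name}: default ACL grants W/D/C on object {res.get(ACL_OBJECT_ID)}")
    return findings

def audit_fleet(fleet):
    """Audit each device, then flag any PSK secret shared by more than one device."""
    findings = [f for name, objs in fleet.items() for f in audit_device(name, objs)]
    secrets = Counter(res[SEC_SECRET] for objs in fleet.values() for (obj_id, _), res in objs.items()
                      if obj_id == 0 and res.get(SEC_MODE) == MODE_PSK and SEC_SECRET in res)
    findings += [f"PSK secret {s.hex()} shared by {n} devices (factory key?)" for s, n in secrets.items() if n > 1]
    return findings

def psk_server(uri, secret, bootstrap=False):
    return {SEC_URI: uri, SEC_IS_BOOTSTRAP: bootstrap, SEC_MODE: MODE_PSK, SEC_SECRET: secret}

# Constructed sample fleet (not real devices): dev-a has a per-device PSK but an unauthenticated
# bootstrap entry; dev-b and dev-c share a factory PSK; dev-c also leaves the Firmware Update
# object (5) writable through the default ACL.
SAMPLE_FLEET = {
    "dev-a": {(0, 0): {SEC_URI: "coap://bs.example:5683", SEC_IS_BOOTSTRAP: True, SEC_MODE: MODE_NOSEC},
              (0, 1): psk_server("coaps://dm.example:5684", bytes.fromhex("a1b2c3d4"))},
    "dev-b": {(0, 1): psk_server("coaps://dm.example:5684", bytes.fromhex("00112233"))},
    "dev-c": {(0, 1): psk_server("coaps://dm.example:5684", bytes.fromhex("00112233")),
              (2, 0): {ACL_OBJECT_ID: 5, ACL_RESOURCE: {DEFAULT_ACL_INSTANCE: ACL_WRITE | 0x01}}},
}

if __name__ == "__main__":
    for finding in audit_fleet(SAMPLE_FLEET):
        print(finding)
```

Running the sample fleet reports one finding per failure mode: the unauthenticated bootstrap on dev-a, the writable default ACL on dev-c, and the PSK shared by dev-b and dev-c.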
For offensive-security assessment, LWM2M testing covers: bootstrap-flow security, DTLS / OSCORE security review, object-model access-control enumeration, firmware-update workflow integrity (signature verification, rollback protection), and observation-notification abuse.
Authoritative sources
- OMA LWM2M 1.2 specification
- RFC 8613 (OSCORE)