The article highlights significant security vulnerabilities in Internet of Things (IoT) devices, which are proliferating despite lagging security awareness. Key risks include reused passwords, lack of network segmentation, poor data sanitization, and devices shipped with insecure default settings and unencrypted data storage. These flaws allow threat actors to gain unauthorized network access, steal credentials, and move laterally within home and enterprise networks. The analysis is based on research examining common devices like Amazon Echo, Apple TV, and smart appliances, showing they often store sensitive data insecurely for years.
Connected & Compromised: When IoT Devices Turn Into Threats
Reused passwords, a lack of network segmentation, and poor sanitization processes make the Internet of Things' attack surfaces more dangerous.
The number of Internet of Things (IoT) devices operating in homes and offices continues to balloon, but security awareness is lagging despite the considerable risks the technologies pose.
IoT security is a long-standing topic that continues to evolve as more devices come to market. Devices require Internet connectivity, yet many lack sufficient passcode and encryption features and are shipped with insecure default settings. That means much of the responsibility for protection falls on the user.
People simply listening to a song through Amazon Alexa or watching a new show on Apple TV are often unaware of the security risks, like credential theft and unauthorized network access, introduced to their home and to their lives. Those risks magnify in an enterprise environment and threat actors notice.
Over the past year, Mattia Epifani, certified instructor at SANS Institute and digital forensic expert, worked on cases involving IoT devices. That sparked his own research, which he will present during RSAC 2026 Conference in San Francisco in March.
Epifani's research focuses on the most commonly used devices: Amazon's Alexa-powered hardware, such as the Echo Dot and Echo Vision, along with Apple TV, Apple Watch, and Google Home. He also examined smart refrigerators, Roombas, networked cameras, and smart light bulbs — whatever he stumbled across during his worldwide travels — and brought them back to his office to understand how these devices store data. The answer: not very securely.
"With IoT devices, you cannot set a password," Epifani says. "There's no protection."
It's True: IoT Devices Are Listening
Enterprises commonly implement security measures, such as multifactor authentication, strict password policies, and encryption, to protect their computers, work phones, servers, and cloud services. All that work could go down the drain if their IoT devices are insecure and connected to the same network. One minute a Roomba is spinning around the office floor, the next an attacker abuses it to gain unauthorized access.
Risks crop up when companies add a device and pair it with the same Amazon, Google, or Apple account they use for purchases. The stakes rise further when that account shares a password with other systems. Credential or account reuse turns a single compromised device into a foothold for lateral movement: an attacker who recovers credentials from one IoT device can replay them against every other device, account, and system that shares them.
"This could be misused to get access to other systems," Epifani says. “I've seen cases of companies being compromised through their IoT components."
Threat actors could access zip files containing all the information and audio from users' interactions with all of their devices, data that is retained for years, Epifani says. Surveillance cameras also represent a big threat to enterprises, he adds. Threat actors abuse cameras to gain network access because the camera technology is older and less protected than the rest of the network.
"That is dangerous for companies," he emphasizes.
Discarding IoT devices haphazardly poses another danger. On many of these devices data is stored unencrypted at rest, so if someone resells an Amazon Echo on eBay or throws it away, there is a good chance its contents can be recovered straight from the storage. If a threat actor gets hold of it, the information could be used to conduct impersonation attacks.
While Apple does encrypt data at rest, the encryption doesn't depend on a passcode, Epifani notes, so the data is readable by whoever holds the device. If someone loses an Apple TV, for example, they could become a target.
"If you're sharing a keychain through iCloud, all the Wi-Fi passwords are stored in the keychain of the Apple TV," he says. "I've had cases where we recovered Wi-Fi passwords from other devices, and the passcode of the phone was one of the Wi-Fi passcodes."
Reused passwords are an attacker's treasure trove — "one of the best secrets of digital forensics experts," Epifani says.
I Got 99 Problems and Encryption Is One
Smart refrigerators are another overlooked IoT risk. They ship with Web browsers, store passwords, and let users install applications and control them from their cell phones. Epifani conducted part of that research at a city recycling plant littered with discarded units.
"If you can get your hands on that, you can build part of the life of a person," he explains. "All the passwords you store, the websites you visit — they can be accessed."
On top of that, if there's no encryption — and "with IoT devices, 99% are not encrypted," Epifani says — recovering that information is easy. Unlike extracting data from smartphones or laptops, pulling it from Amazon devices, for example, is relatively inexpensive for threat actors. Adding encryption is costly because of the processing power it requires. Finding a balance between price and security is an ongoing battle, but it is the direction vendors are going, Epifani adds.
"Some other things are a choice. For example, I don't know why Apple didn't add an option to set a passcode on the Apple TV," he says.
Help Is on the Way
While Epifani is not against Amazon and other IoT device offerings — his daughter loves listening to music on Alexa — his research highlights the extent of how much sensitive data they store, and how they can be used to gain unauthorized access. Once someone has access to that device, it's not only the user's musical preferences at stake.
Improving user awareness is Epifani's main goal. Devices need to store data, and not all of it can live in the cloud: to operate locally, they need data stored locally. But, he warns, "The problem is that the user has no way to protect it."
Enterprises should set up dedicated Amazon accounts for their IoT devices, separate from the accounts used for purchasing and with their own passwords, and Epifani recommends placing IoT devices on their own Wi-Fi network, segmented from the rest of the enterprise network. That way, if threat actors compromise a device, they are cut off from the rest of the network and cannot pivot from it to workstations, servers, or cloud services.
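As an added illustration of the segmentation Epifani recommends (this is example configuration written for this page, not anything from the article or from Epifani's research), here is an nftables ruleset for a Linux router where the IoT Wi-Fi SSID is mapped to its own VLAN interface. The weak setting it replaces is a flat network with no forward filtering at all, where a speaker, camera, or vacuum can reach every workstation and server directly. The interface names, subnets, and the assumption that the router runs nftables are all hypothetical.

```nft
#!/usr/sbin/nft -f
# Assumed topology (hypothetical, not from the article):
#   lan0  192.168.10.0/24  trusted workstations and servers
#   iot0  192.168.20.0/24  IoT VLAN: speakers, TVs, cameras, vacuums
#   wan0  upstream Internet link
#
# The insecure baseline is a single flat network, equivalent to a forward
# chain with "policy accept" and no rules. The ruleset below replaces it.

flush ruleset

table inet iot_seg {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, icmpv6 } accept

        # The router exposes only DHCP and DNS to the IoT VLAN;
        # no SSH, no web UI, nothing else an IoT device could probe.
        iifname "iot0" udp dport { 67, 53 } accept
        iifname "iot0" tcp dport 53 accept

        # Administration of the router only from the trusted LAN.
        iifname "lan0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # IoT devices may talk to their cloud services, and nothing internal.
        iifname "iot0" oifname "wan0" accept
        iifname "iot0" oifname "lan0" drop

        # Trusted LAN may initiate connections into the IoT VLAN (for example
        # to cast to a TV) and to the Internet; replies are admitted by the
        # established,related rule above, so IoT devices never get to start
        # a conversation with the LAN.
        iifname "lan0" oifname { "iot0", "wan0" } accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Check the file with `nft -c -f iot_seg.nft` before loading it, and review the result with `nft list ruleset`. Note that `flush ruleset` discards any other tables on the host, so merge rather than copy this on a router that already carries rules. Two caveats a practitioner should expect: discovery protocols such as mDNS do not cross VLAN boundaries, so casting from a laptop to a TV in the IoT segment needs an mDNS reflector or a deliberately opened path; and this filters traffic between segments only, so isolating IoT devices from each other additionally requires client isolation on the access point or switch.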
IoT security problems are peaking; Epifani believes vendors will move to something more secure. More devices are already being encrypted, but there are "millions, probably billions of IoT devices in use worldwide," he says. Unsurprisingly, that means it will take a number of years before they're replaced.