- What: An article discusses the security risks associated with IoT devices due to reused passwords, lack of network segmentation, and poor sanitization processes.
- Impact: IoT devices in homes and offices are vulnerable to credential theft and network access.
Connected and Compromised: When IoT Devices Turn Into Threats

Reused passwords, a lack of network segmentation, and poor sanitization processes make the Internet of Things' attack surfaces more dangerous.

Arielle Waldman, Features Writer, Dark Reading
February 19, 2026

The number of Internet of Things (IoT) devices operating in a home or office continues to balloon, but security awareness is lagging despite the considerable risks the technologies pose, from credential theft to network access.

IoT security is a long-standing topic that evolves as an influx of devices emerges onto the landscape. Devices require internet connectivity, yet many lack sufficient passcode and encryption features and ship with insecure default settings, placing much of the responsibility on the user. People simply listening to a song on Amazon Alexa or watching a new show on their Apple TV are often unaware of the security risks to their home and their lives. Those risks magnify in an enterprise environment, and threat actors notice.

Over the past year, Mattia Epifani, certified instructor at SANS Institute and digital forensic expert, worked on cases involving IoT devices. That sparked a research idea of his own, which he will present during RSAC 2026 Conference in San Francisco in March.

His research focused on the most commonly used devices, including Amazon devices (such as Echo Dot, Echo Vision, and Alexa), Apple TV, Apple Watch, and Google Home. He even examined smart fridges and Roombas.
Epifani also bought networked cameras and smart light bulbs, whatever he stumbled across during his worldwide travels, and brought them back to his office to try to understand how these IoT devices store data. The answer: Not too securely.

"With IoT devices, you cannot set a password," Epifani warns. "There's no protection."

It's True: IoT Devices Are Listening

Enterprises implement security measures like multifactor authentication, strict password policies, and encryption to protect their computers, work phones, servers, and cloud services. All that work could go down the drain if their IoT devices are insecure and connected to the same network. One minute, a Roomba is spinning around the office floor; the next, an attacker abuses it to gain unauthorized access.

Risks occur when companies add a device and use it with the same Amazon, Google or Apple account they use for purchases. Stakes rise when the same password is used. Credential or account reuse enables lateral movement, where attackers jump from an IoT device to other systems.

"This could be misused to get access to other systems," Epifani adds. "I've seen cases of companies being compromised through their IoT components."

Threat actors could access zip files containing all the information and audio of users interacting with all their devices, and these files are stored for years, reveals Epifani.

Surveillance cameras represent a big threat to enterprises, he adds. Threat actors abuse cameras to gain network access because the technologies are older and less protected than the rest of the network.

"That is dangerous for companies," he emphasizes.

Discarding IoT devices haphazardly also poses a danger. Everything is unencrypted when data is at rest, so if someone resells an Amazon Echo on eBay or throws it away, there's a good chance the data can be recovered.
If a threat actor gets their hands on it, the information could be used to conduct impersonation attacks.

While Apple does encrypt data at rest, the encryption doesn't depend on a passcode, he adds. If someone loses a TV, for example, they could become a target.

"If you're sharing keychain through iCloud, all the Wi-Fi passwords are stored in the keychain of the Apple TV," he says. "I've had cases where we recovered Wi-Fi passwords from other devices, and the passcode of the phone was one of the Wi-Fi passcodes."

Reused passwords are an attacker's treasure trove. Epifani describes password reuse as "one of the best secrets of digital forensics experts."

I Got 99 Problems and Encryption is One

Smart refrigerators are another overlooked IoT risk. They are equipped with web browsers, store passwords, and allow users to install applications and control them with their cell phones. Epifani conducted part of that research at a city recycling plant littered with smart fridges.

"If you can get your hands on that, you can build part of the life of a person," he explains. "All the passwords you store, the websites you visit – they can be accessed."

On top of that, if there's no encryption, and Epifani notes "with IoT devices, 99% are not encrypted," recovering that information is easy. Unlike hacking smartphones or laptops, it's relatively inexpensive for threat actors to get data from Amazon devices, for example.

Adding encryption features is costly because of the power it requires. Finding balance between price and security is an ongoing battle, but it is the direction vendors are going, Epifani adds.

"Some other things are a choice, for example, I don't know why Apple didn't add an option to set a passcode on the Apple TV," he says.

Help Is on The Way

While Epifani is not against Amazon or other IoT device offerings – his daughter loves listening to music on Alexa – his research highlighted the extent to which they store sensitive data and how they can be used to gain unauthorized access. Once someone has access to that device, it's not only the user's musical preferences at stake.

Improving user awareness is Epifani's main concern regarding IoT security. Devices need to store data, and it can't all be in the cloud, because they need to operate locally. But he warns: "The problem is that the user has no way to protect it."

Enterprises should have separate Amazon accounts for their IoT devices, and he recommends using a sub-Wi-Fi network for IoT devices. That way, if threat actors do compromise one, they will be cut off from the rest of the network.

IoT security problems are peaking; Epifani believes vendors will move to a more secure approach. More devices are already being encrypted. The problem: There are "millions, probably billions of IoT devices in use worldwide." Unsurprisingly, that means it will take some years before they're replaced.

About the Author

Arielle Waldman, Features Writer, Dark Reading

Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity related in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going.
She previously lived in Florida where she wrote for the Tampa Bay Times before returning to Boston where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and poetry collection.