The IOT Episode
Transcript
Introduction to the Guest and Topic:
Host Allie Krings welcomes back Steven Collins as one of the podcast’s first repeat guests. Steven previously appeared to discuss physical security, which he describes as a passion covering everything from door locks to emergency preparedness. This time, the conversation focuses on IoT – the Internet of Things – and the security risks that come with the growing number of connected devices in homes and workplaces.
What is IoT?
IoT stands for Internet of Things. It refers to all the connected devices in your home or office that are not traditional workstations, laptops, or servers. This includes Ring doorbell cameras, outdoor security cameras, alarm systems, medical devices, smart speakers like Amazon Alexa and Google Home, and Apple smart home products. These are everyday “things” that get connected to the internet, often without much thought given to what they are doing in the background.
Why Should We Care About IoT Security?
Many IoT devices are always on and always listening. A smart speaker like Alexa, for example, is continuously processing audio from the surrounding environment. What most people do not realize is that this data – including sensitive conversations about medical issues, legal matters, or business information – is being stored on third-party servers, sometimes in other countries, and in some cases reviewed by human workers rather than automated systems alone.
This has real-world consequences. There have been actual court cases in which recordings captured by Alexa or data from an Apple Watch were used as evidence against individuals who had committed crimes. In a business context, confidential client discussions held in a room with a smart speaker could potentially be captured, stored, and later accessed by unauthorized parties.
What is the Policy Landscape for IoT in the Workplace?
Many organizations do not yet have a formal IoT device policy, largely because the technology is still relatively new and evolving. Employees frequently bring personal devices into the office – smart speakers, digital assistants, or other gadgets – to meet needs that standard IT tools do not address, such as playing music, placing orders, or displaying a digital photo frame at a reception desk.
Hospitals represent a more advanced case: medical device manufacturers sometimes provide doctors with trial devices that get plugged directly into hospital networks, creating unknown and unmonitored entry points. Security professionals should proactively engage employees who bring in IoT devices, asking what the device is, who approved it, what it is being used for, and whether it belongs on the network. The goal is not simply to say no, but to help employees find secure ways to meet their needs.
How Should We Evaluate IoT Devices Before Bringing Them Home or to Work?
Steven recommends approaching all IoT devices with a healthy degree of skepticism, but without letting that caution become paralyzing. The key is doing basic research before purchasing or deploying a device:
Check for authentication requirements: Does the device require a password to log in? Many lower-cost devices do not, and that is a significant red flag.
Research the manufacturer and product: Look up the device online. Are there known security vulnerabilities? Does the company publish a security statement explaining how they protect user data? A well-known, reputable product is generally a safer choice than an inexpensive, obscure one.
Understand where data is stored: If data is stored locally on the device, the risk is much lower. If it is sent to a company’s server – and potentially forwarded from there to additional servers – you may have very little visibility into or control over where your data ends up.
Consider the risk-to-benefit ratio: A smart washing machine that sends a text when a cycle is done is a low-risk convenience. A remotely controllable oven that could be hacked to run at extreme temperatures while you are away is a much higher-risk proposition. Weigh the benefit against the potential consequences.
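The "understand where data is stored" step above is hard to answer from a product page alone, but a practitioner can measure it: put the device on the network, export the flow or connection log from the home router or firewall, and see whether the device talks only to hosts on the LAN or streams most of its traffic to servers on the internet. The script below is an added example, not code from the episode or from KirkpatrickPrice; the log format (timestamp, source IP, destination IP, destination port, bytes) and every address in it are constructed for illustration, and the "cloud-dependent" threshold is an arbitrary assumption you would tune for your own network.

```python
"""Classify where each LAN device sends its traffic, from a router flow log.

Added example for the "where is my data stored" check. The log format and all
addresses below are constructed; the 203.0.113.0/24, 198.51.100.0/24 and
192.0.2.0/24 ranges are documentation ranges standing in for vendor servers.
"""
import ipaddress
from collections import defaultdict

# Constructed sample flow log. Columns: timestamp src_ip dst_ip dst_port bytes.
# 192.168.1.42 is a smart speaker, .77 a camera, .90 a sensor talking only to a
# local MQTT broker on 192.168.1.10; one deliberately malformed line is included.
SAMPLE_FLOW_LOG = """\
2024-05-01T20:01:03 192.168.1.42 192.168.1.10 8123 1842
2024-05-01T20:01:05 192.168.1.42 203.0.113.9 443 30211
2024-05-01T20:01:06 192.168.1.42 224.0.0.251 5353 96
2024-05-01T20:01:09 192.168.1.77 198.51.100.23 443 5120
2024-05-01T20:01:10 192.168.1.77 192.0.2.55 8883 2048
2024-05-01T20:01:12 192.168.1.90 192.168.1.10 1883 420
this line is malformed and must be skipped, not crash the report
2024-05-01T20:01:15 192.168.1.90 192.168.1.10 1883 388
"""

# Explicit list of "stays inside the house" ranges: RFC 1918, loopback,
# link-local and multicast (mDNS/SSDP discovery). ipaddress.is_private is NOT
# used because it also treats the documentation ranges as private, which would
# hide the constructed "vendor" traffic in this sample.
LOCAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")
]

# Assumed threshold: more than half of a device's bytes leaving the LAN means
# the device cannot do its job without the vendor's servers.
CLOUD_DEPENDENT_RATIO = 0.5


def is_local_destination(ip_text):
    """True if the destination is on the LAN or a local discovery address."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in LOCAL_NETWORKS)


def parse_flow(line):
    """Parse one log line into (ts, src, dst, port, nbytes); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return (ts, src, dst, int(port), int(nbytes))
    except ValueError:
        return None


def summarize_flows(log_text):
    """Per source device: bytes kept local, bytes sent out, and external hosts."""
    summary = defaultdict(
        lambda: {"local_bytes": 0, "external_bytes": 0, "external_hosts": set()}
    )
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip garbage rather than abort the whole report
        _, src, dst, _, nbytes = flow
        entry = summary[src]
        if is_local_destination(dst):
            entry["local_bytes"] += nbytes
        else:
            entry["external_bytes"] += nbytes
            entry["external_hosts"].add(dst)
    return dict(summary)


def classify_device(entry):
    """'local-only', 'mixed' or 'cloud-dependent' for one device's summary."""
    if not entry["external_hosts"]:
        return "local-only"
    total = entry["local_bytes"] + entry["external_bytes"]
    if entry["external_bytes"] / total > CLOUD_DEPENDENT_RATIO:
        return "cloud-dependent"
    return "mixed"


if __name__ == "__main__":
    for device, entry in sorted(summarize_flows(SAMPLE_FLOW_LOG).items()):
        print(f"{device:15} {classify_device(entry):15} "
              f"out={entry['external_bytes']:>6}B "
              f"hosts={sorted(entry['external_hosts'])}")
```

On the constructed sample the sensor on 192.168.1.90 comes out "local-only" (it only ever reaches the broker on the LAN), while the speaker and the camera are "cloud-dependent". A real run replaces SAMPLE_FLOW_LOG with a router export in the same five-column shape; the useful follow-up is to resolve the external hosts and check which company and country they belong to, which is exactly the visibility the episode says most owners lack.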
What Are the Risks of IoT Devices in the Home?
Baby Monitors: Wi-Fi-connected baby monitors can be accessed remotely by the parents, but they can also potentially be accessed by unauthorized parties. There are documented cases of hackers connecting to internet-enabled baby monitors and using the speaker function to say disturbing things. A Bluetooth-only monitor has a much smaller attack surface than one connected to the internet.
Smart Home Calendars and Scheduling Devices: Devices like digital family calendars that display schedules and sync across phones may store your data on the manufacturer’s servers. A hacker who gains access to that data could determine when a family will be away on vacation – information that could be used to plan a burglary.
Shared and Second-Hand Devices: Passing an IoT device from one household member to another is generally acceptable as long as the device is fully reset to factory settings before being set up in the new environment, the same as with a used laptop or phone.
What About Wearable and Recording Devices?
Wearable IoT devices that record conversations – such as the clip-on recorders some sales teams wear at conferences – can be very useful for capturing customer feedback and ensuring accurate follow-up. In professional settings, the best practice is to disclose to the other party that a recording is being made, as those conference teams do.
In healthcare settings, voice-to-text transcription tools like Dragon Naturally Speaking by Nuance are widely used to automatically convert spoken notes into patient records. Steven recommends sticking with well-established, reputable products in sensitive environments like healthcare, ensuring the tool integrates directly with existing systems rather than adding unnecessary new layers of data storage, and always verifying the security posture of any product before deploying it.
What About Children and IoT?
Children are growing up in households full of IoT devices – asking smart speakers to play music, using connected tablets, and interacting with various internet-enabled toys. Some countries, such as Australia, have moved to restrict social media access for users under 15 or 16 due to concerns about its impact on young people. Steven acknowledges that society is still working through the implications of widespread IoT adoption for all age groups, including children, and that in many respects we are all still “guinea pigs” in a large-scale experiment.
Final Thoughts and Key Takeaways:
Ask the right questions: Before bringing any IoT device into your home or workplace, ask who manufactures it, whether it is secure, and where the data it collects will be stored.
Do your research: Take 20 minutes to look up any device before purchasing it. Read the company’s security statement if one is available. Check for known vulnerabilities.
Prefer local data storage: A device that stores data locally is significantly less risky than one that sends data to external servers, where you lose control over it.
Have conversations in the workplace: Security officers and IT professionals should engage employees who bring in IoT devices – not to automatically refuse them, but to understand the need being met and find a secure solution that works for everyone.
Notes
The IOT Episode
“Hey Alexa…” We all have them—but what are IoT devices, really? As helpful as Internet of Things technologies can be, what risks do they introduce along the way? In this episode, Steven Collins sits down with host Allie Krings to unpack the reality of IoT devices, from smart homes to smart workplaces. Is the risk the same at home as it is on the job? Tune in for a practical look at convenience, security, and what users should know before plugging in.
At KirkpatrickPrice, we’re on a mission to help 10,000 organizations raise the bar for cybersecurity and compliance. If you’re going to invest in an audit, it should deliver real value. That’s why we partner with you from audit readiness to final report, ensuring you get the assurance you deserve.