COMMENTARY: Internet-of-Things (IoT) devices face the most danger not when they are hacked, but on the day they are first powered on.

Each year, millions of people plug in smart speakers, cameras, hubs and appliances, many of them in business settings. These devices are marketed as convenient, intuitive and ready to use out of the box. What is far less visible are the security risks they bring with them.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

In our research, we have found that they are rarely monitored, infrequently updated, and often trusted by default. The result is not a single spike in exposure but a normalization of risk, accepted or unnoticed by users and driven by systemic weaknesses in the products themselves.

Once installed, a vulnerable device can persist inside a home or small-business network for years, quietly expanding that network's digital footprint. A single insecure hub or appliance may connect to the Wi-Fi network, mobile apps, cloud accounts, location data, and other smart devices associated with a business account. For attackers, that kind of connectivity creates an ideal foothold.

A lifecycle failure hiding in plain sight

When security issues involving connected devices make headlines, they are often framed as the work of sophisticated attackers exploiting advanced techniques. In reality, many of the most common IoT vulnerabilities stem from foundational security failures baked into mass-market products.

We continue to uncover weak authorization controls, unauthenticated APIs, insecure data transmission, and fragile session handling in devices designed for widespread consumer use. These are not edge-case flaws. They point to a broader market failure: the absence of standardized and observable security commitments from manufacturers.

Too many products ship without a clear vulnerability disclosure process, defined patch timelines, or any verifiable plan for long-term support. Once the device is installed, security becomes an afterthought rather than an obligation.

This gap is not inevitable, though. Some manufacturers have shown that it is possible to treat security as a sustained responsibility rather than a one-time design consideration. The difference comes down to structure: security is embedded into how products are supported, communicated, and maintained over time.

What doing it right actually looks like

In practice, manufacturers that take this responsibility seriously make their security posture visible. They clearly explain how vulnerabilities can be reported to them, how updates are handled, and how long customers can expect their devices to be supported. These commitments are not hidden behind support tickets or legal language. They are easy to find and easy to understand.

This distinction matters for users, especially when buying devices for themselves. Before adding another connected device to a network, it is worth spending a few minutes looking at how a company talks about security.

We have seen this firsthand in our own research and disclosure work. In cases involving products like Traeger and YoLink, the difference was not the absence of findings. Vulnerabilities still existed, but what stood out was the presence of a process: a clear way to report issues, an identifiable response path, and a willingness to engage on remediation rather than deflect responsibility. That posture changes the risk equation. It turns security from an after-the-fact problem into an operational discipline.

Other consumer IoT companies have made similar commitments transparent by design. Vendors such as Wyze, Google, Garmin, and Owlet publicly document their security and trust programs, vulnerability disclosure policies, and expectations for researchers. These resources are easy to find, written in plain language, and treated as living references rather than legal fine print.

In practice, this looks like:

- A visible security page on the company's website: This page should outline the vendor's security policy: how they handle vulnerabilities, how customers or researchers can report issues, and what their commitments are around updates and patching.
- A vulnerability disclosure or bug bounty program: Reputable vendors make it easy for security researchers to responsibly report issues.
- A clear update and support lifecycle: The manufacturer should state how long the device will receive security patches.

These commitments do not guarantee that a device will never be compromised, but they offer predictability, accountability, and ownership by the manufacturer.

Flooding a network with inexpensive, unknown devices from online marketplaces may feel convenient, but each one expands the digital footprint of the environment. Choosing fewer devices from vendors that are open about security helps limit unnecessary exposure before a product is ever plugged in.

Waiting for manufacturers to improve their security practices, especially after purchase, is not a viable near-term strategy. However, meaningful risk reduction does not require advanced security products. These six simple steps can help contain and reduce many IoT risks:

- Run updates immediately. Many IoT devices ship with outdated firmware that includes known vulnerabilities. Manually updating the firmware immediately after installation closes these gaps before the device becomes part of daily use, and enabling automatic updates where the vendor offers them keeps the gaps closed.
- Change the device's default settings. Many smart devices are configured to be as open and connected as possible so that setup is easy. If the setup process includes a default password or login, changing it ensures the device is not relying on credentials shared across thousands of networks.
- Place smart devices on a guest or secondary wireless network (or a dedicated VLAN where the router supports one). This creates a simple boundary that keeps phones, laptops and work systems away from unnecessary risk. It is not perfect, but the separation limits how far an attacker can move if a device is compromised.
- Turn off unnecessary features. If a device offers remote access, voice control, or sharing options that the organization never plans to use, disabling them reduces the device's exposure.
- Disable automatic port-forwarding features on the router. Many home and small-business routers ship with Universal Plug-and-Play (UPnP), NAT Port Mapping Protocol (NAT-PMP), or Port Control Protocol (PCP) enabled by default. These let devices automatically ask the router to expose them directly to the internet. While convenient in limited scenarios, most modern IoT devices do not need this to work remotely through their companion apps. If left enabled, a device such as a camera or hub can quietly create an internet-facing opening without the user ever reviewing a port-forwarding rule. Unless users intentionally rely on these features, disabling them reduces the chance that a device can make itself globally accessible. After turning them off, also review the router's existing port-forwarding table: the goal is no mapping that nobody created deliberately.
- When a smart device is no longer used, reset it to factory defaults before disposal or resale. This helps ensure it does not remain quietly connected to personal or business accounts.

In the near term, focus on practical control. Network segmentation, early updates and informed purchasing decisions offer meaningful protection against devices that are already in use. These measures acknowledge reality rather than waiting for it to improve.

At the same time, the industry must put more pressure on manufacturers to focus on basic security. Transparent, enforceable security lifecycles should become baseline expectations, not wish-list items.

These devices may look harmless at first glance. Whether they remain that way depends on how quickly we stop treating their risk as temporary. It is time to commit to IoT device safety as an ongoing responsibility, not a seasonal concern.

Ben Lincoln, managing principal, Bishop Fox
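As an added example (not code from the column or from Bishop Fox), the following stdlib-only Python script performs the check behind the port-forwarding step in the six steps above: it discovers the router's UPnP Internet Gateway Device over SSDP, finds its WANIPConnection or WANPPPConnection control URL, and walks the port-mapping table with the standard GetGenericPortMappingEntry action until the router reports UPnP error 713 (index past the last entry). Every line it prints is a hole some LAN device asked the router to open. The embedded SSDP reply and SOAP messages are constructed samples, as are the addresses 192.168.1.1 and 192.168.1.42; the multicast address, search target, service names and action name are those defined by the UPnP IGD specification. It covers UPnP only: NAT-PMP and PCP are separate UDP protocols and would need their own probes.

```python
"""Audit the port mappings a router's UPnP IGD has accepted from LAN devices (stdlib only)."""
import socket
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEVICE_NS = "{urn:schemas-upnp-org:device-1-0}"
SOAP_ENV = '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>%s</s:Body></s:Envelope>'
INT_FIELDS = ("NewExternalPort", "NewInternalPort", "NewLeaseDuration")

# Constructed sample messages (not captured from any real product) so the parsers can run offline.
SAMPLE_SSDP = f"HTTP/1.1 200 OK\r\nLOCATION: http://192.168.1.1:5000/rootDesc.xml\r\nST: {IGD_ST}\r\n\r\n"
SAMPLE_DESC = ('<root xmlns="urn:schemas-upnp-org:device-1-0"><device><deviceList><device><serviceList>'
               f'<service><serviceType>{WANIP}</serviceType><controlURL>/ctl/IPConn</controlURL>'
               '</service></serviceList></device></deviceList></device></root>')
SAMPLE_ENTRY = SOAP_ENV % (f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
                           '<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort>'
                           '<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>'
                           '<NewInternalClient>192.168.1.42</NewInternalClient><NewEnabled>1</NewEnabled>'
                           '<NewPortMappingDescription>Cam-Front</NewPortMappingDescription>'
                           '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>')
SAMPLE_FAULT = SOAP_ENV % ('<s:Fault><faultcode>s:Client</faultcode><detail><UPnPError xmlns="urn:schemas-'
                           'upnp-org:control-1-0"><errorCode>713</errorCode></UPnPError></detail></s:Fault>')


def parse_ssdp_response(raw):
    """Lower-cased header dict from an SSDP M-SEARCH reply (the status line is skipped)."""
    pairs = (line.split(":", 1) for line in raw.split("\r\n")[1:] if ":" in line)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def find_wan_control_url(description_xml, base_url):
    """(serviceType, absolute controlURL) of the WANIP/WANPPPConnection service, or None."""
    for svc in ET.fromstring(description_xml).iter(DEVICE_NS + "service"):
        stype = svc.findtext(DEVICE_NS + "serviceType", "").strip()
        if "WANIPConnection" in stype or "WANPPPConnection" in stype:
            return stype, urljoin(base_url, svc.findtext(DEVICE_NS + "controlURL", "").strip())
    return None

def parse_port_mapping(soap_xml):
    """GetGenericPortMappingEntry response as a dict keyed by argument name minus 'New'; None on a fault."""
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        if el.tag.endswith("Fault"):  # error 713 SpecifiedArrayIndexInvalid: walked past the last entry
            return None
        if el.tag.startswith("New"):  # the argument elements carry no namespace
            fields[el.tag[3:]] = int(el.text or 0) if el.tag in INT_FIELDS else (el.text or "").strip()
    return fields

def describe_mapping(m):
    """One line per mapping; an empty RemoteHost means any internet source may reach it."""
    lease = "permanent" if m["LeaseDuration"] == 0 else f"{m['LeaseDuration']}s lease"
    return (f"{m['Protocol']} {m['RemoteHost'] or '*'}:{m['ExternalPort']} -> "
            f"{m['InternalClient']}:{m['InternalPort']} [{m['PortMappingDescription'] or 'no description'}] "
            f"{lease}, {'enabled' if m['Enabled'] == '1' else 'disabled'}")

def discover_igd(timeout=3.0):
    """Multicast an SSDP M-SEARCH for an IGD; return its description URL, or None if nothing answers."""
    msg = (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
           f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {IGD_ST}\r\n\r\n')
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg.encode(), SSDP_ADDR)
        try:
            return parse_ssdp_response(s.recvfrom(4096)[0].decode(errors="replace")).get("location")
        except socket.timeout:
            return None

def soap_call(control_url, service_type, action, args):
    """POST one UPnP action; a SOAP fault arrives as HTTP 500 with a body, which is returned too."""
    body = SOAP_ENV % (f'<u:{action} xmlns:u="{service_type}">'
                       + "".join(f"<{k}>{v}</{k}>" for k, v in args.items()) + f"</u:{action}>")
    req = urllib.request.Request(control_url, data=body.encode(), headers={
        "Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{service_type}#{action}"'})
    try:
        resp = urllib.request.urlopen(req, timeout=5)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError is itself a readable response object
    return resp.read().decode(errors="replace")

def list_port_mappings(control_url, service_type, limit=256):
    """Walk the mapping table by index until the router faults (past the last entry)."""
    mappings = []
    for index in range(limit):
        entry = parse_port_mapping(soap_call(control_url, service_type, "GetGenericPortMappingEntry",
                                             {"NewPortMappingIndex": index}))
        if entry is None:
            break
        mappings.append(entry)
    return mappings

if __name__ == "__main__":
    location = discover_igd()
    if not location:
        raise SystemExit("No UPnP IGD answered SSDP: UPnP is off, or the gateway does not speak IGD.")
    with urllib.request.urlopen(location, timeout=5) as resp:
        wan = find_wan_control_url(resp.read().decode(errors="replace"), location)
    for entry in (list_port_mappings(wan[1], wan[0]) if wan else []):
        print(describe_mapping(entry))
```

Run it from a machine on the same LAN as the router. An entry with `*` as the remote host and a permanent lease is exactly the kind of silent, internet-facing opening the step above warns about. Re-run it after disabling UPnP to confirm the table is actually empty rather than assuming the setting cleared it.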