
Your IoT Devices Are Calling Home. Do You Know Who’s Listening?

Ross Filipek

- Last Updated: May 8, 2026


When congressional investigators took a closer look at Chinese-manufactured port cranes operating at U.S. ports, they found something that should make every technology decision-maker uncomfortable. The cranes had been delivered with cellular modems pre-installed. These modems weren’t part of any contract. They had no documented operational purpose. And nobody on the purchasing side knew they were there.

The discovery made headlines, and for good reason. But the port cranes are just the most dramatic example of something that's happening quietly across every industry. Connected devices of all kinds, from industrial sensors to security cameras to building management systems, are designed to maintain persistent communication channels back to their manufacturers. In most cases, the intent isn't malicious.

Manufacturers use these channels to beta-test data, validate performance, and ensure the device is doing what it's supposed to do. But intent doesn't change the outcome. Those channels still exist on your network, they're still accessible, and they still create an opening that the wrong person can walk through. They ship that way. They're deployed that way. And in most cases, nobody ever questions it.

"Phone Home" Is a Feature, Not a Bug

If you're evaluating or deploying IoT in your organization, here's what probably isn't showing up in your vendor conversations. Most connected devices are engineered to maintain an open line back to the manufacturer, and that connection does real work. A building management sensor might ping a cloud server every few minutes to transmit performance telemetry. A security camera could be pulling firmware updates from a repository hosted overseas. An industrial controller might grant the manufacturer remote write access so they can push patches or troubleshoot without dispatching a technician. We like these sorts of things, and at this point, we need them.

All of that sounds reasonable on paper. But think about what each of those functions actually requires. Outbound data transmission to servers you don't control. Remote access to devices sitting inside your network. Update mechanisms that can modify how the device behaves without your involvement. These aren't theoretical capabilities. They're active pathways, built into the device at the factory, running on your network right now. And in most environments, nobody is watching what flows through them because they’ve never needed to.

The Blind Spot You Can't Afford to Ignore

When those pathways go unmonitored, the consequences aren't abstract. A foreign government with influence over a device manufacturer doesn't need to hack your network. They already have a communication channel in it. During a period of geopolitical tension, that access could be used to quietly exfiltrate data, conduct surveillance on facility operations, or map out the internal architecture of a network for future disruption.

And it doesn't take a nation-state scenario to make this dangerous, though espionage-motivated breaches in manufacturing surged nearly sixfold in 2025, jumping to 20% from just 3% the prior year. Manufacturers are also being breached and have remained the most targeted industry for the fifth consecutive year, accounting for 27.7% of incidents in 2025. If an attacker compromises a manufacturer's update infrastructure, every device calling home to that server becomes a potential entry point. One compromised update pushed across thousands of deployed devices is a supply chain attack at scale, and the organizations running those devices may never know it happened until the damage is done.

For sectors where downtime carries physical consequences, like healthcare, energy, and manufacturing, even a brief disruption triggered through one of these channels can cascade fast. Systems go offline, operations stall, and recovery timelines stretch because nobody planned for a threat that was already inside the building.

It's Time to Treat IoT Procurement as a Security Decision

IoT procurement still lives in a different world than security in most organizations. Connected devices are evaluated by facilities teams, operations managers, or project leads who focus on cost, capability, and compatibility. Security review, if it happens at all, tends to stop at whether the device supports encryption or requires a password to access.

Not enough people are asking where the firmware update server is hosted, taking the time to review what telemetry the device transmits or where that data lands, or mapping the communication pathways built into the product before it gets plugged into the network. And by the time the security team gets visibility, the devices are already deployed, and the channels are already live.

We've spent years building rigor around software supply chain security. We vet open-source libraries, audit code dependencies, and track every component in a software bill of materials. But when it comes to connected hardware, most organizations are still operating on trust. The manufacturer's country of origin, their data handling practices, the access they retain after the sale, all of it gets treated as someone else's problem. That gap is exactly what makes this risk so persistent.

Unplugging the Phone

What’s great is that this isn’t an unsolvable problem. But it does require some intentional effort and a shift in how you think about the risk of connected devices. Here are the steps I’d recommend for any organization deploying IoT at scale.

  1. Segment and Monitor: IoT devices should live on dedicated network segments, isolated from your core business systems. More importantly, you need to actively monitor outbound traffic from those segments. If a security camera is sending data to an unfamiliar IP range overseas, you want to know about it before someone else benefits from it.
  2. Scrutinize Before You Deploy: Before any connected device touches your network, evaluate the manufacturer’s country of origin and review the firmware update mechanisms. Ask vendors directly about built-in communication pathways and demand transparency. If a manufacturer can’t or won’t tell you what their device is communicating and where, that tells you something important.
  3. Audit Your Firmware: Conduct regular firmware reviews to identify undocumented features or communication channels. Disable any remote access capabilities that aren’t strictly necessary, and enforce tight access controls on the ones that remain.
  4. Know What You Have: Maintain a living inventory of every connected device on your network, including what it’s communicating with, how often, and over what protocols. This sounds basic, but most organizations don’t have this picture, and you cannot manage risk on assets you don’t know exist.
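
Steps 1 and 4 come down to the same data: a per-device record of every outbound destination, port, protocol, and how often it is contacted, compared against what the vendor has documented. The sketch below is an added example, not something from a vendor or product; the flow-record format, the `10.20.0.0/24` IoT segment, and the `DOCUMENTED` allowlist are all assumptions, and the sample records are constructed using documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: timestamp, device IP, destination IP, port, protocol.
SAMPLE_FLOWS = """\
2026-05-01T10:00:00Z 10.20.0.11 198.51.100.7 443 tcp
2026-05-01T10:05:00Z 10.20.0.11 198.51.100.7 443 tcp
2026-05-01T10:05:02Z 10.20.0.12 203.0.113.50 8883 tcp
2026-05-01T10:07:10Z 10.20.0.11 192.0.2.99 53 udp
2026-05-01T10:09:00Z 10.30.0.5 203.0.113.50 443 tcp
2026-05-01T10:10:00Z 10.20.0.12 10.20.0.1 123 udp
"""

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")  # assumed dedicated IoT segment
# Assumed allowlist: destinations each vendor has documented for its device.
DOCUMENTED = {
    "10.20.0.11": [ipaddress.ip_network("198.51.100.0/24")],
    "10.20.0.12": [ipaddress.ip_network("203.0.113.50/32")],
}

def build_inventory(flow_text):
    """Return {device: {(dst, port, proto): count}} for flows leaving the IoT segment."""
    inv = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        _, src, dst, port, proto = parts
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in IOT_SEGMENT or dst_ip in IOT_SEGMENT:
            continue  # ignore non-IoT sources and traffic that stays inside the segment
        inv[src][(dst, int(port), proto)] += 1
    return inv

def undocumented(inv):
    """Return sorted (device, dst, port, proto, count) for destinations not on the allowlist."""
    alerts = []
    for dev, dests in inv.items():
        allowed = DOCUMENTED.get(dev, [])
        for (dst, port, proto), n in dests.items():
            if not any(ipaddress.ip_address(dst) in net for net in allowed):
                alerts.append((dev, dst, port, proto, n))
    return sorted(alerts)

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FLOWS)
    for dev, dests in sorted(inventory.items()):
        print(dev, dict(dests))
    for alert in undocumented(inventory):
        print("UNDOCUMENTED", *alert)
```

A device with no allowlist entry has every outbound destination flagged, which is the right default for hardware whose vendor has not said what it talks to.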

The Payoff Is Visibility and Resilience

Organizations that take these steps gain something that’s surprisingly rare in enterprise security right now. They gain a clear and honest picture of what their connected devices are actually doing. That visibility translates directly into a smaller attack surface, because you’re identifying and controlling access pathways that traditional security tools miss entirely.

It also builds operational resilience. When your network is properly segmented and your containment strategies are tested, a compromise on one device doesn’t cascade across the enterprise. And perhaps most importantly, it shifts your security posture from reactive to proactive. You’re making informed decisions about risk instead of discovering blind spots after an incident forces your hand.

The IoT devices on your network are talking to someone. The only question is whether you know who’s on the other end of the conversation.
