Two studies, one from HP, and one from DNS and security vendor OpenDNS, took a look at the dangers IoT devices pose, and both concluded the same thing: They\u2019re real, they\u2019re here, and they\u2019re more widespread than you might imagine. Following are summaries of each study.Internet of Things in the Enterprise 2015OpenDNS is a DNS provider that routes more than 70 billion Internet requests daily from approximately 50 million consumer and enterprise users in more than 160 countries. For its report on IoT dangers, OpenDNS sampled statistically relevant data on the 15th day of February, March, and April in 2015.The company found an astonishing number of security holes in enterprises, including highly regulated ones such as healthcare, education, energy infrastructure, manufacturing, government, financial services, and others.It warned of three major security issues with IoT: \u201c(1) IoT devices introduce new avenues for potential remote exploitation of enterprise networks; (2) the infrastructure used to enable IoT devices is beyond both the user and IT\u2019s control; (3) and IT\u2019s often casual approach to IoT device management can leave devices unmonitored and unpatched.\u201dInfrastructures that host IoT data are susceptible to well-known vulnerabilities including FREAK and , it warns. And Western Digital cloud-enabled hard drives, which it found are common in enterprises, \u201care actively transferring data to insecure cloud servers.\u201dA serious issue is that IoT devices frequently beacon out, that is, use the Internet to contact networks outside of enterprises, and enterprises aren\u2019t aware of it. The report notes that smart TVs, frequently used in conference rooms, constantly beacon out, and \u201cmay be may be communicating with legacy infrastructure that uses an untrusted security certificate, opening this avenue of communication to several well-known attacks.\u201dNest thermostats also beacon out, the study found, as does the Dropcam line of cameras. The report says that this beaconing isn\u2019t inherently malicious, but adds that \u201c[a]ttackers can potentially monitor these devices for network activity and discover usage patterns about its owner. This type of beaconing also presents an additional attack surface for criminals to target if a device-specific exploit is discovered.\u201dBased on a survey that OpenDNS did of 500 IT professionals, many enterprises seem to be at risk. The survey found that 23% of those surveyed didn\u2019t have controls in place to stop unauthorized devices from connecting to their enterprise network.Internet of Things Research Study 2014HP's study looked at ten popular devices in common IoT niches such as TVs, webcams, thermostats, and more, and analyzed their behavior for security problems. The results: There are plenty of dangers.The report found \u201can alarmingly high average number of vulnerabilities per device. Vulnerabilities ranged from Heartbleed to denial of service to weak passwords to cross-site scripting.\u201d Most devices include connections to cloud services, which increase security risks because of the way data is transmitted between the devices and the cloud. All of them included mobile apps that could control the devices remotely -- another attack vector.Other findings include:Seventy percent of the devices didn\u2019t encrypt communications between the devices and the Internet or local network, and yet almost all of the devices collect personal information.Sixty percent of the devices had insecure Web interfaces such as persistent cross-site scripting, poor session management, and weak default credentials.Sixty percent of the devices had insecure software and firmware because they didn\u2019t use encryption when downloading software updates. This could allow hackers to intercept updates and inject attacks into them.Eighty percent of the devices had password problems --- they don\u2019t require passwords of sufficient complexity and length. Most allowed simple passwords such as \u201c1234\u201d or \u201c123456.\u201d The weak passwords were typically allowed on the devices themselves as well as on the associated cloud services and mobile apps.