IoT devices collect a surprisingly wide range of data, from obvious measurements like temperature and heart rate to less visible information like your Wi-Fi network name, device identifiers, and exact timestamps of every interaction. The specific data depends on the device, but most IoT products transmit some combination of sensor readings, location coordinates, usage patterns, and metadata about the device itself.
Environmental and Physical Sensor Data
The most straightforward category is raw sensor data. IoT sensors are built to capture real-world conditions and convert them into digital signals that get transmitted to a server or hub. Common environmental measurements include temperature, humidity, air pressure, light levels, and sound. More specialized sensors, particularly those used in smart city networks, measure specific air pollutants like nitrogen dioxide (NO2), sulfur dioxide (SO2), carbon monoxide (CO), and fine particulate matter in multiple size categories (PM1, PM2.5, and PM10).
Motion sensors detect movement or changes in position, which is how your smart security camera knows someone walked past or how an industrial sensor tracks equipment vibration. Sound sensors capture audio waves and convert them into electrical signals. These measurements are typically bundled with a timestamp and GPS coordinates before being transmitted, so the receiving system knows exactly when and where each reading was taken.
Health and Biometric Data
Wearable devices are some of the most data-rich IoT products on the market. A modern smartwatch like the Apple Watch collects blood oxygen levels, electrical heart activity (ECG), step count, and sleep patterns. The Fitbit Sense goes further, adding skin temperature, stress indicators through electrodermal activity, and respiratory data. Even basic fitness trackers record steps taken, calories burned, distance traveled, and hours of light versus deep sleep.
Medical-grade wearables capture even more granular biometric data. Chest-worn monitors can record heart rate variability and surface muscle electrical activity. Pulse oximeters on the finger track oxygen saturation, respiratory rate, and breathing patterns continuously. Sleep monitoring devices use accelerometer data and algorithms to classify each period of the night as awake or asleep, with some systems achieving 94% to 98% accuracy in detecting sleep periods.
All of this biometric data is typically transmitted to a companion app or cloud service, where it gets processed into the graphs and scores you see on your phone. The raw data itself, things like accelerometer readings sampled dozens of times per second, is far more detailed than what you see in the final dashboard.
Location and Movement Tracking
Many IoT devices pinpoint their location using more than just GPS. A technique called location fusion combines data from three sources: GPS satellites, nearby cell tower IDs, and Wi-Fi network names. When GPS signal drops out (indoors, in urban canyons, or underground), the device can estimate its position by looking up which cell towers it can reach or which Wi-Fi networks are nearby. This means your device may be scanning and recording local wireless networks even when you haven’t connected to them.
Asset trackers used in logistics and fleet management store and transmit historical routes, not just current position. These systems log a continuous trail of coordinates paired with timestamps, creating a complete movement history that can be retrieved later through cloud services. Consumer devices like fitness trackers do something similar when they record your running route, average speed, distance, and elevation changes using a built-in altimeter.
Audio Recordings and Voice Data
Smart speakers like Amazon Echo and Google Home are constantly listening for their wake word (“Alexa,” “Hey Siri,” “OK Google”), but the way they handle audio has important nuances. The wake word detection runs locally on the device using a lightweight speech recognition system limited to just a few designated words. Only after the device recognizes the wake word does it begin recording and uploading your audio to cloud servers for full processing.
Research into accidental triggers confirms that these devices transmit microphone input to the cloud only when the LED indicator is active, making the light a reliable signal that your voice is being sent to a remote server. Amazon uses a two-stage verification system: even if the local system thinks it heard the wake word, a more powerful cloud-based system double-checks. If the cloud doesn’t confirm the wake word, it tells the device to stop streaming audio.
There is at least one documented exception. Researchers found that Xiaomi’s smart speaker appeared to upload audio from “near miss” triggers (sounds close to but not matching the wake word) without activating its LED indicator. This means the device was transmitting voice data to the cloud without any visible signal to the user.
Usage Patterns and Behavioral Data
Smart appliances collect detailed behavioral data that reveals daily routines. Smart meters and connected appliances can disaggregate a household’s total electricity usage down to individual appliances, recording the start time, duration, and total energy consumption for each use. This means your smart home system may know when you run the dishwasher, how long your showers are (from the water heater), and what time you turn off the lights each night.
Smart TVs log what you watch and when. Connected thermostats learn your heating and cooling schedule. Robot vacuums map your floor plan. Individually, each data point seems minor. Together, they paint a detailed picture of household behavior, including how many people live in a home, when the house is empty, and what activities happen at what times.
Device Metadata
Beyond the “main” data a device is designed to collect, every IoT device also transmits metadata: information about the data itself and the device generating it. This includes the date and time of collection, the data format, and which specific device captured it. Every networked device also has a MAC address, a unique hardware identifier that can be used to track a specific device across networks.
Metadata also includes signal strength indicators (how strong the Wi-Fi or cellular connection is), firmware version numbers, battery levels, error logs, and network information like your router’s name and IP address. While metadata sounds abstract, it can be just as revealing as the primary data. Timestamps alone can expose your daily schedule, and geotags embedded in transmitted data packets reveal your location even when location services are turned off.
How This Data Gets Secured in Transit
IoT devices face a unique security challenge: many are too small and low-powered to run the heavy encryption that protects your laptop or phone. To address this, NIST (the U.S. National Institute of Standards and Technology) finalized a lightweight cryptography standard specifically designed for constrained devices like IoT sensors, RFID tags, and medical implants.
The standard, published as NIST Special Publication 800-232, is built on a family of algorithms called Ascon. It gives device designers tools for two core tasks: encrypting data so it can’t be read in transit, and creating a digital “fingerprint” (called a hash) that verifies the data hasn’t been tampered with. The encryption can also confirm that data is authentic, meaning it actually came from the device it claims to come from and wasn’t injected by an attacker.
Not all IoT devices implement strong encryption, though. Cheaper consumer devices, particularly those from lesser-known brands, may transmit data with minimal or no encryption. When evaluating an IoT device, checking whether the manufacturer specifies its encryption standards is one of the more practical ways to gauge how seriously they treat data security.