The way to do IoT properly is to have a single server inside the firewall for all the devices to talk to, so that they're never directly accessible to the outside world. Then, if the owner wishes, he can open an access port in his firewall to that server from outside and hope that the server is not vulnerable. Having a bunch of different devices, all phoning home to different numbers, is a security nightmare but it's what we're stuck with until IoT people come up with a standard that allows someone to write a (preferably open-source) server to which they can all hook up.
I have a bunch of IP cameras but they're actively blocked from talking outside the firewall here. At the moment I only have one device that talks out and at some point I'm going to see if I can reverse-engineer the protocol and roll my own server.
Biting the hand that feeds IT
