A new IoT valve/actuator from a major HVAC equipment supplier has not only no device security. A further look at the supplier’s catalog shows additional products that communicate using common building insecure communication protocols such as BACnet and Modbus. The ability to remotely control these valves/actuators allows for unauthorized control of a building’s environmental control systems without ever touching the Building Management System (BMS). The potential harm that can be done by these types of valves can be significant as they control the temperature and humidity from the air handling units. Temperature and humidity affect the residence time/viability of viruses such as COVID-19. Increase the humidity, and you’ve just allowed the virus to remain viable for a longer time. It should be obvious that cybersecurity IoT in devices can be critical, yet are not being adequately addressed.