The pursuit of tiny computing and sensor devices become a big chal- lenge in the Internet of Things (IoT) era. The process of powering such small-size wireless nodes becomes more difficult as the battery adds extra weight, size, and cost. Additionally, batteries replacement is impractical for the expected massive IoT connectivity especially in inaccessible environments, while recharging is very diffi- cult in multiple scenarios. Ambient backscatter communication (AmBC) solves this problem by leveraging existing radio-frequency transmissions for wirelessly pow- ering battery-free nodes. Due to the limited computational power of such nodes, high-complexity security and authentication protocols are infeasible. Consequently, it is imperative to exploit low-complexity techniques such as physical-layer secu- rity (PLS). PLS is a key-less security technique that relies on the randomness of the communication channel between the transceiver nodes for securing the trans- mitted message. In this work, we consider the PLS of an ambient backscattering IoT (AmBC-IoT) system. In AmBC-IoT system, backscattering IoT devices (BDs) form a symbiotic system, in which the access point (i.e., radio frequency source) supports not only the conventional legacy receiver but also the IoT transmission. Specifically, we derive closed-form expressions for the secrecy outage probability and the ergodic secrecy rate under passive eavesdropping. Additionally, we provide asymptotic analysis for both metrics to gain insights on the effect of different param- eters on the performance. The accuracy of the analytical results has been validated by extensive simulations.