We’re increasingly welcoming internet-connected smart devices – voice assistants, security cameras, even light bulbs – into our homes and businesses. These devices, sometimes known as Internet of Things (IoT) devices, can add a lot of convenience and functionality, but they can also bring some risks. Cybercriminals have hijacked security cameras and baby monitors, and smart devices are often made and installed without much concern for security. An attacker might not be able to compromise your laptop, but what if they could compromise your internet-connected thermostat and use that to intercept sensitive traffic in your network or cause other mischief?
In this article we’ll give you a few tips for how you can better select and secure those smart devices this holiday season.
Before you buy
Here are a few things to consider if you’re shopping for a smart device.
First...is it worth it?
There’s a certain appeal to having a “smart home” where everything from your garage door to your toaster is connected and working together, all centrally controlled by you. But before you buy or set up a smart device, consider if the value is worth the risk.
For example, Wi-Fi connected kitchen appliances are becoming more common. But is a “smart oven” worth it if all it really does is send an alert to your smartphone to tell you that it’s preheated, or the timer is done? Is the “smart fridge” worth it if it only tells you that it’s time to replace the water filter?
The easiest devices to secure are the ones you never connect in the first place. If your smart devices aren’t really that smart, don’t connect them to your network. They still bake cookies and chill drinks just fine without the Wi-Fi password.
Look for certain features
When it comes to the security of your smart devices there are certain features that are must-haves.
Encrypted wireless - Any device you’re going to connect to your network should support Wi-Fi Protected Access 2 (WPA2) or newer.
Updatable - It should have a way to update the firmware on the device if vulnerabilities are found, and the manufacturer should make it easy for you to find and install those updates.
Tip: Bonus points if the device downloads and installs firmware updates automatically!
If it’s not clear on the packaging or manufacturer’s website that the device has these things, consider contacting the manufacturer to ask.
Get to know the company’s data policies
Yes, we know that reading Privacy Statements, Service Agreements, or Terms of Service isn’t everybody’s idea of a good time, but there’s a lot of information in there that can be important to know before you get a device that’s going to live in your home or business. If you’re not going to read the whole thing, at least scan it for these important items.
What data are they collecting?
Is your smart fridge going to track how often you open and close the door? Is your smart lock going to log your comings and goings? Does your video doorbell do facial recognition? Look for some indication of what data the smart device is collecting about you and your environment.
What are they going to do with your data?
Look for some kind of statement of data use. This will usually tell you what the company intends to do with any data they collect. For example, if your smart fridge is tracking the last time you changed the water filter do they claim the right to use that information to sell you more water filters? Is your fitness watch going to share your daily step count with your health insurance company?
Is your data encrypted?
Is the privacy of your personal information being protected by encryption both in transit and at rest? Look for some assurances that they’re protecting your data from outside attackers not only on the device, but also while it’s being transmitted to their service, and when it’s being stored on their service.
Where is your data stored?
Different companies and different geographic regions have different rules for how data is protected. Look for any information about where your data will be stored. You don’t need the street address, but the general geographic region or jurisdiction it’s going to be kept in can be good to know.
And while you’re at it, how long do they intend to keep that data?
Ready to install?
You’ve unboxed your nifty new device and you’re ready to install. Here are a few things you should do to make sure the device is as secure as possible.
Change the default username and password
All smart devices have a control panel or administrator console of some kind and there is going to be a way to access that console. That console is where you tell the vacuum when to start or stop, tell the thermostat what time zone you're in, or change other settings. Usually, it’s done in a web browser or through a dedicated app. Either way there will be some way to sign into it. If you can change the administrator username you should do that, but even if you can’t change the username, you MUST change the default administrator password.
Tip: Ideally change the default username and password before connecting the device to the internet. If you can't, then just change it as soon as possible.
Any device that doesn’t allow you to select your own strong password for the administrator account is unacceptable.
For tips on selecting a good password see Create and use strong passwords.
Give them their own space
One of the best ways to keep your network safer, while still enjoying your smart devices, is to keep them separate from your primary devices like your laptops or smartphones. The way to do that is to set them up on a separate Wi-Fi network from the one that your laptops and smartphones connect to.
Don’t worry, you probably don’t need to buy a second Wi-Fi router to do this. All modern Wi-Fi routers support either creating multiple Wi-Fi networks, with separate SSIDs (the name you see when you try to connect to it), or turning on guest Wi-Fi, which also creates a separate wireless network. Create a second network, or enable guest Wi-Fi, and connect your smart devices to that separate network. That keeps them isolated from your primary Wi-Fi so even if they get compromised, an attacker can’t use them to get to your laptop or smartphone, or snoop on the traffic you send from those devices.
Important: Naturally that second network should be properly secured with encryption and a good password.
For more tips on securing your wireless networks see Be safer over wireless connections.
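One way to confirm that your smart devices really ended up on the separate network, shown as an added example that is not part of the original article. It assumes your router can export its DHCP lease list in the dnsmasq lease-file layout; the subnets, MAC addresses and hostnames below are constructed sample values.

```python
import ipaddress

# Constructed sample in dnsmasq lease-file layout:
# <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1735689600 02:00:00:00:00:01 192.168.1.20 work-laptop 01:02:00:00:00:00:01
1735689600 02:00:00:00:00:02 192.168.50.31 thermostat *
1735689600 02:00:00:00:00:03 192.168.1.44 smart-plug *
1735689600 02:00:00:00:00:04 192.168.50.12 * *
garbage line
"""
# MACs of the devices you consider "smart" (constructed values).
SMART_MACS = {"02:00:00:00:00:02", "02:00:00:00:00:03"}

def parse_leases(text):
    """Yield (mac, ip, hostname) per well-formed lease line; skip the rest."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue
        yield fields[1].lower(), ip, fields[3]

def misplaced_devices(text, primary_cidr, smart_cidr, smart_macs):
    """Return leases that contradict the intended primary/smart split."""
    primary = ipaddress.ip_network(primary_cidr)
    smart = ipaddress.ip_network(smart_cidr)
    smart_macs = {m.lower() for m in smart_macs}
    findings = []
    for mac, ip, host in parse_leases(text):
        if mac in smart_macs and ip in primary:
            findings.append((mac, str(ip), host,
                             "smart device on primary network"))
        elif mac not in smart_macs and ip in smart:
            # Either a laptop/phone joined the wrong SSID or an unknown device.
            findings.append((mac, str(ip), host,
                             "unlisted device on smart-device network"))
    return findings

if __name__ == "__main__":
    for row in misplaced_devices(SAMPLE_LEASES, "192.168.1.0/24",
                                 "192.168.50.0/24", SMART_MACS):
        print(*row, sep="  ")
```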
Keep them updated
You’re probably familiar with updates for your computer or your smartphone; smart devices often have important updates too. Smart devices have software built into them which controls how they operate. That software is written to the hardware and isn’t easy to modify, so we call it “firmware”. From time to time the manufacturer may release an update for that firmware that may contain new features, fix problems, or patch security holes.
It's important to keep your smart devices up-to-date with the latest firmware. If your device automatically checks for, and installs, updates on its own that’s the best situation. Then you only need to check it occasionally to make sure that process is running smoothly. But many devices will require you to log into the administrator console or app – or even the manufacturer’s support website – to manually check for, download, and install the new firmware.
The process is usually pretty easy, and it’s something you should do regularly – at least monthly.
Note: You should also make sure your Wi-Fi routers and other network devices have their latest firmware.
Smart devices like voice assistants, video doorbells, toys, and speakers can bring a lot of fun and functionality to your home or office. With great power comes great responsibility though, so be thoughtful about the devices you welcome into your place, and be sure to deploy and maintain them securely.