It seems that everything is getting connected to the internet these days — even toothbrushes, toilets and toasters. Though these examples may not yet be mainstream, there are many “smart” or “internet of things” (IoT) devices in common use — speakers with voice assistants, thermostats, video doorbells, lighting systems and TVs — that promise better home security, energy savings, convenience, peace of mind and many other benefits.
Yet many of these devices and services have poor or non-existent security protections. And unbeknownst to consumers, many also collect significant amounts of sensitive data. What are the risks of this lack of security and overcollection of data? They have been highlighted in headlines and range from annoying (someone changing television channels or messing with volume) to creepy (someone watching or listening to your family without permission) to thievery (using these devices to capture sensitive information and conduct identity theft) and even to physically dangerous (via access to the home, power cycling of appliances to start a fire or control of thermostats during extreme cold or heat).
Perhaps most distressingly, it was found that some children’s connected toys could be used as surveillance devices and to lure children away from their homes. These toys were banned or removed from shelves. Smart devices can also be used as “bots” to attack other sites on the internet, as we saw when vulnerable security cameras were used to bring down portions of the internet in late 2016.
With all of these potential risks, what can consumers do to keep themselves and their families safe?
- Buy smart: When purchasing devices, research their security and privacy status. Have there been any reports of security issues or abuses of privacy? Can the password be changed? Can they be upgraded?
- Change the default passwords: Some devices automatically come with unique passwords, but most have a generic default password that’s easily discoverable. If you don’t change it, attackers can easily get access, exposing your entire network. Be sure to use strong, unique passwords for each device and service.
- Stay updated: Some devices automatically update, but most don’t. Find out how to check for software and firmware updates for each device and do it regularly (ideally at least monthly). Most companies will release updates when they patch security vulnerabilities, and you don’t want to be left exposed. This goes for the mobile applications that control the devices as well.
- Set up separate, safe networks: Many routers allow multiple WiFi networks to be set up. Use one for your smart home devices and a separate one for your computers. That way, if someone gains access through your IoT network, they won’t have easy access to the information on your computers. And be sure to turn on the router’s firewall and use an encrypted WiFi connection.
- Regularly reset devices: If attackers do get access, malicious code that they load is often stored in memory and will be cleared during a reset. Even if you aren’t sure a device has been infected, it’s good practice to regularly reset devices.
- Turn devices off when not in use: Even if you believe the devices have not been compromised, why leave them on (especially those that can monitor you in some way) when you don’t need them?
Over time we expect that suppliers of these smart devices will design better security and privacy into their offerings, but in the meantime we can all take steps to protect ourselves and the internet from harm.