Smart home gadgets are undeniably cool and sometimes appear in your house whether you buy them. And while the Internet of Things has advantages, these Internet-connected devices are still just computers and have similar security risks.
A researcher recently found that LIFX smart bulbs store Wi-Fi passwords without encryption. So, by chucking one of these bulbs in the trash, you’ve mostly made breaching your Wi-Fi network as simple as dumpster-diving.
Like a Trojan horse, another device can compromise secure devices on the same network. With multiple linked gadgets controlled by the same app, one compromised device can reconfigure all of them. Someone could even grab your phone and unlock your whole house while you’re in the bathroom.
Poorly secured IoT devices can even become weapons in the wrong hands. For example, well-known cybersecurity expert Brian Krebs found himself fighting off a botnet in 2016 that largely consisted of cheap internet-connected cameras with poor security.
The good news is that, at least for now, stories about data from smart bulbs popping open smart locks for burglars to take smart TVs are largely theoretical. Still, spotting risky gadgets before they cross your threshold can go a long way to keeping unwanted visitors out of your home.
Know what you’re buying.
Despite their name, many smart devices aren’t used for particularly clever purposes. A 2018 survey run by Adobe found that people mostly use smart speakers to play audio content such as music, news, and weather and set timers and alarms. They’re convenient when your hands are full, but remembering your phone can perform all the same tricks and more is worth remembering.
With that in mind, consider your needs before buying any internet-connected device. Would chatting with your washing machine be useful, or are you better off with the “dumb” version that won’t leak your email?
Secondly, consider where a device fits into your life and what chaos it may cause if turned against you. Will you put personal data on it? Do you plan to use it to buy things? And how much do you trust the company selling the device? If Facebook puts a camera in your house and gives you the willies, you should skip the Portal.
Understand how secure a device is
Before buying an internet-connected device, smart or not, learn its security features, setup process, and settings. If it uses a web portal, see if that Portal has an “https” prefix that marks it as secure. Also, find out if the site uses Transport Layer Security, or TLS, to ensure secure communications between applications, especially if sharing your personal information. Without these countermeasures, someone could hijack your data in transit.
If the gadget uses an app, research what permissions the manufacturer wants and what they do with the data they collect. Then, only download apps from first-party app stores. Apple bakes malware scans and developer background checks into its app verification process. At the same time, Google has an internal program that scans apps for malware and marks them as verified by Google Play Protect.
As for the device itself, confirm that you can manually set passwords or verification processes. Avoid gadgets with “hard-coded” passwords, where the password for every device made by the company is the same.
If the item you’re considering allows guests to access and control it remotely, look up whether that feature can be disabled, a setting often listed under “remote-management access.”
Check how they send data for devices that communicate with a server, such as security cameras. Ideally, they should use end-to-end encryption, which keeps data secret, even from the company that runs the servers. This type of security is relatively rare in older smart home devices but is more common in newer ones.
Buy brand names
Brand-name products aren’t any more secure than those made by a manufacturer you’ve never heard of, but well-known brands are more likely to fix problems through firmware updates and publicly acknowledge issues.
The big names will also regularly update their apps and software. If an app hasn’t been tweaked in a while, it may be a security risk, as regular updates defend against newly discovered errors, bugs, and other problems.
Brands may also send out alerts when they’re about to stop supporting a product. Those alerts are particularly important because the manufacturer has less incentive to fix newfound security issues as technology ages. Once your smart home tech ages to the point where it’s no longer being updated, it’s time to get rid of it.
