We asked Wendy Nather, director of advisory CISOs at Duo Security, for a reality check on what the real vulnerabilities in a smart home are. “The most prevalent threat is automated attacks that are trying to take over devices as they would personal computers, to assemble into a group that can be used for their own purposes,” she said. These threats often include denial-of-service attacks, cryptocurrency mining and stealing user passwords.
Fortunately, it’s easy enough for anyone to take a few extra steps as you’re setting up your smart home to stay protected. With Nather’s help, we put together a list of things to consider.
Keep everything up-to-date
You may already be in the habit of keeping your computer and smartphone updated but not always apply the same prudence to smart home devices. We really should, as basically every gadget that’s linked to an account and is constantly connected to the internet can be a prime target for botnets, which are typically the cause of those massive denial-of-service attacks.
It might sound like obvious advice to keep your devices updated, but that can be hard when you might not even have access to the firmware in the first place. “Sometimes you can’t update things on your own,” Nather said, which is why you should learn how to update a new device the minute you bring it home.
One way to stay on top of firmware updates is by regularly checking the manufacturers’ websites since it can take a while to push out updates for new vulnerabilities. Create a bookmark folder with links in your browser and check them often (or set a periodic reminder). The companion app for your internet-connected device might occasionally prompt you about updates, but you can usually manually dig into the app settings to check for new software, too. Either way, you should keep the firmware or operating system on all the devices you use in your home up-to-date, whether that’s your smartphone, tablet, computer, smart TV, set-top box or game console.
Check your passwords
We live in a world that’s so convenient, that there are even apps that can remember your passwords for you and generate new ones that are strong and complex enough that they won’t be cracked or forgotten. Nather suggests using such a password manager, like LastPass or 1Password.
Both services can spit out a random alphanumeric passcode and store them for you across platforms, which is especially helpful if you’re using your smartphone to log into your connected stuff. Browsers are taking note, too, with Safari offering a similar feature in Mojave for free. It might sound counterintuitive, but if you still need help remembering a password, write it down in a paper notebook. “It’s not likely that someone will break into your home to read the passwords in a book in your desk drawer,” Nather added.
Some connected devices may also arrive with a factory-set username and password. “If you can change the password from its current default, do that, and make sure to check it whenever your device is restarted,” Nather said. “Sometimes a reset will change it back to the default.”
Secure your network
It’s not the easiest way of configuring the smart home, but if your router can handle it, consider setting up a separate WiFi network just for your smart devices, including smart speakers and anything else you want tethered to one another. This ensures that all network traffic associated with home automation is diverted through a separate line from the one you use for your computers and mobile devices, where you’re more likely to access data like banking and email passwords. In the event of a denial-of-service attack, the line that’s hacked won’t be linked to sensitive information.
“Also, don’t share your WiFi with your neighbors,” cautions Nather. If you often have company over, consider setting up a guest network or using a mesh Wi-Fi router system to more plainly monitor network traffic between your devices and your guests. The Netgear Orbi, Google WiFi, and Eero are three kinds of mesh Wi-Fi options to consider and all are extremely user-friendly. They can help simplify the process of adding a guest network and checking to see what devices are tapped in.
Do your research
Connected devices, the smart home, the internet of things — whatever you want to call it, it’s a relatively new category of gadgets, so you shouldn’t just buy the first thing you see on sale. You never know what kind of vulnerabilities you’re introducing in the home through a nefarious third party, or whether the company updates its software enough to stay secure from the latest threats.
Before you click the buy button, check out what the internet has to say about it. Scour Amazon and Best Buy reviews (as well as ours, of course) and do a search for the product name and “security vulnerabilities.” Sticking to well-known brands will also mitigate the possibility of issues later on, since the manufacturer is more likely to have the resources to invest in consistent updates, not to mention a reputation to uphold.
Read the EULA
It’s oft said, but it bears repeating: Take a look at the terms you’re signing to before you’re logging on to a new connected device. Granted, you don’t have much control over what you’re agreeing to and it’s likely written in indistinguishable jargon, but you can look to other people’s experiences. “Search online to see whether someone has already researched where your data is going,” Nather said. “The legalese in an agreement won’t tell you specifically what you need to know.”
Mute if you have to
Inevitably, if you’re bringing in a digital assistant like the Amazon Echo into your home, you’re tethering your devices to a speaker with a microphone that’s constantly listening for your command. It’s majorly convenient for a hands-free household, but you might not feel so comfortable if you start to think of it as a direct line into your home.
That’s why sticking to well-known brands — Google, Amazon, Apple — is imperative if you’re bringing a smart speaker into your home, and even that’s not without risk. At the very least, all three of these companies bake in physical mute buttons, which aren’t easily bypassable. This is also why you might avoid some third-party versions of the Amazon Echo and the Google Home, since the brands behind them may not be regularly patching their devices. And if you still feel uneasy about a device that’s connected, convenience be damned — only plug it in when you need it.
In the end, the security of your smart home relies entirely on how much research and care you take before setting up too many devices. “As with any other type of computing, the advances in technology rush ahead of the means for securing them,” said Nather. “This means that the internet of things will tend to be just as insecure as it can possibly be before consumers clamor for change.”
To that end, it’s better to wait to adopt a new smart home gadget after it’s in its second or third generation. At least there are plenty of brands out there that have had enough iterations to work out the kinks. The smart home doesn’t have to be scary, as long as you take a few precautions beforehand.
All products recommended by Engadget were selected by our editorial team, independent of our parent company, Oath. If you buy something through one of our links, we may earn an affiliate commission.