By connecting smart devices like lights, cameras, door locks and thermostats to the Internet, you may be making them — and you — visible to digital thieves or hackers.
“Every device connected to the Internet is a target,” said Theresa Payton, a former White House chief information officer and the founder and chief executive of Fortalice Solutions. A few recent news stories also illustrate the power these devices have.
One family’s living room Wi-Fi camera was infiltrated, allowing someone not only to control the camera and spy on them, but also to broadcast sound — including a false report of a nuclear missile attack. We’ve also seen domestic abusers tap into smart home technology to intimidate and stalk former partners.
According to statistics website Statista, there will be about 42 million smart homes by the end of 2019, but there is little more than anecdotal evidence of security compromises. So while stories about hacks and privacy breaches are indeed scary, so far they’re also rare. The vast majority of smart home users aren’t getting hacked.
Still, as with any internet-connected device, taking precautions is essential. At Wirecutter, the New York Times company that reviews products, we’ve consulted with a range of experts who offered some tips that will go a long way toward protecting you and your home — and don’t require a lot of time, money or technical know-how. We’ve also done extensive testing of smart home devices and we consider a product’s security measures as part of our evaluation process.
Protect your network
One of the things that makes smart home devices “smart” is their ability to connect to the internet over your home’s Wi-Fi network. That’s why it’s essential that you properly secure it. If you don’t protect your Wi-Fi network with a password, or you only use the default password that came with your modem or router, all of your devices are exposed — the digital equivalent of leaving your front door wide open with a neon welcome sign overhead.
“People need to realize there’s actually catalogs of all those default passwords on the internet,” Ms. Payton said. Lock your network down with a password, one that is unique and not shared with any other accounts you have. Ms. Payton also suggests completely hiding your home network from view, an option in your router’s settings menu. “So when somebody drives by, they think you don’t have internet. They can’t see it,” she said.
You can add another layer of protection by isolating your smart home devices from your computers and smartphones using a guest network, a common option in many popular routers.
“That way, the devices will be sort of quarantined by themselves,” said David Templeton, an information security analyst at The New York Times. Doing this also makes it easier to take devices offline without having to upset your entire network.
Use unique passwords for everything
Many people make the mistake of using the same username and password combination on multiple devices or accounts. If any one of those combinations is discovered — as happens a lot, such as when giant companies like Facebook and Yahoo get hacked — an enterprising thief could try them out on popular banking websites, social networks, email providers and websites that allow control of smart devices.
You need to use unique passwords for everything — including shopping sites you visit, services you use, your home network and, of course, each of your smart home devices. Remembering such an encyclopedia of passwords is functionally impossible, which is why Mr. Templeton suggests using a password manager: it not only creates unique passwords automatically but also keeps track of them across all your devices. Wirecutter has suggestions for the best ones to use.
Stick with reputable brands
All of our security experts agree that it’s best to pick smart devices from established brands. Those companies have a reputation to protect, along with the infrastructure to back it up.
That also means they likely have the ability to employ better security measures when designing their products, and unlike no-name brands or many start-ups, you can reasonably expect them to release software patches and fixes if vulnerabilities are discovered. And naturally, we recommend reading good, high-quality reviews (and admittedly, we’re biased toward our own) before making a purchase.
Secure your devices
There are a few additional ways to further secure your smart devices. A number of companies now offer a verification system to control access to devices, called two-factor authentication. When you attempt to log in to an app, a one-time-use code is sent to another of your devices, and that code then needs to be entered in the original app. It’s not perfect, but it makes it virtually impossible for someone unwanted to access your accounts.
Also, many manufacturers allow you to opt into automatic hardware and software updates, something that will ensure the latest fixes get installed to repair new security vulnerabilities. Make sure you check the settings section of your devices’ apps and your smartphone’s app marketplace for updates to devices that don’t automatically do this.
Ms. Payton said she also reboots smart home devices once a week as an added security measure. “That reboot will actually make it grab any new security and privacy settings and downloads when it reconnects to the internet,” she explained. However, this is impractical for some devices, especially ones that are hard-wired into your home like in-wall dimmers and smart thermostats.
Reset before you resell
Just because you’re ready to ditch a device doesn’t mean it’s ready to forget you. After all, your Wi-Fi password and other personal info are often stored on that camera, smart plug or smart bulb. Before selling or recycling any device, be sure to do a factory reset first. Some devices require a button-press on the actual device, while others allow you to do it from the app. Either way, make sure that your info is no longer available through the app.
If a device is broken and you’re unable to wipe it clean, make sure it’s really broken and smash its components to pieces. According to the United States Computer Emergency Readiness Team, “Physical destruction of a device is the ultimate way to prevent others from retrieving your information.”
I like to think about all those times a device stopped working or disconnected from the network, and the idea of whacking it with a hammer. Just make sure you don’t hurt yourself in the process.
Whose responsibility is security?
There is mounting pressure on manufacturers to adopt better security practices. “The industry should be using strong encryption wherever possible, verifying firmware updates and inviting security audits,” said Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation.
The E.F.F. and organizations like The Digital Standard and the Mozilla Foundation are pressuring companies and government bodies to put stronger security practices in place. But everyone we spoke to agrees that, for now, consumers need to be proactive about security.
“Honestly, given where we are and how businesses think about security and privacy, the onus is on you. Nobody can look out for your security and privacy like you can for you and your family,” Ms. Payton said.