Credit: René Ramos/Lifehacker/Jason marz, Javier Zayas Photography/Moment, Violka08/iStock via Getty Images
Smart home devices can streamline a lot of your day-to-day tasks: With an internet connection and some simple automations, you may never have to carry house keys, turn off the lights, or touch your thermostat. But all of this convenience comes at a potential cost, as smart tech is vulnerable to attack by cyber actors, leaving your personal data and your privacy at risk.
Here’s what you need to know to secure your smart home.
Is your smart home secure?
The short answer: not by default. Smart homes have vulnerabilities at multiple levels, from the devices themselves to your home network to the physical endpoints, like your phone, that have access to and control over your Internet of Things (IoT).
To start, IoT devices may have weak built-in security protocols or lack clear instructions to help users lock them down from factory settings, leaving them open to hackers, who have to exert very little effort to access your data or spy on you. Wifi routers and smart home devices often have default credentials that are publicly available and therefore easy to get past—and data show that the vast majority of users have never changed their router admin password or adjusted any factory settings. If your home network isn’t secure, nothing connected to it can be considered secure either.
Smart devices can also be integrated into botnets, allowing threat actors to conduct malicious activity like account takeovers and malware distribution using your home network. A recent instance of this was a campaign known as BADBOX 2.0, which targeted off-brand consumer electronics manufactured in China.
Bill Budington, a senior staff technologist at the Electronic Frontier Foundation (EFF), notes the digital divide may increase the risk for some consumers, who may seek out cheaper devices from low-cost manufacturers that have weaker security and far less to lose in terms of reputation if they are implicated in vulnerabilities compared to companies like Amazon.
Finally, security can be compromised if your physical devices fall into the wrong hands. For example, if you control your smart home using apps on your phone, a threat actor could gain access in the event said phone is lost, stolen, or hacked.
Smart homes can compromise privacy
Left unsecured, smart home devices can also put your privacy (and potentially your safety) at risk. Internet-connected cameras, from baby monitors to pet cams, are vulnerable to hacking, and threat actors can use them to surveil you and your home. This may include snooping on and tracking your movements, “shoulder surfing” to collect sensitive personal information, recording audio and video footage of your private activities, and sharing or selling live feeds on the dark web. (In a particularly alarming incident in 2018, a hacker reportedly issued verbal threats toward a four-month-old through a Nest-brand baby monitor.)
Your smart tech is likely collecting a lot of information about you in the course of its normal activities—all of which could be exploited. For example, your robot vacuum creates and utilizes a map of your physical layout to know where to go, and usage patterns from various automations can be used to track your movements and confirm when you’re away from home.
There’s also the possibility that your smart home devices are compromising your data in ways you aren’t aware of and haven’t actively consented to. A 2023 report from security experts—led by the nonprofit IMDEA Networks and Northeastern University—shows that IoT devices may inadvertently expose personal information that can be harvested and sold to companies involved in surveillance capitalism. Researchers found that spyware apps and advertisers abuse local network protocols to access sensitive data, making it easier to profile users.
No security standards for smart homes
There isn’t a single set of cybersecurity standards that smart home companies have to follow or an easy, centralized resource for users to research this information. Earlier this year—during the last few weeks of the Biden administration—the Federal Communications Commission launched the U.S. Cyber Trust Mark voluntary labeling program to incentivize device manufacturers to improve security and help consumers buy with confidence. However, the agency later launched an investigation into the program, delaying its rollout.
For now, consumers are left to do their own due diligence. In 2017, the nonprofit Mozilla Foundation created a resource called *Privacy Not Included, with reviews of products measured against “minimum security standards” and breakdowns of any privacy concerns. The site doesn’t appear to have been updated in the last year, but you can still find detailed information about the privacy and security history of well-known smart home manufacturers like Amazon, Google, Wyze, and Ecobee.
Otherwise, Budington suggests simply searching the device you’re considering (and the company that makes it) before buying to see if researchers or users have reported any concerns.
What do you think so far?
How to improve smart home security
Securing your smart home starts with securing your internet connection via your router. We’ve got a whole guide to protecting your home network, but at the very least, you should change any default router settings—admin usernames, passwords, and network names—to something unique and not personally identifiable and turn on encryption in your wireless security settings. Regularly check for updates, which provide patches for security flaws, and audit the devices connected to your network to identify anything suspicious and remove those you no longer use.
You can add another layer of security with a guest network set up specifically for your IoT devices. That way, if your smart devices are compromised, everything connected to your primary network (such as computers and phones with access to your personal and financial accounts) will be protected.
According to Budington, one way to further mitigate vulnerability is to reduce the number of devices with their own wireless connection, running them through a secure, centralized hub instead. Home Assistant is a self-hosted option that can be installed on a Raspberry Pi or a traditional PC or used with the plug-and-play Home Assistant Green. Hubitat also gives you local control over your device data and integrates with a variety of products, including those compatible with the Zigbee, Z-Wave, and Matter standards.
Once your network is secure, you’ll want to take similar steps with each of your IoT devices. Change default usernames and passwords to unique, secure alternatives and enable all available security features, such as two-factor authentication and encryption, in the device settings. Ensure your devices (and any apps used to control them) receive automatic firmware updates.
You should also check your device’s privacy settings, removing permissions that aren’t essential for it to function and disabling features you won’t use. For example, you could turn off location tracking on your smart thermostat and disable voice control for devices other than your voice assistant.
Finally, while we’ve focused mostly on digital threats, your smart home isn’t immune to physical compromise. Be aware of ways your devices can be accessed, such as those installed on the exterior of your house, and ensure phones and tablets and the apps on them that control IoT devices are secured with a PIN or biometric authentication.
Remember that, by nature, anything connected to the internet is at least somewhat vulnerable to attack. You’ll have to consider your own risk tolerance and weigh the convenience of having a smart device against the potential for it to be compromised—and your privacy along with it. You may find that there are some things that you simply don’t need to automate, and therefore you can stick with the “dumb” alternative.
