An abstract illustration of a house in a yellow half circle with a red wi-fi symbol above it.
Illustration: Sarah MacReading

How to Protect Your Smart Home From Hackers

By connecting smart devices, such as lights, cameras, door locks, and thermostats, to the Internet, you may be making them—and you—visible to digital thieves or hackers. “Every device connected to the Internet is a target,” said Theresa Payton, former White House CIO and founder/CEO of Fortalice Solutions. And a few recent news stories illustrate the power these devices wield. One family’s living room Wi-Fi camera was infiltrated, allowing someone to not only control the camera and spy on them, but to broadcast sound—including a false report of a nuclear missile attack. We’ve also seen domestic abusers tap into smart-home technology to intimidate and stalk former partners.

According to Statista, there will be about 42 million smart homes by the end of 2019, but there is little more than anecdotal evidence of security compromises. So while stories about hacks and privacy breaches are indeed scary, so far they’re also rare, and the vast majority of smart-home users aren’t getting hacked. Still, as with any Internet-connected device, taking precautions is essential. We’ve consulted with a range of experts who prescribed a few measures that will go a long way toward protecting you and your home—and don’t require a lot of time, money, or technical know-how. Wirecutter has done extensive testing of smart-home devices, and we consider a product’s security measures as part of our evaluation process.

Protect your network

One of the things that makes smart-home devices smart is their ability to connect over your home’s Wi-Fi network, which is why it’s essential that you properly secure it. If you don’t protect your Wi-Fi network with a password or you only use the default password that came with your modem or router, all of your devices are exposed—the digital equivalent of leaving your front door wide open with a neon welcome sign overhead. “People need to realize there's actually catalogs of all those default passwords on the Internet,” Payton says. Lock your network down with a password, one that is unique and not shared with any other accounts you have. Payton also suggests completely hiding your home network from view, an option in your router’s settings menu. “So when somebody drives by, they think you don’t have internet. They can’t see it,” she said.

You can add another layer of protection by isolating your smart-home devices from your computers and smartphones using a guest network, a common option in many popular routers. “That way, the devices will be sort of quarantined by themselves,” said David Templeton, information security analyst at The New York Times (parent company of Wirecutter). Doing this also makes it easier to take devices offline without having to upset the entire network.

Use unique passwords for everything

Many people make the mistake of using the same username and password combination on multiple devices or accounts. If any one of those combinations is discovered—as happens a lot, such as when giant companies like Facebook and Yahoo get hacked—an enterprising thief could try them out on popular banking websites, social networks, email providers, and websites that allow control of smart devices. You need to use unique passwords for everything—including shopping sites you visit, services you use, your home network, and each of your smart-home devices. Remembering such an encyclopedia of passwords is functionally impossible, which is why Templeton suggests using a password manager, which not only creates unique passwords automatically but also keeps track of them across all your devices.

Stick with reputable brands

All of our security experts agree that it’s best to pick smart devices from established brands. Those companies have a reputation to protect, along with the infrastructure to back it up. That means they likely have the ability to employ better security measures when designing their products, and unlike no-name brands or many startups, you can reasonably expect them to release software patches and fixes if vulnerabilities are discovered. And, naturally, we always recommend consulting a good source for reviews before making a purchase.

Secure your devices

There are a few additional ways to further secure your smart devices. A number of companies now offer a verification system, called two-factor authentication, to control access to devices. When you attempt to log in to an app, a one-time-use code is sent to another of your devices, and you then need to enter that code in the original app. It’s not perfect, but it makes it virtually impossible for someone unwanted to access your accounts. Also, many manufacturers allow you to opt in to automatic hardware and software updates, something experts recommend to ensure the latest fixes get installed to repair new security vulnerabilities. Make sure you check the settings section of your devices’ apps and your smartphone’s app marketplace for updates to devices that don’t automatically do this.

Payton said she also reboots smart-home devices once a week as an added security measure. “That reboot will actually make it grab any new security and privacy settings and downloads when it reconnects to the Internet,” she explained. However, this is impractical for some devices, especially ones that are hardwired into your home like in-wall dimmers and smart thermostats.

Reset before you resell

Just because you’re ready to ditch a device doesn’t mean it’s ready to forget you. After all, your Wi-Fi password and other personal info are often stored on that camera, smart plug, or smart bulb. Before selling or recycling any device, be sure to do a factory reset first. Some devices require a button-press on the actual device, while others allow you to do it from the app. Either way, make sure that info is no longer available through the app.

If a device is broken and you’re unable to wipe it clean, make sure it’s really broken and smash its components to pieces. According to the United States Computer Emergency Readiness Team, “Physical destruction of a device is the ultimate way to prevent others from retrieving your information.” We like to think about all those times it stopped working or disconnected from the network, and start whacking it with a hammer. Just make sure you don’t hurt yourself in the process.

Whose responsibility is security?

There is mounting pressure on manufacturers to adopt better security practices. “The industry should be using strong encryption wherever possible, verifying firmware updates, and inviting security audits,” said Bennett Cyphers, one of the staff technologists at the Electronic Frontier Foundation. The EFF and organizations like The Digital Standard and the Mozilla Foundation are pressuring companies and government bodies to put stronger practices in place. But our experts agree that, for now, consumers need to be proactive about security. “Honestly, given where we are and how businesses think about security and privacy, the onus is on you. Nobody can look out for your security and privacy like you can for you and your family,” Payton said.

Sources

1. Grant Clauser, Are Smart Homes Open Houses for Hackers?, Wirecutter, November 6, 2018

2. Bennett Cyphers and Lee Tien, Electronic Frontier Foundation, email interview, March 4, 2019

3. Luke Denne, Greg Sadler, Makda Ghebreslassie, We hired ethical hackers to hack a family's smart home — here's how it turned out, CBC Marketplace, September 30, 2018

4. Nicholas Fearn, Hacking the home: how connected tech is making your shack a security risk, TechRadar, August 19, 2017

5. Jane C. Hu, How one lightbulb could allow hackers to burgle your home, Quartz, December 18, 2018

6. Theresa Payton, former White House CIO and founder/CEO of Fortalice Solutions, phone interview, February 22, 2019

7. Michiel Prins, ethical hacker and co-founder of HackerOne, phone interview, February 28, 2019

8. Brad Russell, research director, Connected Home, Parks Associates, email interview, February 28, 2019

9. David Templeton, information security analyst, The New York Times, phone interview, February 19, 2019

10. Consumer Technology Association, Recommended Best Practices for Securing Home Systems (PDF), December 2015

11. SSI staff, Hacker Speaks Through Nest Camera, Gives Victim Security Tips, Security Sales & Integration, December 21, 2018
