How to buy smart—and secure—gadgets

The Internet of Things is cool, but it can be risky. Here’s how to protect yourself.
Your devices might be smart, but they might be giving out your secrets in very stupid ways. Sebastian Scholz (Nuki) / Unsplash

This story has been updated. It was originally published on March 27, 2019.

Smart home gadgets are undeniably cool and sometimes show up in your house whether you buy them or not. And while the Internet of Things has its advantages, these internet-connected devices are still just computers and come with similar security risks.

In 2019, a researcher found that LIFX smart bulbs were storing WiFi passwords without any encryption whatsoever. So by chucking one of these bulbs in the trash, you’d essentially make breaching your WiFi network as simple as dumpster-diving. It’s unclear whether or not the company has addressed this issue since then.

Even secure devices can be compromised by another device on the same network—like a Trojan horse. With multiple linked gadgets controlled by the same app, one compromised device can potentially reconfigure all of them. Someone could even grab your phone and unlock your whole house while you’re in the bathroom.

Poorly secured IoT devices can even become weapons in the wrong hands. Well-known cybersecurity expert Brian Krebs, for example, found himself fighting off a botnet in 2016 that largely consisted of cheap internet-connected cameras with poor security.

The good news is that, at least for the moment, stories about data from smart bulbs popping open smart locks for burglars to take smart TVs are largely theoretical. Still, spotting risky gadgets before they cross your threshold can go a long way to keeping unwanted visitors out of your home.

Know what you’re buying

Despite their name, a lot of smart devices aren’t used for particularly clever purposes. A 2018 survey run by Adobe found people mostly use smart speakers to play audio content such as music, news, and weather, and to set timers and alarms. They’re convenient when your hands are full, but it’s worth remembering your phone can perform all the same tricks and more.

With that in mind, consider your needs before buying any internet-connected device. Will it be useful to chat with your washing machine, or are you better off with the “dumb” version that won’t leak your email?

Secondly, think about where a device fits into your life and what chaos it may cause if turned against you. Will you put personal data on it? Do you plan to use it to buy things? And how much do you trust the company selling the device? If Facebook putting a camera in your house gives you the willies, for example, you should probably skip the Portal.

Understand how secure a device is

Before you buy an internet-connected device, smart or not, make sure you learn its security features, setup process, and settings. If it uses a web portal, check that the portal’s address starts with “https,” the prefix that marks the connection as secure. Also confirm that Transport Layer Security, or TLS, the protocol behind that “https,” protects communications between applications, especially if the device is sharing your personal information. Without these countermeasures, someone could intercept your data in transit.
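For readers who want to run the https and TLS check themselves, here is an added example that is not part of the original article. It tells apart a portal with no encryption, one whose certificate can’t be verified, and one that negotiates a modern TLS version; the function names and sample URLs are assumptions made for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit


def strict_context():
    """Client context that verifies the certificate and refuses TLS below 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_portal(url, timeout=5.0):
    """Return (verdict, detail) for a device or vendor web portal URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # No network connection is needed to reject a plain http:// portal.
        return ("plaintext", "no https prefix: traffic is sent unencrypted")
    if not parts.hostname:
        return ("invalid", "URL has no host")
    host, port = parts.hostname, parts.port or 443
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", f"{tls.version()} with {tls.cipher()[0]}")
    except ssl.SSLCertVerificationError as exc:
        # Encrypted, but the certificate cannot be tied to a trusted issuer.
        return ("untrusted-cert", exc.verify_message)
    except ssl.SSLError as exc:
        # Handshake failed, for example because only old TLS versions are offered.
        return ("tls-failure", str(exc))
    except OSError as exc:
        return ("unreachable", str(exc))


if __name__ == "__main__":
    # Constructed sample URLs: a documentation-range address and example.com.
    for url in ("http://192.0.2.10/setup", "https://example.com/"):
        print(url, check_portal(url))
```

A device’s local setup page often uses a self-signed certificate, which this check reports as “untrusted-cert” rather than “plaintext”: the traffic is encrypted, but nothing proves which device is on the other end.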

If the gadget uses an app, research what permissions the manufacturer wants and what they do with the data they collect. Then, only download apps from first-party app stores. Apple bakes malware scans and developer background checks into its app verification process, while Google has an internal program that scans apps for malware and marks them as verified by Google Play Protect.

As for the device itself, confirm that you’re able to manually set passwords or verification processes. Avoid gadgets with “hard-coded” passwords, where the password for every device made by the company is the same.

If the item you’re considering allows guests to remotely access and control it, look up whether that feature can be disabled, a setting that’s often listed under “remote-management access.”

For devices that communicate with a server, such as security cameras, check how they send out data. Ideally, they should use end-to-end encryption, which keeps data secret, even from the company that runs the servers. This type of security is relatively rare in older smart home devices, but is more common in newer ones.

Buy brand names

Brand-name products aren’t any more secure than those made by a manufacturer you’ve never heard of, but well-known brands are more likely to fix problems through firmware updates and to publicly acknowledge issues.

The big names will also regularly update their apps and software. If an app hasn’t been tweaked in a while, it may be a security risk, as regular updates defend against newly discovered errors, bugs and other problems.

Brands may also send out alerts when they’re about to stop supporting a product. Those alerts are particularly important because as technology ages there’s less incentive for the manufacturer to fix newfound security issues. Once your smart home tech ages to the point where it’s no longer being updated, it’s time to get rid of it.

Our homes will inevitably become smarter, and that will be a good thing, saving energy and money. However, all technology has its flaws, and it’s critical to keep an eye out for problems before they get turned against us.