Securing IoT devices against cybercrimes and smart home threats

The Internet of Things (IoT) encompasses the billions of devices connected to the web globally with sensors, software and processing capabilities. While smart home devices are designed to make our lives more convenient, they can also introduce serious security risks to both work and home life.

Abusing IoT devices has become popular among cybercriminals. More than 77 million IoT malware attacks were reported, while more than 700 ads on the dark web offered distributed denial of service (DDoS) attacks facilitated via IoT botnets in the first half of 2023 alone.

Securing smart home and other IoT devices is an important action to take.

Security risks of smart IoT devices

Smart home devices have become ubiquitous. Smartphone apps enable individuals to monitor when their children come and go via security cameras, answer the doorbell, or adjust the heat at home — all while working at the office or while running errands.

While they may seem harmless, home IoT devices and their mobile applications often don’t have the security measures necessary to prevent third parties and cybercriminals from monitoring the homeowner’s daily routine or accessing personal and work information on connected devices. Their firmware can be outdated or contain unpatched vulnerabilities, and since it’s not unusual for patching or updating to fall to the bottom of the average homeowner’s priority list, these IoT devices can create security gaps in their network.

Data privacy risks of smart devices

To be effective, IoT devices are constantly listening, watching and gathering information. If cybercriminals can hack into them and access that data, the question can switch from “Are you watching your TV?” to “Is your TV watching you?”

The automatic content recognition embedded in smart TVs gives the manufacturer permission to track the shows watched and then share that data with third parties for programming recommendations and ad targeting. Knowing what else they do with the aggregate data once compiled is challenging. These manufacturers depend on consumers not understanding the extensive terms and conditions that permit them to access and store your data.

Many smart device manufacturers are in the business of collecting and selling our information for corporate gain. Yet that data could land in the wrong hands if one of those third parties experiences a breach. Individuals should research what kind of data is being collected and how it is collected, and then set limitations whenever possible.

Those concerned about data privacy might consider giving up some smart device functionality — because a manufacturer cannot leak personal data it has not collected.

The value of connecting devices or not

To minimize the security and privacy risks, individuals may want to think twice before connecting specific home devices to the internet. Here are a few device-specific issues to consider.

  • Digital assistants: These devices may be great for convenience but not privacy. Providers of these devices have admitted to retaining logs of the questions users ask and even recordings of audio when the device is not in use. In addition to the personal privacy concerns, remote workers — especially those who handle sensitive company data — should view digital assistant devices as a potential threat.
  • Security cameras and smart doorbells: Having the option to review recordings from in and around the home or providing that footage to law enforcement if something bad happens has its benefits. This functionality requires device providers to keep footage on the cloud, which could also give a bad actor direct, sometimes live information about what is happening in the home. At a minimum, it gives the device provider valuable information that can be used to create a profile of the home’s occupants, including likes, dislikes and movements. That information could be sold to marketing data brokers for lots of money.
  • Smart fridge: Like any smart device, a smart refrigerator is an endpoint that a bad actor can compromise. By compromising the fridge, cybercriminals may be able to move across the network to access sensitive data on personal devices or work-from-home computers.
  • Wi-Fi stoves: A threat actor who gains access to this device could turn up the heat, creating a physical risk to the home and the people inside. Similarly, a cyberbully could use such devices to annoy someone or raise utility bills.
  • Baby monitor: Strangers have been known to interact with children via cloud-based baby monitors—something that many parents would likely consider a significant privacy risk. Hacked monitors can also be used to eavesdrop on nearby phone calls, creating a risk for remote workers.

Using smart IoT devices safely

Every individual needs to consider the risks associated with each new smart device. Here are a few tips to help manage those concerns. Start by only purchasing from manufacturers that have a strong reputation for security and data privacy — and that back it up via contractual language. Then, to further protect the device and your network:

  1. Change default settings. Be sure to change the default username and password before using a device. Use a complex password or passphrase, and never use the same passwords for multiple devices or accounts.
  2. Install software updates. Most smart home devices don’t update their firmware automatically, so ensure all devices’ software and operating systems are up-to-date before using them.
  3. Consider turning off automatic content recognition. The risks from automatic content recognition are addressed above, and Consumer Reports provides a step-by-step guide to limiting the data that a smart TV can collect.
  4. Deploy two-factor/multi-factor authentication (2FA/MFA). Adding the additional verification step prevents criminals from simply using stolen login credentials. Activate this protection on every account and device you can and, if possible, use phish-resistant MFA.
  5. Safeguard your internet router. Set up your router with a unique name and create strong passwords to prevent others from accessing your Wi-Fi. This can help protect your network and any devices connected to it.