Chances are, you’ve seen some hair-raising news stories over the past few years about hackers gaining access to smart home devices, using baby monitors and security cameras to spy on users and sometimes even communicate with them. Nest has drawn the most headlines for these types of stories — see exhibits A, B, and C — but that’s mostly because it’s the most popular manufacturer out there. Competitors like SimpliSafe and Ring certainly haven’t been immune, either.
Research suggests that these aren’t just sensationalist news stories. According to a 2017 Norton report on cyber security, 7% of consumers have had someone gain unauthorized access to a smart home device, with another 13% knowing someone who has.
The good news is that reputable companies are constantly updating their security measures, so as long as you follow some simple precautions, you should feel perfectly comfortable using your smart home devices.
Why Would Someone Want to Hack Into Your Smart Devices?
There’s no single reason why these attacks occur. As the computer networking company NETSCOUT noted in its 2018 Intelligence Report, “The DDoS landscape is driven by a range of actors, from malware authors to opportunistic entities offering services for hire.” Motivations can range from simple hacktivism to more nefarious extortion and state-sponsored attacks.
While the creepiest stories usually grab the headlines, most hackers aren’t interested in messing with you. Your smart home devices are pawns in a larger game. “There are a number of reasons that cyber-criminal organizations would want control of our home IoT (Internet of Things) devices,” says Frances Dewing, CEO at cybersecurity company Rubica. “By infecting these smart devices with certain kinds of malicious programs, hackers can remotely control the devices and turn them into an army of thousands or millions of IoT robots.” As Asaf Ashkenazi, Chief Strategy Officer at Inside Secure, put it, “The target is not you. Your device is the target, but they’re using the device to attack somebody else.”
Your device can be used to launch DDoS (distributed denial-of-service) attacks, mine cryptocurrency, and hide criminal activity behind your network. One such DDoS attack in 2016 used a malware strain called Mirai to enlist connected devices to help shut down large swaths of the internet. As cybersecurity site KrebsOnSecurity wrote at the time, “Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.”
That said, while most breaches use your device for passive attacks like DDoS, it’s possible that your personal data may also be at risk in some cases. “The devices that make up a smart home can be a treasure trove for hackers,” Nate Lesser, CEO of cybersecurity company Cypient Black, told us. “Hackers can use a vulnerable smart home device to compromise other devices on your network — stealing financial information, health care records, or the equivalent sensitive information from your loved ones.” Ashkenazi agreed, saying, “What’s scary is that once they access the device, it’s not just that device that’s compromised. They now have a device that’s trusted in your network which they can use to access the data and traffic passing through your home network and the devices on it.”
How Your Connected Devices Get Hacked
The most common way to gain access to smart devices isn’t really a “hack” at all — criminals can simply log in using passwords that have been compromised through breaches on other websites. “Poor cyber hygiene such as reusing passwords and not using multi-factor authentication is the most common way in,” Dewing told us.
It’s also fairly easy for hackers to get in using default factory-set usernames and passwords. “If you haven’t changed to a custom password, then your device has the default one and these are easily discoverable and hackable,” Dewing says. To illustrate, researchers at Ben-Gurion University found that it took less than 30 minutes to do a Google search to track down a list of default passwords for the brand they wanted to hack into.
In other cases, the problem is with the manufacturer itself. “If it’s connected to the internet, potentially anyone can access the device,” Ashkenazi told us. “But the device is supposed to be able to authenticate the entities who are trying to access it. A lot of the problems come from companies using weak authentication methods that can be easily hacked.” That’s why it’s so important to invest in brands that place a premium on security.
How to Protect Yourself
With all that said, the best way to get hackers out of your home is to never let them in in the first place. As Lesser put it to us, “An ounce of protection is better than a pound of cure.” Here are some best practices for using connected devices in your home.
Stick to established brands
It’s best to stick to names you recognize when it comes to smart devices. Companies that have been in the market for longer have reputations to uphold and have likely gone through several rounds of software updates to fix bugs and improve security.
While companies like Nest and Nokia aren’t invulnerable to hacks, you can be confident that they’ll move quickly if a flaw is exposed. These companies also have thorough security measures like two-factor authentication that eliminate the most common points of access. To see the products we feel confident in, check out our reviews of home security systems, home security cameras, and smart hubs.
Update the device’s software
Every expert we spoke with emphasized regular software updates as the best way to keep your devices secure. “What the hackers are doing is scanning the internet and finding out which versions of software are running with the device. When they find a device that’s running an old version, they don’t need to be much smarter or develop any attacks. They just use well-available tools to use this vulnerability to access this device,” Ashkenazi says. In other words, when a device is running an old version of software, hackers have ready-made strategies for getting into them. “The best way to fight today in security is to just patch it fairly quickly before the hackers have managed to do something.”
When you purchase a smart device from a well-established brand, it should periodically provide software updates to address security issues. Many products, like Nest, update their software automatically, although you might have to enable this option. With other companies, it’s up to you to regularly check for and install updates. In some cases, that means plugging the device into a computer.
Use a unique password
Because most “hacks” occur simply by logging in with factory-set passwords, or ones compromised from other sites, it’s important to make sure that your passwords on connected devices are unique. Some password best practices include:
- Using long passwords
- Using random strings of characters
- Spacing out special characters
There are also a number of free password managers out there if you only want to remember one.
In addition, we recommend using an extension like Password Checkup by Google. When you sign in to an account, this will automatically check to see if your credentials were exposed by any data breaches.
Enable two-factor authentication
If your smart device offers two-factor authentication, take advantage of it. This means when you log in from a new device, you’ll be sent a unique code to your phone via text or voice call to confirm your identity.
Companies like Nest and ADT have made two-factor authentication a priority for their connected devices, as it essentially eliminates the low-hanging fruit for most hackers. In response to one recent hack that garnered a lot of publicity, Nest released a statement saying, “These recent reports are based on customers using compromised passwords (exposed through breaches on other websites). In nearly all cases, two-factor verification eliminates this type of the security risk.”
Make sure your network is secure
Strong cybersecurity starts with your router. If you’re using an older router that doesn’t support WPA2 (WiFi Protected Access 2) security encryption, it’s time to get a new one. WPA2 has been used on all WiFi hardware since 2006 and is continuously updated with the latest security, authentication, and encryption protections.
All of our top picks for wireless routers are WPA2-equipped, so we recommend starting there. Once you have a router you’re comfortable with, make sure the firewall is enabled. You should be able to find instructions for this in the router manual; if you can’t, Lifewire has a great walkthrough of the process here. Finally, remember to change the the default log-in credentials on your router as soon as you start using it.
Most of the experts we spoke with also recommended setting up a second WiFi network for your smart devices. “You should plug home automation devices into a network that’s isolated from the network you use for computers, tablets, and phones,” Lesser says. This keeps traffic separate from your general browsing activity, which is more likely to contain sensitive information like banking passwords. Because smart home devices tend to be more vulnerable than PCs or smartphones, this adds an extra layer of security. Some routers are able to set up multiple networks — this guide from Lifewire walks you through the process — but in most cases you’ll need to purchase a second router.
Use an identity theft protection service
In reality, there’s no panacea for securing your information short of staying offline entirely. If you want even more peace of mind, consider an identity theft protection service. For around $20 per month, these services monitor your credit and personal information and alert you to any suspicious activity. They can also exercise power of attorney to help you efficiently restore your identity in the event that it’s stolen.
How to Tell If Your Device Has Been Hacked
Unfortunately, you may never know if your smart home device has been compromised. “Sometimes there are no obvious signs. It can be easy for cyber attackers to hide and blend in with legitimate device traffic,” Dewing told us. Babak D. Beheshti, dean of the College of Engineering and Computing Sciences at New York Institute of Technology, agreed, saying, “If the criminals have done a good job, it is very difficult to tell if your devices are compromised.”
The biggest red flag for all connected devices — from baby monitors to voice assistants — is slower performance. “If your device is responding slower than before, it can mean that it is running some extra malware that is slowing its normal operation,” Beheshti says, adding, “If your device is battery powered, you may notice that the battery drains more quickly than before.”
If you notice some serious lag on your devices, check your home’s bandwidth consumption with your internet provider. Sudden spikes in data without changes in activity is a good sign that you need to take some additional steps, like changing your passwords and setting up encryption.
You can also use BullGuard’s Internet of Things Scanner, which can check if your connected devices appear on the search engine Shodan, a search engine for exposed devices. If anything shows up on the scan, immediately take it offline and check for any software updates. You can also use the site haveibeenpwned.com to find out if your email addresses are associated with any data breaches.
What to Do If Your System Has Been Hacked
If you suspect that your device has been hacked, there are a few things you should do immediately. First, disconnect it from the network. “As long as it is connected, it is helping the criminals,” Beheshti says.
From there, check to see if there are any software updates available online. If there are, installing them could potentially resolve the issue. Searching Google for news stories about a hack on your brand can also tip you off to potential problems.
If there aren’t any software updates, try changing the passwords or performing factory resets on both the device and WiFi network. Unfortunately, if none of these steps work, the problem may be with the manufacturer itself, in which case you aren’t left with many options but to wait for a software update.
As scary as this stuff sounds, there’s no need to swear off smart homes; you should still feel comfortable using smart devices as long as you follow some best practices. Ashkenazi put it to us like this: “Some security researchers that will tell you, ‘Don’t use anything.’ But I don’t believe that. Because a lot of these connected devices do make our lives easier. You just have to find the balance.”