Your Smart Home May Not Be As Secure As You Think.

Smart home devices can simplify many of your daily tasks: thanks to internet connectivity and simple automation features, you may never have to carry house keys, turn off lights, or touch the thermostat. However, all this convenience comes at a price, as smart technology is vulnerable to cyberattacks, putting your personal data and privacy at risk.
Here’s what you need to know to keep your smart home secure.
Is your smart home secure?
The short answer: no, not by default. Smart homes are vulnerable on multiple levels: from the devices themselves and your home network to physical endpoints like your phone that access and control your Internet of Things (IoT) devices.
First, IoT devices may have weak built-in security protocols or lack clear instructions for locking them down from their factory settings, making them vulnerable to hackers who don’t have to go to great lengths to access your data or spy on you. Wi-Fi routers and smart home devices often ship with default credentials that are publicly available, which makes them easy to compromise. Data shows that the vast majority of users have never changed their router’s admin password or altered its factory settings. If your home network isn’t secure, nothing connected to it can be considered secure either.
Smart devices can also be integrated into botnets, allowing attackers to carry out malicious activities such as taking over accounts and distributing malware through your home network. A recent example of this was the BADBOX 2.0 campaign, which targeted counterfeit consumer electronics manufactured in China.
Bill Budington, senior technical fellow at the Electronic Frontier Foundation (EFF), notes that the digital divide could increase risk for some consumers, who may seek cheaper devices from low-cost manufacturers that have weaker security and, if vulnerabilities are discovered, face far less reputational damage than companies like Amazon.
Finally, security can be compromised if your physical devices fall into the hands of criminals. For example, if you control your smart home using apps on your phone, a criminal could gain access to your smart home if your phone is lost, stolen, or hacked.
Smart homes may pose a privacy risk
Unsecured smart home devices can also compromise your privacy (and potentially your safety). Internet-connected cameras, from baby monitors to pet cams, are vulnerable to hacking, and attackers can use them to spy on you and your home. This could include following and tracking your movements, “shoulder snooping” to collect sensitive personal information, recording audio and video of your activities, and distributing or selling live streams on the dark web. (In 2018, a hacker reportedly verbally threatened a four-month-old baby through a Nest baby monitor.)
Your smart devices likely collect a lot of information about you during their daily activities, all of which can be exploited by criminals. For example, your robot vacuum cleaner creates and uses a map of your home to know where to go, and usage patterns of various automated systems can be used to track your movements and confirm your absence.
There’s also the possibility that your smart home devices are exposing your data to risks you’re unaware of and haven’t explicitly consented to. A 2023 report by security experts, prepared by the nonprofit IMDEA Networks and Northeastern University, shows that Internet of Things devices can inadvertently reveal personal data, which can be collected and sold to companies engaged in “surveillance capitalism.” Researchers have found that spyware apps and advertisers are exploiting local network protocols to access sensitive data, facilitating user profiling.
No security standards for smart homes
There is no single set of cybersecurity standards that smart home companies must adhere to, nor a convenient centralized resource where users can find this information. Earlier this year, in the final weeks of Biden’s presidency, the Federal Communications Commission launched the Cyber Trust Mark, a voluntary device labeling program to incentivize manufacturers to improve security and help consumers buy with confidence. However, the agency later launched an investigation into the program, leading to its delay.
For now, consumers are left to conduct their own due diligence. In 2017, the nonprofit Mozilla Foundation created a resource called *Privacy Not Included, which reviews products that meet “minimum security standards” and analyzes any privacy concerns. The site doesn’t appear to have been updated in the last year, but it still provides detailed information on the privacy and security records of well-known smart home system manufacturers, such as Amazon, Google, Wyze, and Ecobee.
Otherwise, Budington suggests simply researching the device you’re considering (and the company that makes it) before purchasing to see if researchers or users have reported any issues.
How to improve smart home security
Securing your smart home starts with protecting your internet connection through your router. We have a detailed guide to securing your home network, but at a minimum, you should change all default router settings—admin usernames, passwords, and network names—to unique, non-identifiable values, and enable encryption in your wireless security settings. Regularly check for updates that contain patches for security vulnerabilities, and scan devices connected to your network to identify suspicious devices and remove those you no longer use.
You can add another layer of security by setting up a guest network specifically for your IoT devices. This way, if your smart devices are hacked, everything connected to your main network (such as computers and phones with access to your personal and financial accounts) will be protected.
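One way to run the device check and the guest-network check described above, as an added example that is not part of the original article: it compares your router's DHCP lease list against an inventory you keep by hand. It assumes the router exposes leases in dnsmasq format (as OpenWrt-style routers do); the sample leases, the inventory, and the 192.168.50.0/24 IoT subnet are all constructed for illustration.

```python
import ipaddress

# Constructed sample, dnsmasq lease format: expiry, MAC, IP, hostname, client-id
SAMPLE_LEASES = """\
1767225600 aa:bb:cc:00:00:01 192.168.1.10 laptop 01:aa:bb:cc:00:00:01
1767225600 aa:bb:cc:00:00:02 192.168.50.20 thermostat *
1767225600 aa:bb:cc:00:00:03 192.168.1.30 robot-vacuum *
1767225600 de:ad:be:ef:00:99 192.168.50.77 * *
"""
# Hypothetical hand-maintained inventory: MAC -> (name, kind)
INVENTORY = {
    "aa:bb:cc:00:00:01": ("laptop", "trusted"),
    "aa:bb:cc:00:00:02": ("thermostat", "iot"),
    "aa:bb:cc:00:00:03": ("robot-vacuum", "iot"),
    "aa:bb:cc:00:00:04": ("old-camera", "iot"),
}
IOT_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed guest/IoT subnet

def parse_leases(text):
    """Return {mac: (ip, hostname)} for IPv4 leases; skip malformed lines."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            ip = ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        leases[parts[1].lower()] = (ip, parts[3])
    return leases

def audit(leases, inventory, iot_net):
    """List devices that need attention, as (finding, who, detail) tuples."""
    findings = []
    for mac, (ip, _host) in sorted(leases.items()):
        if mac not in inventory:
            findings.append(("unknown-device", mac, str(ip)))
            continue
        name, kind = inventory[mac]
        if kind == "iot" and ip not in iot_net:
            findings.append(("iot-on-main-network", name, str(ip)))
        elif kind == "trusted" and ip in iot_net:
            findings.append(("trusted-on-iot-network", name, str(ip)))
    # Inventory entries with no lease: candidates for removal from the network
    for mac, (name, _kind) in sorted(inventory.items()):
        if mac not in leases:
            findings.append(("not-seen", name, mac))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_leases(SAMPLE_LEASES), INVENTORY, IOT_NET):
        print(*finding)
```

MAC addresses can be randomized or changed, so treat the result as an inventory aid for spotting devices to investigate, not as proof of a device's identity.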
According to Budington, one way to further reduce vulnerability is to reduce the number of devices with their own wireless connections by connecting them through a secure centralized hub. Home Assistant is a self-hosted solution that can be installed on a Raspberry Pi or a regular PC, or used with the ready-to-use Home Assistant Green. Hubitat also provides local control over device data and integrates with various products, including those compatible with ZigBee, Z-Wave, and Matter standards.
Once your network is secured, you’ll need to perform similar steps for each of your IoT devices. Change default usernames and passwords to unique and secure alternatives and enable all available security features, such as two-factor authentication and encryption, in the device settings. Ensure your devices (and all apps used to manage them) receive automatic firmware updates.
You should also review your device’s privacy settings, removing permissions that aren’t necessary for its operation and disabling features you won’t use. For example, you might want to disable location tracking on your smart thermostat and voice control for devices other than your voice assistant.
Finally, while we’ve focused primarily on digital threats, your smart home isn’t immune to physical attacks. Be aware of possible ways to access your devices, such as devices installed outside your home, and ensure phones, tablets, and apps that control IoT devices are protected with a PIN or biometric authentication.
Remember that, by its very nature, anything connected to the internet is at least somewhat vulnerable to attack. You’ll need to evaluate your risk appetite and weigh the convenience of using a smart device against the possibility of it being hacked, and your privacy along with it. You may find that you simply don’t need to automate some things, so you might want to opt for a “dumb” option.