How to Keep Your Smart Home Safe From Hackers

Updated on 22nd Nov 2020 17:56 in General, IoT, Smart

A smart home is really just the common term for a house that has a multitude of network-connected devices. They can talk to each other and automatically react to certain situations as you program them. As great as this technology is, there are certainly some problems that come along with the benefits. The biggest problem tends to be security, as the more connected a home is, the more dangerous it is if an unauthorized entity gains access.

Cybersecurity

Disclaimer: This post contains affiliate links. As an Amazon Associate, I earn from qualifying purchases.

How cybersecurity is impacted in a smart home
The effect of the unknown
Cloud-based smart devices
What can hackers do with my smart home?
Why target smart home devices?
How to make your smart home secure

How cybersecurity is impacted in a smart home

The trend is to make more and more everyday objects smart, which is typically seen as a good thing as it makes our lives easier. In fact, we talk a lot about ways to make your home smarter on this site, and for a good reason! A properly set up smart home can make your life easier in several ways: either by saving energy with automations, providing reminders, or taking care of things, you'd rather not think about. The primary impact with all these gadgets appearing left and right is that there is certainly a lack of awareness about the potential security implications they bring about. Is the new smart TV trustworthy? What about the smart speaker?

Normally, a home will have a few vulnerable devices such as computers or smartphones, but in a smart home, there are potentially hundreds. In cybersecurity, this is called the "Attack Surface", which is used to describe the number of ways hackers could get in. "Get in" is a plain English way of saying "Attack Vector", which is commonly used when talking about the way a hacker obtained access to something they shouldn't have. Making your attack surface bigger is obviously a problem, and is exactly what happens every time you buy a new smart device. This is why it's important to take steps to secure your home, as otherwise, every internet-connected device becomes a point of entry.

The effect of the unknown

A common practice in the smart home industry is to mix and match products from various vendors to optimize financial savings. It's obviously logical to save money, but it's important to do so in a way that will not end up costing more down the line as a result of losses from an attack. The outcome of this practice is that many will end up with devices from relatively unknown manufacturers scattered around their homes. These cheaper products could be discounted because they ignored security practices during development, or because the company benefits from the information it could provide on the users. Whatever the reason may be, it's important to consider who built the devices you plan on buying and what interests they may have.

Despite the problematic nature of this, it's unlikely that a manufacturer will purposely compromise their own products. What's more likely is that their systems get hacked and that a third party gains access to your information, or worse - direct control of your smart devices. While that may seem like a nightmare scenario, the reality is that with so many products being controlled by the cloud, it really could happen. If someone gains access to the servers, it won't matter how secure your home is because the server can send commands to your devices that will just be executed without question. As a result of all of this, it's typically better to stay with well-known brands that have an interest in taking security seriously - not just making the cheapest product possible.

Unknown manufacturers could leave security holes — Unknown manufacturers could have all sorts of problems

Cloud-based smart devices

I have an entire article dedicated to this topic, but the summary is that cloud systems you don't control should at least make you uncomfortable. The idea is simple: you buy a product at the store, and once you connect it to the internet, it just works! While the benefits sound great, these devices almost always come at the cost of your home's security. You have no control over what the cloud system is doing - you rely completely on the company to handle things properly. Even though cloud systems are trusted in many situations, they tend to be ones from massive companies like Apple, Microsoft, Sony, and others of the sort.

As you may have noticed, Sony isn't on that list by accident. In 2011, they suffered a huge data breach on their Playstation Network in which approximately 77 million accounts were compromised. In another case, Equifax (one of the largest credit bureaus in the US) suffered a massive data breach that exposed around 147.9 million customers. All this is to say that if big companies can be hacked, smaller ones certainly can too. The important thing to realize with any cloud service is that the trust is completely in the party running the service, as there is next to nothing you can do to prevent such a breach.

What can hackers do with my smart home?

Alright, so we understand that there are quite a few ways for hackers to gain access to your home, but what are they going to do and should you even be worried? The answer to the latter is probably yes, you should be worried depending on how much you value your information. As an example, hackers could gain access to your smart locks and sell your entry codes to burglars, or they could find out exactly when you are away from home to plan a robbery. They could also potentially obtain your financial information via a hacked smart speaker that may be connected to e-commerce accounts.

A little known fact is that any device on your network can see a surprising amount of data being sent by other computers, such as a bank transaction as an example. They could hack a smart plug and use it to record sensitive information transmitted over an insecure connection (always use TLS!). In a less personal way, they could compromise all of your smart devices and use them as part of a botnet, which is the name given to a large number of computers that are under the control of a hacker group. They can be used to launch massive attacks to take down websites and all sorts of internet systems.

It gets worse, even though you aren't the direct target of these attacks, your equipment will be part of the attack and will possibly use large amounts of bandwidth in doing so. That could significantly slow down your internet connection and in a worst-case scenario, even run up a large bill for data capped plans. Trust me, you don't want to be unwillingly a part of a botnet. Your devices could behave normally and suddenly start acting strange as they begin to focus on flooding the network with data packets in an attempt to take down a website. What's worse? In some places, you, as the owner of the internet plan, are responsible for any nefarious acts performed on it.

Why target smart home devices?

At this point, you may be wondering: why are smart home devices picked on so much? The reason is quite simple actually - most people aren't experts in IT or cybersecurity, so any digital system they run is going to be easier to hack than their commercial counterparts. A large number of products will ship with a default password that is rarely changed, giving an easy way in for anyone who isn't authorized. Another reason is that as we mentioned earlier, security is not a priority for manufacturers, leading to inevitable security holes. They would much rather reduce cost and add new features to entice customers as security is very rarely a selling point people care about.

There's also the size of the reward for breaking smart home products. Typically, it will take hackers a long time to find a suitable hole in a given system that they can exploit. The reason everything isn't constantly hacked is that most systems are different enough that what worked on one, won't work on another. This isn't really the case with smart homes, tons of manufacturers use the same hardware with slightly different software. Even when they are not similar, the payoff for hacking a particular smart bulb, as an example, is huge. Everyone who has that bulb is now vulnerable, which could be hundreds of thousands or even millions of people.

How to make your smart home secure

So how do you make a smart home secure if they are so many ways to attack them? The first step is always to start at the first point of any sort of hack, your router. In many ways, the router is like your front door. However, unlike the front door, the router opens directly onto a highway that every person in the world has access to. It is for that reason that all security improvements must start here. Many will use the router provided by their ISP, but these are often not ideal or even secure in some cases. If you value security (and performance), consider getting a different router from one of the many vendors - I recommend Ubiquiti (link to Amazon).

The other important thing to keep in mind is who you are buying this stuff from. There are a few key items you should check before committing to a manufacturer:

What is their privacy policy? (does it align with your expectations?)
Do they push remote updates? (automatic updates can be dangerous)
How do they store your data? (data storage is especially important when handling sensitive information)

All of these are great ways to take the first steps towards securing your home. Here are a few more that will put you ahead of the pack when it comes to cybersecurity.

Change all default passwords

There is simply no excuse for this anymore. If your login details are "admin" "admin", go change them immediately. The first line of attack is to walk right through the front door by using the keys. When you leave the default password, you are effectively giving hackers the keys to your house. For bonus points, you can also change the username. Anything with "admin" or "administrator" will be the first thing hackers try, right after the password listed in the manual.

Use strong WiFi encryption

Putting a password on your WiFi network may seem annoying, but using strong encryption is key to maintaining a secure network. If the network has no password, anyone can see the data flying between your devices and your router, as the transmissions won't be encrypted. Ideally, you would use a strong type of encryption, such as WPA2. Keep in mind that even that has been cracked and that it is technically possible for someone to hack it. Despite the possibility, it's unlikely anyone is going to crack your network and having some form of encryption is always better than nothing.

Use a guest network

Guest networks don't make sense to many people: both networks can access the internet, so why bother? The reason is actually to keep guests away from critical things, such as your smart devices. If no one but the people who live in your house has access to the network the smart devices are on, they are much more secure from malware which could be on a guest's laptop or phone. Most modern routers will support a guest network, and if yours doesn't, you may want to consider getting a new one for the reasons listed previously.

Use a strong WiFi password

The password could really be anything but stay away from common options such as "password" or "123456" (both on the top 100 password list). It doesn't need to be impossible to understand, but try to find something that isn't a word in the dictionary and involves some numbers to make it harder to brute force. As brute-forcing is when an attacker tries all possible combinations until one works, you want yours to be difficult to find (not a real word and pretty long).

Update device software

Everyone knows it's a pain to update the software, especially when it doesn't bring any cool new features. At the end of the day, companies often release updates to patch security holes, even if they don't specify it in the changelog. That's why it's so important to update the software of your network-connected devices, as otherwise you could be hit by an exploit that was fixed by the company long before it happened.

Avoid cloud-based products

If possible, stick with devices that use a local hub to function, such as HomeKit, Z-Wave, Zigbee, or one of the many others. Check out my list of smart home protocols to find one that works offline! Once a device needs the internet to function, you are forced to allow it through your firewall, providing a nice entry for potential hackers. By using a hub, there will only be one point of entry if remote access is enabled, as opposed to one for every device on the network.

Use a separate network for smart devices

This point is different than setting up a guest network because here we are putting the smart devices on a different network, not the users. The idea is to keep them away from the internet (and other computers) by placing them on a network that only has local connections. Hubs will then be connected to the internet while the network the smart devices are on can only connect to other devices and the hub. There is now only one way in, through the hub. Reducing your attack surface always makes it easier to manage security.