Create a strong password
Creating unique passwords is especially important when you consider the number of devices that may be in an IoT household (17 on average, according to market researcher Telsyte).
Each type of device usually comes with its own app that you either need to create a new account for, or log in to with an existing account – such as one you use for Google products or Facebook.
You also have your router and Wi-Fi passwords to consider. It only takes one weak link to gain access to your home network.
Don't use single dictionary words followed by a number or symbol. If you use two words, make them unrelated and not publicly-available information (no pet or family names).
A useful technique is to turn a memorable phrase it into an acronym. So "A bird in the hand is worth two in the bush" might become "Abinhiw2itb". Easy to remember, but difficult to crack.
Don't use the same password for multiple accounts. If you write them down in a book, make sure it's locked away from prying eyes.
Better yet, use password management software, which can store unlimited unique passwords, create new ones and sync them between desktop and mobile devices.
Your home network's front door
Think of your router as your front door to the internet. You wouldn't leave your house open or unlocked night and day; nor should you neglect your internet doorway.
A secure router is the key to a secure home network.
Secure your Wi-Fi
Your router creates your home wireless network(s). It will usually give each network a default name (SSID) and password. Don't stick with your router's default name, which is often its make and model.
If people know the make and model they may be able to look up the default login and password and (if you haven't changed them) get into your home network, from where they can access your other devices.
When changing your Wi-Fi network name, avoid personal details such as your family name or address. It should be a name that you can easily identify on a list of local networks that come up when you want to connect a device such as a computer or mobile, but not one that tells everybody else who you are and what equipment you're using.
People often change their network name to something they find humorous, such as: "“Hands off, buddy", "Get your own Wi-Fi", or "Tell my Wi-Fi love her". Be creative. Or not; it's up to you. Just don't be informative.
Likewise, set the network password to something unique. You can do this for each wireless network created by your router. For example, if you have a dual-band router (which includes 2.4GHz and 5GHz bands), you could have different names and passwords for each one.
Also choose the highest level of encryption, WPA2 (soon to be replaced by WPA3). If your router only supports the earlier WPA or WEP protocol, it's time to replace it.
Secure your router login
While your Wi-Fi network name and password let you join your devices to the network, your router's login details are what you use to change settings within the router itself. Anybody who knows these can get full control of your router.
You should be able to access your router's menu on the device itself – usually as a sticker on the underside – or in the manual. Jump onto a computer and follow the steps to log in to the router itself, then change the user/admin name (if possible) and password.
It's common for routers to have the login name as "admin" and sometimes they don't let you change this. But it's vital you change the password, which on some models may be as simple as or "1234", "password" or simply blank.
Also check that your router's built-in firewall has been enabled. A firewall polices your network to prevent unauthorised traffic entering or leaving.
Check for unknown devices
Once you log in to your router's settings menu, you should be able to check which devices are connected to your home network, whether it be via Wi-Fi or ethernet cable.
If there are any you don't recognise, change your Wi-Fi network password. This won't log out anything that's connected via a cable, but it will force all Wi-Fi devices to sign back in with the new credentials.
There should be an option to check for firmware updates within your router settings.
Firmware is the software built into the router that controls how it works. These updates may include vital security measures. If you find any firmware updates pending, install them immediately.
Set your router to do this automatically, or make sure you do a manual check every few months.
Likewise, many IoT devices don't update automatically, so you'll have to manually check for updates.
Quarantine your IoT devices
You can protect your main network against IoT threats by setting up a separate home sub-network just for your IoT devices.
An easy way to do this is to put them on your router's guest network (most modern routers have this feature).
This lets people such as friends get temporary access to your internet connection, but doesn't let them see your local network. Some devices even let you set time limits for guests.
Putting IoT devices on a guest network keeps them isolated. This way, if anybody does manage to access an IoT device through a backdoor or other hacking exploit, they can’t leapfrog to any of your important devices, such as your computer or smartphones.
Some routers also have a guest network feature called AP isolation, which stops devices on a guest network talking to each other.
Security tips for Internet of Things devices
- Create a unique login and password for every IoT device's online account and apps. Don't share the same details between devices.
- Don't connect if you don't have to. While some IoT devices need the internet to work, others don't. For example, if you don't use your TV's built-in smart features (maybe you use a media device, such as a Chromecast, instead), don't connect it to your home network.
- Update when prompted. Like your router, updates to devices and their apps have important security measures.
- Use VPN security software when on public Wi-Fi. If you don't, it's relatively easy for cyber snoops to see what you're doing and possibly even install malicious software (malware) on your devices. If, for example, you happen to check one of your IoT smartphone apps while they're snooping on your Wi-Fi connection, you've potentially unlocked that backdoor into your home network.
Disable IoT features you don't use
- Many IoT devices let you control them from anywhere. If you only need to use them on your home Wi-Fi connection, disable remote access.
- Many smart speakers have Bluetooth in addition to Wi-Fi. If you don't use it, turn it off (if there's the option to do so).
- Some modern TVs come with voice input, but this feature goes unused even in voice-controlled households where smart assistants such as Google Assistant, Siri or Alexa run the show. But an active mic can also be used to listen in on your conversations if compromised
- You can find cameras in the darndest places, such as on some smart vacuums, Wi-Fi-controlled toys, and smart screens. Older Xbox One gaming consoles also came with the Kinect motion sensing camera, which isn't necessary for it to function and is not longer supported by Microsoft.
- Physical feature disabling is best. If a device has a physical mute button for the microphone or a lens cover for the camera, make use of them.
Do your research
Look up products before you buy to see if serious vulnerabilities have been discovered or if their manufacturer has stopped supporting them.
While IoT is still a new industry, it's been around long enough that some gadgets have stopped receiving security updates. Avoid these products wherever possible.