Vivid Headlines

6 tips for securely adding IoT devices to your home network

By Elliot Alexander


Internet of Things (or IoT) devices have a notoriously bad reputation for security. Because they are designed to have the smallest footprint possible (that is, to be tiny, low power, and cheap), manufacturers often resort (intentionally or not) to less-than-best security practices in order to lower their costs and maximize profits. This can be true of everything from smart home sensors to Wi-Fi-connected lightbulbs and smart home appliances. Especially if you're buying from a region of the world where you might have broader security concerns, it's best to take steps to keep these devices secure.

There are some practical considerations to these devices too, especially if you've got many of them. Depending on how they're set up, they can generate significant broadcast, unicast and multicast (BUM) traffic, which is addressed to every device on your network. This can, in some circumstances, slow down your home network and put extra load onto your router.

So here are a few tips (in no particular order) for setting up IoT devices on your home network safely and securely, ranging from ensuring they're well isolated to inspecting problematic devices yourself.

6 Place IoT devices on a separate VLAN


This one is probably the most essential recommendation for IoT security: logically isolate your devices from other traffic on your network. This prevents a malicious IoT device from attacking other devices directly, i.e. acting as a jump box for a would-be attacker to gain access to your network, or intercepting potentially unencrypted traffic intended for your other devices. Giving a malicious actor access to your whole network opens you up to a huge range of attacks, so many that it's almost impossible to list, let alone mitigate, them all without simply isolating the device on your network.


The typical way to do this is to set up VLANs (Virtual LANs) to place IoT devices on. This way, traffic from your IoT devices is kept separate from the rest of your network. VLANs are typically configured on your router, and the functions available to you will vary depending on which router you've got and how it's configured. A good example of how to set it up can be found in this YouTube video.

5 Buy from reputable brands

Part of the problem with IoT devices is that they're easy to produce, often white-label goods, and effectively black boxes of functionality with little to no public documentation. This means that security researchers need to take a full black box (i.e. zero trust/knowledge) approach when testing these devices, which is expensive and time-consuming. The result is that many white-label or smaller IoT brands aren't tested at all by professionals.

You could do some amount of testing yourself by monitoring the traffic coming into and out of a device to check basic security measures, such as the use of HTTPS, and trying to inspect what kind of remote interactions the device is having, but this is far from foolproof and unlikely to be useful for anything beyond the worst offenders.

Hence, it's important to buy from a reputable brand, even if it costs a little bit more. Reputable manufacturers are also more likely (we'd hope) to maintain secure web-portals and provide regular software updates for your devices, which can help mitigate known vulnerabilities.


4 Change default username and passwords

This one is an age-old recommendation, but plenty of people ignore its importance for IoT devices. Whether it's your router or lightbulb, it's important you change away from any default usernames and passwords. Default credentials can be more easily exploited if your devices are accessible to the internet or via another device on your network, allowing a potential attacker to traverse your network easily.

If you've got lots of devices, we recommend keeping your details in a password manager, and making use of randomized passwords to avoid repetition.

3 Enable two-factor authentication for online accounts

Many IoT devices come with cloud integration, allowing them to be remotely managed from an online account. You should treat these accounts as just as important as any others in your life, and ensure that they've got strong two-factor authentication enabled at all times. This prevents an attacker from using a compromised cloud account or reused online password to potentially gain access to your home network.

The concern here applies especially to devices with a big privacy impact if compromised -- for example, home cameras or internal security systems.

2 Disable IoT devices when not in use

One way to improve the security posture of your IoT devices somewhat is to power them down when not in use. This isn't strictly a mitigation, and arguably falls under a slight 'security through obscurity' assumption that less time connected to the internet means less chance of being hacked, but it's unlikely to hurt.


If you can, we'd suggest limiting access to your devices to certain times of the day via your router. If you're on holiday or planning to be away for a long time, then you could consider disabling some devices completely for that period.

1 Monitor your devices' traffic for outliers

If you've got a router that supports it, monitoring traffic from your devices is a great place to start with protecting your IoT devices. This might involve monitoring the ports a device is communicating on, the volume of traffic being sent to and from a device, whether your device is communicating with other devices on your network, and the times when internet traffic is being sent. A large volume of traffic at irregular times, or in random bursts of minutes or hours, could indicate that your device is exfiltrating some data from your network, or participating in malicious activity online (such as a botnet).

There's no hard and fast rule for how much traffic a device should be using, but upload traffic is about the same as download traffic; for example, a streaming video device will use approximately 400Mb of data per hour for a 480p video. Devices with simple control functionality, like lightbulbs or smart lamps, should be using basically no internet traffic at all.
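
The four signals described above (ports, upload volume, traffic to other local devices, and time of day) can be checked mechanically if your router can export per-connection records. This is an added example, not code from the article; the record layout, subnet, device names and the 10x burst threshold are assumptions, and the sample data is constructed.

```python
import ipaddress
from collections import defaultdict
from statistics import median

LAN = ipaddress.ip_network("192.168.20.0/24")   # assumed IoT VLAN subnet
GATEWAY = ipaddress.ip_address("192.168.20.1")  # assumed router address

# Constructed flow records: (day, hour, device, dst_ip, dst_port, bytes_up)
BASELINE = [
    (d, h, "bulb", "203.0.113.10", 8883, 2_000)
    for d in range(1, 4) for h in (7, 8, 19, 20, 21)
] + [
    (d, h, "camera", "203.0.113.20", 443, 150_000_000)
    for d in range(1, 4) for h in range(8, 18)
]
OBSERVED = [
    (4, 20, "bulb", "203.0.113.10", 8883, 2_100),        # matches baseline
    (4, 3, "bulb", "198.51.100.7", 23, 40_000_000),      # 3 a.m. burst, new port
    (4, 9, "camera", "203.0.113.20", 443, 160_000_000),  # matches baseline
    (4, 10, "camera", "192.168.20.50", 445, 9_000),      # reaches a LAN peer
]

def learn(flows):
    """Per-device profile: ports seen, active hours, median upload per flow."""
    prof = defaultdict(lambda: {"ports": set(), "hours": set(), "up": []})
    for _day, hour, dev, _dst, port, up in flows:
        prof[dev]["ports"].add(port)
        prof[dev]["hours"].add(hour)
        prof[dev]["up"].append(up)
    return {dev: {**p, "up": median(p["up"])} for dev, p in prof.items()}

def findings(profile, flows, burst_factor=10):
    """Return (device, day, hour, reasons) for flows that deviate from profile."""
    out = []
    unseen = {"ports": set(), "hours": set(), "up": 0}  # device without baseline
    for day, hour, dev, dst, port, up in flows:
        p, ip = profile.get(dev, unseen), ipaddress.ip_address(dst)
        checks = [
            (port not in p["ports"], f"new port {port}"),
            (hour not in p["hours"], "unusual hour"),
            (up > burst_factor * p["up"], "upload burst"),
            (ip in LAN and ip != GATEWAY, "talks to LAN peer"),
        ]
        reasons = [label for hit, label in checks if hit]
        if reasons:
            out.append((dev, day, hour, reasons))
    return out
if __name__ == "__main__":
    print(findings(learn(BASELINE), OBSERVED))
```

A device with no baseline at all is flagged on every signal, which is the behaviour you want for something that has just appeared on the network.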

Your home security is important

If you're planning on setting up a smart-home, or bringing some IoT devices into your life, then consider the implications for your home cybersecurity. While it can seem far away, the consequences of poor home security can be massive. By taking a few simple steps, and being aware of the devices you're introducing to your network, you can massively improve your security posture and reduce your risks.
