
Cybersecurity: The Internet of Things

If you're reading this, I'm willing to bet that you have some kind of smart device in your possession. Maybe it's a smart TV or a Roku Stick. Maybe it's an Alexa or Google Home. Maybe it's a Nest Thermostat or a Ring doorbell. Once upon a time, I would've said that you should simply avoid these devices. However, I think that we're moving into an age where that advice is antiquated. It's becoming harder and harder to escape the "Internet of Things," so rather than avoidance I want to use this section to teach you hardening.

But Still, Avoidance

Having said that, let's start with avoidance. Obviously none of us really needs any of the modern "creature comforts" to survive, so I'm not going to be the curmudgeonly old man decrying kids and their newfangled gadgets. However, it is important that we realize that each one of these devices we bring into our lives puts us at risk, both in terms of privacy and security. The smart TV you purchase not only reports invasive usage statistics; devices like it also offer hackers a way into your home through things like missing updates and default passwords. Yes, believe it or not, a light bulb can be used to access all the other devices on the network.

So again, while I'm not here to say "don't buy the smart device," I am here to ask "is it worth the risk?" Do you really need to know the second a package arrives at your doorstep? (First off, you should be using a PO Box instead of your home address, so no.) Do you really need a fridge that tells you the milk has gone bad? Maybe if your nose doesn't work, but otherwise I'd say no. However, these answers vary from person to person. I can live just fine without TV, so a smart TV is definitely something I would rather pass on. Someone else may be a film buff and may find a lot of value in a TV that can stream from dozens of services easily. There are no wrong answers here, but I do encourage you to first ask yourself if the value a smart device brings you is worth the privacy invasion and security risk that comes with it. If not, either find a dumb device or pass altogether. In my experience lower-end stores like Walmart still offer dumb devices, but there's also always the choice of a re-use market like Craigslist or Goodwill.

If You Must

If you decide that you want a smart device, or for some reason you are unable to locate a dumb version of the device, there are several key pieces of conventional wisdom that will help to dramatically increase your privacy and security while using said devices.

  • Make sure to change all default passwords and login information. Most devices - including routers - come with a default username and password. There are free databases all over the internet (and manuals) that disclose this information to anyone, meaning criminals and hackers have easy access to the admin privileges of those devices. Change the default password (and username, if possible) using a password manager to prevent easy access.
  • Go through every setting on your device and make sure that you have disabled all settings that share data and analytics.
  • Make sure all your devices are set to auto-update. If there is no auto-update option, set a reminder to periodically check for updates and install them when they become available.
  • Buy a router that supports "VLANs," which are virtual second networks. Without going into detail, putting two devices on separate VLANs (for example, a computer and a TV) makes the devices act and think as if they are in completely separate locations. The devices are completely isolated from each other on the network, so if one gets compromised the other is safe. Ideally you'll want to have all your IoT devices on one VLAN, then all your network devices (phones, laptops, etc) on another. IoT devices requiring network connectivity (such as smart TVs or assistants) can still be given network access through the router's settings.
  • Make sure to couple all this advice with other advice on this site (for example, use a forwarding email to set up your accounts and use strong passwords and two-factor authentication on all accounts).
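
One way to check that the VLAN separation described above actually holds, as an added example that is not part of the original article: run this from a laptop temporarily joined to the IoT network and see whether anything on your trusted network answers. The addresses and ports are constructed placeholders, and the `probe` and `audit` helper names are this example's own.

```python
import socket

# Constructed sample values: addresses of devices on the trusted VLAN and
# ports they commonly listen on. Replace them with your own.
TRUSTED_TARGETS = [
    ("192.168.10.20", 22),    # laptop, SSH
    ("192.168.10.20", 445),   # laptop, file sharing
    ("192.168.10.30", 5000),  # NAS web interface
]


def probe(host, port, timeout=2.0, connect=socket.create_connection):
    """Classify one TCP connection attempt made from the IoT VLAN.

    'open'     - handshake completed: traffic crossed between the VLANs.
    'answered' - connection refused: something sent a reset back, either the
                 target itself (isolation is leaking) or a router that
                 rejects instead of silently dropping. Check the router.
    'blocked'  - timeout or no route: nothing came back. This is the expected
                 result, but it also occurs when the target is powered off.
    """
    try:
        connect((host, port), timeout=timeout).close()
        return "open"
    except ConnectionRefusedError:
        return "answered"
    except OSError:  # includes timeouts and "no route to host"
        return "blocked"


def audit(targets, **kwargs):
    """Return (host, port, state) for every target that was not blocked."""
    findings = []
    for host, port in targets:
        state = probe(host, port, **kwargs)
        if state != "blocked":
            findings.append((host, port, state))
    return findings


if __name__ == "__main__":
    leaks = audit(TRUSTED_TARGETS)
    for host, port, state in leaks:
        print(f"{host}:{port} {state}")
    print("isolation holds" if not leaks else f"{len(leaks)} path(s) to review")
```

Run it while the trusted devices are powered on, since a device that is switched off also shows up as blocked.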