This article was first published Friday Dec. 2, 2022 in my weekly newsletter.
This week we learned that Anker, the company behind the Eufy brand of connected devices, actively lied about serious security flaws in its smart home cameras. In the meantime, I spent the last few days immersed in discussions about privacy and cybersecurity.
So I figured it’s probably a good time to explain what I do to protect my home network and how I think about the risks of using various connected devices in my day-to-day life. Feel free to take any of this for your own use, and to ask questions (or tell me about flaws in my thinking) at stacey at staceyhigginbotham dot com.
I get a lot of questions about how secure particular devices are, usually from someone who wants to buy a connected gadget and is worried about it getting “hacked.” If the device is a camera, the asker usually wants to make sure that it won’t be used to spy on them inside their home. And if it’s something like a smart plug, they are mostly worried about a bad actor controlling the device over the internet — think unlocking a connected door lock or turning a lamp on or off using a vulnerable smart plug.
Few of them are worried that their devices will become part of a botnet or that a device might be used as an entry point into the network and then as a way to deliver ransomware to a personal computer or exfiltrate data. But the first scenario is the most likely result of a vulnerable device being found on the network. The second scenario is the one I’d be most concerned about. This is partly because I don’t have cameras inside my home.
So for those of you worried about your cybersecurity, I’d suggest starting by assessing your risk profile and getting a general sense of which “hacks” are most common. Most of us have a pretty low risk profile. We’re not government employees at top secret agencies or engineers at Apple designing competitive hardware. Those people are incredibly likely to be hacked by people who have the time and money to target them.
But for most of us, the biggest “hacks” to worry about are those that are one-to-many and those that are so easy and public that anyone can spend a few minutes and gain access to our devices. With that in mind, I will also stop using the word “hack” indiscriminately because many events that are reported as hacks of smart home devices are really just some lazy stranger logging in and taking over a device because they found someone’s credentials on a website somewhere (likely as a result of an actual hack) or they guessed that their password was 1234.
So to avoid these lazy stranger hacks, the advice I have is twofold. First, use multifactor security on important devices such as cameras and Wi-Fi door locks. Second, use unique passwords for your connected devices. That way, when your grocery store loses your password and email, those credentials won’t work to access your connected camera. If someone does get the passwords, with MFA turned on, they have a difficult step to overcome to control the device.
One-to-many hacks are those in which a bad actor can get access to a device remotely by taking advantage of a vulnerability they’ve found. The bad actor may have developed the vulnerability themselves or they may have found it online in a forum. When I read about new vulnerabilities, I am looking for those that can be taken advantage of remotely, without needing physical access to a device; those that allow for physical control or access to data collected by the device; and those that can change the software on the device (like add malware or exfiltrate data).
Notably, a vulnerability can be as complex as malware or it can merely be someone realizing that if they type in a certain number and go to a website, they can see a camera feed. The Eufy security camera issue is one example, because it’s a one-to-many vulnerability that can share access to hugely private data (since the device is a security camera.) This is what cybersecurity folks think about when trying to assess how much effort to put into protecting a device or mitigating a vulnerability. The Eufy flaws are a big deal.
It’s hard, as a normal person, to think this way. But doing so is becoming ever more important, especially if you want to fill your home with connected devices.
Here’s how I apply this thinking in my day-to-day life.
I use multifactor authentication (MFA) on any device that has a camera or takes highly personal data. If the vendor of a camera doesn’t offer MFA, then I don’t buy it. Also, before I buy any connected device, I run a quick search on the brand to see how it has handled prior security issues. Does it patch vulnerabilities? Sue the person who found it? The first is good. The second in terrible.
I also look for features such as encryption, especially of data as it travels from the device to the cloud, and ideally once the data is in the cloud. When it comes to encryption, more is better. Even something as simple as a light bulb turning on or off can be an indicator of whether or not someone is at home and what room they are in. I can track my husband’s showers by looking at the humidity data coming from the air quality monitor in our room.
Once I bring a device home, I make sure that I can change the password and that there are no physical reset buttons that someone can easily access. Then I hook it up. Once a device is on the network, things get fun. Here’s where I advocate for an extra layer of awareness, especially as your threat model increases and as you add more devices.
This is also where services such as Eero’s security subscription, Comcast’s Xfinity xFi Advanced Security, or physical devices such as Firewalla or Everything Set come in. I strongly advocate for some type of network monitoring as you add more devices because the more you add, the more places there are for someone to access your network. (The security industry calls this a larger attack surface, but I can’t think of my home in terms of an attack surface and feel cozy.) I’ve played with most of the mentioned services and a few more, so look for more reviews and conversations about them in the coming weeks.
The moment your data leaves your network and goes to the cloud, it’s game over (and that also means your device will be an expensive doorstop when, not if, the cloud backend is discontinued or put behind an expensive subscription plan. That’s why we need to move to fully self-hosted solutions like HomeAssistant.
In case anyone else comes here from their news feed…
Ignore the entire article.
Use separate network / vlan for the IoT devices so they can’t connect to your lan and they have limited / no access to the internet.
I do like the idea of using a separate network altogether for IOT devices: we do that at our home. But these days many IOT devices require internet access, whether it’s a platform requirement, as with Samsung SmartThings or Tuya, or for a voice assistant or camera system. And any system that allows control, alerts, or camera viewing while you are out of the building will likely have an internet connection of some kind.
If you choose to use one of those options then even with a separate network you may still want to take extra security steps if only to avoid your devices becoming part of a hostile botnet.
So as always, different things will work for different people.
Easy, don’t buy anything connected. Everything in my smarthome is not connected to the internet.
Many devices (like Tuya) can be flashed with tasmota for example, making it not cloud connected.
These answers ^^
Plus collecting data and automating on your local, segmented network as much as possible. Devices that support mqtt for example, with a local broker.