Stacey on IoT | Internet of Things news and analysis

How to best secure your smart home with all those smart device accounts

August 17, 2020 by Kevin C. Tofel

This pile of gadgets could use better security.

On the most recent IoT Podcast, Barry called in with a security question. He currently segments his home network to keep IoT devices separate from regular internet usage. But he’s concerned about security because each smart home device requires its own separate account. What if one of them gets hacked?

First off, the network approach is a smart one here. If a smart device or the credentials for it are hacked, the attacker's reach is limited to the IoT segment rather than everything on his network. So that's a good line of defense.

What about all of those device accounts though? 

This is an unfortunate situation in today’s smart home but it is the way most devices work today. Hopefully, CHIP or some other initiative will change this in the future.

But now when you set up a Wyze camera, a Philips Hue bridge, a Nest doorbell, whatever device you have, you typically have to create an account to use it. And if you consolidate device controls to a smart home hub or smart speaker, you generally have to link those accounts to the hub or speaker through some authorization process. 

Sometimes that's done through a system such as OAuth, where the hub or speaker receives an access token rather than your password, and sometimes not: In the latter case you're actually giving your device account credentials to a third party.

In either case, you’re relying on the device makers and those third parties to secure your credentials, your information and their databases, just as you do with your email account and your email provider, for example. 

For this reason, we tend to recommend well-known brands that haven't had security breaches or that, if they have, mitigated them quickly and with full transparency. Put another way: If you come across a smart device from a brand you've never heard of, either research its security practices and history, or steer clear of it, at least for some time.

Also, try to use devices from companies that offer, or better yet require, a solid two-factor authentication (2FA) solution for the device accounts. Using SMS for 2FA is better than nothing, but the preferred solution is using an authentication application or a 2FA hardware key for stronger security.

Google’s Titan Security key for 2FA

The last recommendation we have is super important and something that every smart home owner should be practicing: Use a different password for each of your smart home device accounts. Yes, this can be a pain; however, there are excellent password manager applications to help manage all of these different sets of credentials.

The main reason for doing this is the worst-case scenario. If, for example, the credentials of just one smart home device are compromised, you've limited the access to just that device. On the other hand, if all of your device credentials are the same, you run the risk of providing access to all of them.

This is also a good reason never to reuse your home network password for any device account: Once a hacker has access to your network, you've potentially given them access to your smart devices and everything else such as internet browsing history, any unencrypted transactions and more.
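To check both rules at once (no shared passwords between device accounts, and no account reusing the home network password), here is an added example that is not part of the original article. It audits a password-manager CSV export; the column names, the entry names and the "Home Wi-Fi" label are assumptions, and the sample data is constructed.

```python
import csv
import hashlib
import hmac
import io
import os
from collections import defaultdict

# Constructed sample export; the name/username/password columns are assumed.
SAMPLE_EXPORT = """name,username,password
Wyze camera,user@example.com,Tr0ub4dor&3
Philips Hue,user@example.com,correct-horse-battery
Nest doorbell,user@example.com,Tr0ub4dor&3
Home Wi-Fi,,correct-horse-battery
Smart plug,user@example.com,x9!Lq2#vRt7pZ
"""


def audit_reuse(export_text, network_entry="Home Wi-Fi"):
    """Return (groups of entries sharing a password,
    accounts that reuse the home network password)."""
    # Group on a keyed digest so the result never carries a plaintext
    # password; the key is random per run, so digests cannot be reused.
    key = os.urandom(32)
    by_digest = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if not row["password"]:
            continue  # entries without a stored password are skipped
        digest = hmac.new(key, row["password"].encode(), hashlib.sha256).hexdigest()
        by_digest[digest].append(row["name"])
    groups = sorted(sorted(names) for names in by_digest.values() if len(names) > 1)
    shares_network = sorted(
        name
        for names in groups if network_entry in names
        for name in names if name != network_entry
    )
    return groups, shares_network


if __name__ == "__main__":
    groups, shares_network = audit_reuse(SAMPLE_EXPORT)
    for names in groups:
        print("Same password:", ", ".join(names))
    if shares_network:
        print("Reuses the home network password:", ", ".join(shares_network))
```

Delete the plaintext export as soon as the audit is done; the file itself is a complete copy of every credential.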

To hear Barry’s question in full, as well as our discussion on the topic, tune in to the IoT Podcast below:


Filed Under: Featured, How-To Tagged With: 2FA, account security, hacking, How to, hubs, security, smart devices, smart home, smart speakers, WiFi


Comments

  1. Kevin (not Tofel) says

    August 17, 2020 at 1:52 pm

    Something I would LOVE to see in IoT device reviews is an assessment of control method. Most devices tell you they can be used with Alexa/Google/Apple, but it would be great to know whether control of the device *requires* the manufacturer’s cloud service, or (ideally!) that the device can be controlled directly with no account required.

    The Home Assistant application nicely rates the “IoT Class” for its device integrations as one of “cloud polling”, “cloud push”, “local polling” or “local push”. A device that doesn’t ever need to talk with the manufacturers’ cloud can help minimize its vulnerability, so now I try to go only with devices whose IoT Class rating is “local”.

    (There are devices that allow local control, but still require a manufacturer’s cloud account to activate/configure them — that’s still better than cloud control)

Copyright © 2023 SKT Labs, LLC · Privacy Policy