How to Build a Smart Home That's Actually Secure

By David Nield

The number of smart connected devices in our homes is growing at a rapid rate, and that means more opportunities for unwelcome visitors to access your devices and your network. Whether you’ve got one smart home device or one hundred, here’s what to do to make sure your setup is as safe and secure as it can be.

With such a vast number of smart home devices on the market now, we can’t dig too deep into the specifics of each gadget, but the documentation that came with your gear should help you out—if there’s no help guide in the box, check the manufacturer’s website.

Update your gadgets

Unlike Windows or macOS, most of your smart home gadgets aren’t going to go and seek out updates on the web and then automatically install them for you—a lot of your gear might not actually be connected to the web in that way at all.

Ultimately the onus is on you to go and check for updates to your devices. The accompanying smartphone app (if there is one) and the manufacturer’s website are good places to start. Updates probably won’t be released on a particularly regular basis, but if a security exploit is discovered, you’ll want the patch in place as soon as possible.

Applying an update might be fiddly, depending on your device—you might have to connect it up to a computer, for example—but the onboard software or firmware is your first line of defence, so you want it to be as current as possible.

That update routine should extend to all of the computers and devices on your network of course, as well as your router, which controls access to all the web-enabled gadgets in your home—again, keep your eye on the router manufacturer website for new downloads, where you should find both the latest patches and more detailed instructions for how to apply them.

Check the settings for each of your devices

You’ll no doubt want to just set and forget your smart home gear, whether we’re talking lights you can control from your phone or fridges that know when you’re out of milk, but take the time to go through all the settings on your devices and make sure you know what each of them does.

If a device doesn’t really need access to the web, disable the connection, if you can. If a password is required to get into it, don’t choose the same one you use for everything else, don’t pick something that’s easy to guess, and don’t leave the default password (set by the manufacturer) in place. Many smart home devices will be very straightforward to configure, so it shouldn’t take you long to work through all the gear you’ve set up and do an audit.

This extends to computers and smartphones as well: Any of the gadgets you have in your home are potentially a way into the network and your smart home setup. Practice good Wi-Fi security, which is again mostly about keeping software up to date, making sure competent security software is installed, and choosing strong and unique passwords that are difficult for anyone else to hack.

Enable two-step verification on your accounts, whether directly related to your smart home or not, and pay particular attention to apps that you use to control or get reports from the devices you’ve set up—like an email address that security camera snaps are sent to, for example. If attackers get access to this, they suddenly know whether you’re at home or away, and may even be able to control the camera from your inbox.

Buy smart to begin with

Sticking with the big names pays off when it comes to smart home gear, not because kit from the likes of Samsung and LG is invulnerable to hacking attempts, but because at least you’ll know something will get done if a flaw is exposed. If you’ve bought your smart security monitor from an obscure foreign company without a website to its name, there’s not much you can do if something goes wrong.

As much as we like to see innovative tech gadgets appear on sites such as Kickstarter and Indiegogo, be careful about buying anything to add to your smart home without carrying out due diligence on the company behind it and the security measures put in place. If the team behind the hardware goes bust, you could be left with a not very useful and not very secure smart lock or voice-activated garage door on your hands.

You should be fine with Nest devices. The company is owned and managed by Google.

With that in mind we’d recommend getting all your smart home gear from the same particular stable, keeping the number of platforms you’re incorporating and the number of platforms that can potentially get exposed down to a minimum: Whether you want your home controlled by Samsung SmartThings, Apple HomeKit, or Amazon Alexa, pick a system and get products that fit in with it.

All this buying advice might be a bit late if you’ve already got an extensive smart home setup in place, but you can still run BullGuard’s Internet of Things Scanner, which will tell you if any of your gadgets appear on the Shodan search engine. Shodan scans the internet for publicly accessible devices, and if your new smart coffee maker is on it, it could become a target for hackers. The check only takes a couple of minutes, and if something does show up, take it offline and see if any updates are available for it.

Focus on your router

Your router acts as the gateway into everything that gets online in your home, and that includes smart home gear, so make sure that you’ve done everything you need to in order to keep your router as locked down as possible: Make sure it’s running the latest firmware upgrades, change the default username and password to ones only you know, and only let devices connect to the web if they absolutely have to.

If you have an Apple TV plugged into your television, for example, maybe the Smart TV itself doesn’t have to be connected to the web, at least not all the time—you can do all your Netflixing and YouTubing through the Apple TV instead. Be wary of anything that asks for special permission to edit your router’s settings or bypass its default configuration, because you shouldn’t do this without a very good reason. Your router may well give you a list of devices connected to the internet on one of its settings screens, so you can kick off gadgets from here too.
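The device-list check described above can also be done from a computer on the same network. The following is an added example, not part of the original article: it compares the output of `arp -a` against an inventory you keep by hand and reports anything unrecognised. The sample output, the MAC addresses and the `KNOWN_DEVICES` inventory are constructed for illustration.

```python
import re

# Constructed sample of `arp -a` output from a home LAN (not real devices).
SAMPLE_ARP = """\
router.lan (192.168.1.1) at a4:2b:b0:11:22:33 [ether] on wlan0
tv.lan (192.168.1.20) at 5C:49:7D:AA:BB:CC [ether] on wlan0
? (192.168.1.37) at 00:1a:22:de:ad:01 [ether] on wlan0
? (192.168.1.52) at <incomplete> on wlan0
? (192.168.1.255) at ff:ff:ff:ff:ff:ff [ether] on wlan0
"""

# Hypothetical inventory maintained by hand: MAC address -> device label.
KNOWN_DEVICES = {
    "a4:2b:b0:11:22:33": "router",
    "5c:49:7d:aa:bb:cc": "living-room TV",
    "3c:5a:b4:00:11:22": "thermostat",
}

# Matches "(ip) at mac"; unresolved "<incomplete>" entries do not match.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(?P<mac>[0-9A-Fa-f:]{17})\b"
)

def parse_arp(text):
    """Return {mac: ip} for resolved entries, skipping the broadcast address."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        if mac == "ff:ff:ff:ff:ff:ff":
            continue
        seen[mac] = m.group("ip")
    return seen

def audit(arp_text, known):
    """Return (unknown devices on the LAN, inventory items not currently seen)."""
    known = {mac.lower(): name for mac, name in known.items()}
    seen = parse_arp(arp_text)
    unknown = sorted((ip, mac) for mac, ip in seen.items() if mac not in known)
    missing = sorted(name for mac, name in known.items() if mac not in seen)
    return unknown, missing

if __name__ == "__main__":
    unknown, missing = audit(SAMPLE_ARP, KNOWN_DEVICES)
    for ip, mac in unknown:
        print(f"UNKNOWN device {mac} at {ip}: identify it or remove it at the router")
    for name in missing:
        print(f"not currently seen: {name}")
```

Phones and laptops that use randomised (private) Wi-Fi addresses will show up as unknown until you record the address they use on your network.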

The good news is the situation is getting better—new routers like the Luma ($149/£106) and the F-Secure Sense (£169) are being built with IoT and smart home security in mind, blocking off a lot of the common routes used by malware and hackers, and locking down any gadgets that appear with questionable security defaults. You might want to consider upgrading your router or asking your Internet Service Provider to upgrade it if the router’s more than a few years old.

There are even dedicated devices now that claim to sniff out smart home vulnerabilities for you, if you don’t mind paying some extra cash. The Bitdefender Box ($199.99/£142), Cujo Smart Firewall ($249/£177) (add another $40/£28 if you're shipping to the UK) and BullGuard Dojo ($129.99/£92) boxes all claim to watch out for suspicious activity on your smart home network and let you manage devices easily from your phone. Unfortunately, these are claims by the manufacturers and there hasn’t been much third-party testing to prove their abilities one way or the other. So you’re welcome to invest, but do so with caution.

For now the only truly proven solution to protecting your devices is to keep the software updated, the devices protected by passwords, and those passwords secure.