What you can do to protect yourself
1. Do your research
Before bringing any device into your home, do your research using independent third-party resources such as IT security organisation, AVTest’s dedicated IoT site. This means that at the very least you will be aware of the threats that exist, and at worst, you may decide to avoid that device. But, more than likely, you’ll land somewhere in between: doing what you can to manage the threat according to your specific situation.
2. Be wary of zero security incidents
Any legitimate IT company is transparent about its security incidents and rapidly tells users what it has done to repair any damage and stop the threat. Security vulnerabilities are inevitable, so it is reassuring to see that a company is serious about patching them quickly. Take a look at Cisco or Microsoft’s security advisory pages for good examples. A company that doesn’t do this either doesn’t know about its security issues and attacks, or is not being transparent about them, neither of which bode well for the safety of the IoT device you are bringing into your home.
3. Ensure the device’s firmware is up to date
Not all IoT devices allow you to update their firmware, which would allow you to patch any known vulnerabilities as they are discovered. If the device does not allow updates, you should consider whether you want it in your home and connected to your network. And if the firmware does update, you should, just as with any other IT service, keep it up to date. Advanced users might want to replace the factory-installed firmware in devices like Sonoff smart switches due to concerns about these home automation devices transferring unencrypted data back to servers in China.
4. Disable universal plug and play (UPnP)
As I mentioned in my guide to boosting your home WiFi performance, UPnP is incredibly useful, but it’s often just not viable in the real world, where you can’t be sure all the devices connecting to your network are secure and safe. For instance, the CallStranger vulnerability mentioned above operates via a UPnP callback. To add insult to injury, depending on your router, UPnP might take a while to patch, or it might even not be possible to patch. The best option is to disable UPnP on your WiFi router. This doesn’t mean you won’t be able to use these smart IoT devices, but you might have to spend a bit of time setting up manual exceptions, port forwards or NAT (network address translation) rules. You can Google how to do this, for instance, here and here are instructions on how to set up a static IP address for your Xbox One, and so avoid activating UPnP.
5. Strong passwords and multi-factor authentication
As ever, updated, strong passwords are your first line of defence, with multi-factor authentication adding a double-lock to your security. Also, with shared IoT devices, it’s better to set up unique profiles for every user, rather than sharing a common set of usernames and passwords.