Taking Measure

Just a Standard Blog

7 Tips to Keep Your Smart Home Safer and More Private, From a NIST Cybersecurity Researcher

Julie Haney sits at a table in the NIST library with a laptop, looking at a smartphone in her hand.

NIST researcher Julie Haney studied people who have smart home devices and learned that participants had concerns about these devices but continued to use them out of convenience.

Credit: R. Wilson/NIST

From thermostats to baby monitors, “smart” or “connected” devices have become very common in many homes. In fact, it’s hard to find household items without connected features, as I learned when I recently shopped for a new washer and dryer.

With the convenience and fun of these tools come potential security and privacy risks.

As the lead for NIST’s Human-Centered Cybersecurity Program, my goal is to encourage secure technology that protects people without burdening them.

As part of that effort, our team recently has worked to better understand how people think and feel about the security and privacy of smart home devices. This research is especially crucial since these devices are often placed in intimate areas of our homes, like a newborn’s nursery.

In a series of studies involving people with smart homes, we learned that our participants had several concerns about their devices but often still used them out of convenience. We also found that some people thought certain types of devices (such as smart thermostats) weren’t as important to protect — even though they really are! Finally, even participants who believed that security and privacy should be a priority were often confused about what to do to protect themselves and their devices.

The good news is you don’t have to swear off smart accessories to limit your risk. While nothing connected to the internet is completely secure, there are steps you can take to help protect yourself while still enjoying these products.

I use the practices below in my own home, and you can, too.

1. Plan Before You Buy

You should make an informed decision before you buy a smart home product. First, check with members of your household to see if they’re comfortable with the device. If it’s in your home, everyone should agree to its use.

Once you have buy-in from the people you live with, I suggest doing some market research. If you’re looking to buy a device, consider a few questions. Has that manufacturer or product had any privacy or security breaches or complaints recently? What security or privacy features does the device offer, and how can you configure those settings? These are questions you should consider before buying.

2. Enable Authentication

So, you’ve done your research and found a smart home device that fits your needs. Now, you’ll want to make sure you set up a secure way to access it. This is usually done through an app on your cellphone, tablet or computer. Some devices let you set up a password or PIN. A much better option is to use multi-factor authentication, which will help protect you if your password or PIN is exposed. For example, you might be able to verify your identity by using biometric methods, such as facial recognition or a fingerprint, that are already set up on your phone or tablet.

Inside a modern living room, a person holds a smartphone to use an app titled "Smart Home."
You can take simple steps to make your smart home safer, such as never reusing your password and setting up two-factor authentication.
Credit: Andrew Angelov/Shutterstock

3. Don’t Reuse Those Passwords

You’ve probably heard this one before, but it’s worth repeating: Do not reuse your passwords! Many attacks on smart home devices, including the incidents of hackers talking to babies through connected video monitors, have been linked back to reused passwords. If you use the same password in multiple places and one is compromised, it creates vulnerability elsewhere.

4. Disable Unused Features

If your device has a feature you prefer not to use, turn that feature off if you can. For example, in my house, we’ve disabled the ability to order things directly from our voice assistants. This is an especially useful tip if you have children.

5. Monitor Your Privacy Settings

Look at the privacy settings on your smart home devices. Ideally, the manufacturer is opting you in to strong privacy settings by default. But if you can control these settings, such as how long your video or audio will be saved or whether you can prevent your information from being sent to the manufacturer, adjust them to your comfort level.

6. Update Automatically

Tech companies update smart home devices often, sometimes to fix security holes. My lab studied people’s awareness of updates, and we found that many participants didn’t even know if their smart home devices were being updated. Ideally, you want to set these updates to happen automatically, so you don’t forget. If your device is older and can no longer receive updates, you should consider replacing or retiring that item.

7. Segment Your Network

Your home Wi-Fi router is a key part of your cybersecurity plan. It should have a strong password. Also, you should consider setting up a separate network for your smart home devices. Ideally, you don’t want the network that has your computer with your sensitive financial documents to be on the same network as your smart doorbell, which might be more easily compromised. Separating the networks can take time to set up, but it’s worth the effort.
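One way to check that a home network is actually segmented as described in tip 7. This is an added example, not part of the original post: the network names, address ranges and device list are constructed, and the device roles ("trusted" versus "iot") are labels assumed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: two home networks and the devices seen on them.
NETWORKS = {"home": "192.168.1.0/24", "iot": "192.168.20.0/24"}
DEVICES = [
    ("laptop-finance", "192.168.1.10", "trusted"),
    ("phone", "192.168.1.11", "trusted"),
    ("smart-doorbell", "192.168.20.5", "iot"),
    ("smart-thermostat", "192.168.1.42", "iot"),  # joined the wrong network
    ("baby-monitor", "192.168.20.6", "iot"),
]

def network_of(ip, networks):
    """Return the name of the network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in networks.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def audit_segmentation(devices, networks):
    """Flag smart devices that share a network with trusted devices.

    Returns (findings, unknown): findings is a list of
    (iot_device, network, trusted_devices_on_that_network); unknown lists
    devices whose address is in none of the declared networks.
    """
    by_net = defaultdict(lambda: defaultdict(list))
    unknown = []
    for name, ip, role in devices:
        net = network_of(ip, networks)
        if net is None:
            unknown.append(name)
        else:
            by_net[net][role].append(name)
    findings = []
    for net, roles in sorted(by_net.items()):
        if roles["iot"] and roles["trusted"]:
            for dev in roles["iot"]:
                findings.append((dev, net, sorted(roles["trusted"])))
    return findings, unknown

if __name__ == "__main__":
    findings, unknown = audit_segmentation(DEVICES, NETWORKS)
    for dev, net, exposed in findings:
        print(f"{dev} is on '{net}' alongside: {', '.join(exposed)}")
    for dev in unknown:
        print(f"{dev} is not on any declared network")
```

Separate address ranges only help if the router also blocks traffic between the two networks, which is what a guest or IoT network setting typically does.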

Cyber Trust Labels

In the coming years, we’ll be able to add an additional tip to this list — look for the U.S. Cyber Trust Mark. NIST has used our cybersecurity expertise to contribute criteria for this forthcoming security label for smart devices. The Federal Communications Commission is now finalizing the actual label. Once it’s placed on products, consumers can look for the label and know that the device has met some important security standards.

Making Tech Work for People, Not the Other Way Around

Julie Haney poses smiling for a casual portrait in the NIST library.
NIST researcher Julie Haney leads our Human-Centered Cybersecurity Program, which works to encourage secure technology that protects people without burdening them.
Credit: R. Wilson/NIST

I’ve worked in cybersecurity for more than 25 years. After I earned my computer science degree, I started my career at the Department of Defense and learned cybersecurity on the job. I worked on securing networks and systems. In this role, I learned that there are many nontechnical reasons why people and organizations don’t adopt cybersecurity practices, some of those having to do with the quirks of human behavior. I wanted to learn more about what I was observing, so I went back to school to study human-centered computing.

I love this work because I think people are so interesting and complex, and I want to hear their perspectives. I find it very rewarding to try to apply science to make everyone’s lives easier in cybersecurity.

In our studies (and in my own life!), I see the struggles people have with cybersecurity. I also know how real the consequences can be. In a world where clicking on one bad link can cost someone thousands of dollars, I want people to have an empowered, positive relationship with cybersecurity.

Looking Ahead to Future Needs for Human-Centered Cybersecurity

Our research group is now working on new projects to understand people’s needs and concerns in cybersecurity. For example, we are doing some studies to help cybersecurity experts communicate better with people who may not have expertise in the field.

We’ve also kicked off some work around digital identity tools, such as mobile driver’s licenses. States are increasingly adopting mobile driver’s licenses to verify that people are who they say they are. We want to know how people feel about these tools as they become commonplace.

Technology is always changing, so our work will continue to adapt. However, our commitment to centering cybersecurity on human experiences and needs will remain — no matter what technological advances are to come.

About the author

Julie Haney

Julie Haney is a computer scientist and cybersecurity researcher in NIST’s Information Technology Lab. Her research interests include human and organizational factors in cybersecurity, including the usability and adoption of cybersecurity solutions. Previously, she spent over 20 years working in the Department of Defense as a cybersecurity professional and technical leader. Julie has an M.S. in computer science and a Ph.D. in human-centered computing.

Comments

Interesting post! My takeaway is that it is entirely unrealistic to expect regular people to develop the cybersecurity expertise needed to protect a household full of connected devices and appliances. Fortunately, there is no need to do this as long as we have options in the marketplace. I don’t own a single “smart” device or appliance other than my phone, and I don’t feel that I’m missing out at all or that smart devices would improve my life in any way. I do worry about a time when we will have no choice but to buy internet-enabled (and therefore inherently vulnerable) household appliances.

Good article. I will send it to my brother / sister. Keep up the good work.

Rightly said. My takeaway is to focus on home network safety, which can also protect official transactions when we do our job at home.

Such an enlightening article! So many wonderful tips, and I look forward to being able to choose devices with the U.S. Cyber Trust Mark in the future. Thank you for all the important work you do!
