Just a Standard Blog
NIST researcher Julie Haney studied people who have smart home devices and learned that participants had concerns about these devices but continued to use them out of convenience.
From thermostats to baby monitors, “smart” or “connected” devices have become very common in many homes. In fact, it’s hard to find household items without connected features, as I learned when I recently shopped for a new washer and dryer.
With the convenience and fun of these tools come potential security and privacy risks.
As the lead for NIST’s Human-Centered Cybersecurity Program, my goal is to encourage secure technology that protects people without burdening them.
As part of that effort, our team recently has worked to better understand how people think and feel about the security and privacy of smart home devices. This research is especially crucial since these devices are often placed in intimate areas of our homes, like a newborn’s nursery.
In a series of studies involving people with smart homes, we learned that our participants had several concerns about their devices but often still used them out of convenience. We also found that some people thought certain types of devices (such as smart thermostats) weren’t as important to protect — even though they really are! Finally, even participants who believed that security and privacy should be a priority were often confused about what to do to protect themselves and their devices.
The good news is you don’t have to swear off smart accessories to limit your risk. While nothing connected to the internet is completely secure, there are steps you can take to help protect yourself while still enjoying these products.
I use the practices below in my own home, and you can, too.
You should make an informed decision before you buy a smart home product. First, check with members of your household to see if they’re comfortable with the device. If it’s in your home, everyone should agree to its use.
Once you have buy-in from the people you live with, I suggest doing some market research. If you’re looking to buy a device, consider a few questions. Has that manufacturer or product had any privacy or security breaches or complaints recently? What security or privacy features does the device offer, and how can you configure those settings? These are questions you should consider before buying.
So, you’ve done your research and found a smart home device that fits your needs. Now, you’ll want to make sure you set up a secure way to access it. This is usually done through an app on your cellphone, tablet or computer. Some devices let you set up a password or PIN. A much better option is to use multi-factor authentication, which will help protect you if your password or PIN is exposed. For example, you might be able to verify your identity by using biometric methods, such as facial recognition or a fingerprint, that are already set up on your phone or tablet.
You’ve probably heard this one before, but it’s worth repeating: Do not reuse your passwords! Many attacks on smart home devices, including the incidents of hackers talking to babies through connected video monitors, have been linked back to reused passwords. If you use the same password in multiple places and one is compromised, it creates vulnerability elsewhere.
If your device has a feature you prefer not to use, turn that feature off if you can. For example, in my house, we’ve disabled the ability to order things directly from our voice assistants. This is an especially useful tip if you have children.
Look at the privacy settings on your smart home devices. Ideally, the manufacturer is opting you in to strong privacy settings by default. But if you can control these settings, such as how long your video or audio will be saved or whether you can prevent your information from being sent to the manufacturer, adjust them to your comfort level.
Tech companies update smart home devices often, sometimes to fix security holes. My lab studied people’s awareness of updates, and we found that many participants didn’t even know if their smart home devices were being updated. Ideally, you want to set these updates to happen automatically, so you don’t forget. If your device is older and can no longer receive updates, you should consider replacing or retiring that item.
Your home Wi-Fi router is a key part of your cybersecurity plan. It should have a strong password. Also, you should consider setting up a separate network for your smart home devices. Ideally, you don’t want the computer that holds your sensitive financial documents to be on the same network as your smart doorbell, which might be more easily compromised. Separating the networks can take time to set up, but it’s worth the effort.
In the coming years, we’ll be able to add an additional tip to this list — look for the U.S. Cyber Trust Mark. NIST has used our cybersecurity expertise to contribute criteria for this forthcoming security label for smart devices. The Federal Communications Commission is now finalizing the actual label. Once it’s placed on products, consumers can look for the label and know that the device has met some important security standards.
I’ve worked in cybersecurity for more than 25 years. After I earned my computer science degree, I started my career at the Department of Defense and learned cybersecurity on the job. I worked on securing networks and systems. In this role, I learned that there are many nontechnical reasons why people and organizations don’t adopt cybersecurity practices, some of those having to do with the quirks of human behavior. I wanted to learn more about what I was observing, so I went back to school to study human-centered computing.
I love this work because I think people are so interesting and complex, and I want to hear their perspectives. I find it very rewarding to try to apply science to make everyone’s lives easier in cybersecurity.
In our studies (and in my own life!), I see the struggles people have with cybersecurity. I also know how real the consequences can be. In a world where clicking on one bad link can cost someone thousands of dollars, I want people to have an empowered, positive relationship with cybersecurity.
Our research group is now working on new projects to understand people’s needs and concerns in cybersecurity. For example, we are doing some studies to help cybersecurity experts communicate better with people who may not have expertise in the field.
We’ve also kicked off some work around digital identity tools, such as mobile driver’s licenses. States are increasingly adopting mobile driver’s licenses to verify that people are who they say they are. We want to know how people feel about these tools as they become commonplace.
Technology is always changing, so our work will continue to adapt. However, our commitment to centering cybersecurity on human experiences and needs will remain — no matter what technological advances are to come.
Thank you!
Good article. I will send it to my brother/sister. Keep up the good work.
Rightly said. My takeaway is to focus on home network safety, which can also protect official transactions when we do our job at home.
Such an enlightening article! So many wonderful tips, and I look forward to being able to choose devices with the U.S. Cyber Trust Mark in the future. Thank you for all the important work you do!
Interesting post! My takeaway is that it is entirely unrealistic to expect regular people to develop the cybersecurity expertise needed to protect a household full of connected devices and appliances. Fortunately, there is no need to do this as long as we have options in the marketplace. I don’t own a single “smart” device or appliance other than my phone, and I don’t feel that I’m missing out at all or that smart devices would improve my life in any way. I do worry about a time when we will have no choice but to buy internet-enabled (and therefore inherently vulnerable) household appliances.