Internet-connected appliances can be pretty cool… If you have an Alexa-integrated coffee machine or WiFi-connected vacuum cleaner that is internet capable, you surely know what kind of convenience it brings. On the other hand, convenience always brings added security problems, because accessibility for you also means greater attack surface for bad actors. If you use internet connected security devices, like cameras, you need to be certain that they are only being accessed by you. Here are a few steps that can help you keep your home network safe while enjoying the modern conveniences of the Internet of Things (IoT).

Segment your IoT devices from your main network

One of the most important steps you can take to keep your home network safe is to wall part of it off for use by appliances. The biggest part of this step is planning ahead, because it may change the topography (shape) of your network and it can quickly get very technical. If you use a switch as part of your network, for instance, then you can create a VLAN to put your connected devices on. Beware that this option requires both the hardware and a somewhat sophisticated understanding of networks.

A more beginner-friendly approach is to set up your WiFi guest network and use it for your IoT devices. This means that your IoT devices can’t do things like access files on your laptop or phone, or make connections to network attached security cameras. This way, if they are compromised they won’t hunt for your personal data, but they still may participate in denial of service attacks, waste your bandwidth or electricity, or be shut down remotely for no good reason.

Change default passwords on IoT devices

The types of attacks that most often happen to IoT devices are ones where a malicious actor connects to your device from the internet and gains control of it as a device on your network. Once this happens, the attacker can often use the device as if it is any other computer: they can execute code on the device, look for ways into your other devices, or control other devices on your network.

These attacks are usually made possible because the manufacturer of the device didn’t bother to change default passwords in the operating system on the device. Devices that use Linux as their operating system, for instance, may all share the same administrator login and password, making them all much more likely to be broken into. If your device allows, during setup, for you to change the administrator’s name or password, you should definitely change it to something unique. This doesn’t totally stop brute force attacks, but it makes it more than low-hanging fruit.

Use strong authentication for remote access

Hopefully your devices come with strong authentication schemes available, like two-factor authentication, or a secure web portal through the manufacturer’s cloud. If you can set up devices to send you a push notification when being used, for example, then you should take that opportunity. A well-established company can probably offer a pretty secure setup for you to control the device via an app or web interface, but you likely only want to trust well-known manufacturers for that type of service. Remember, though, that remote access may provide convenience, but it also makes it possible for your device to be remotely accessed by others. Even reputable companies have data breaches that could leak your login credentials for a security camera or other appliance.

Choose devices with alerts and notifications

Introducing remotely-controllable devices into your home (much like devices that can listen to you) means introducing a certain amount of risk that the devices may give access to the wrong person. Your devices should be able to let you know, with a notification or LED indicator, that they’re being accessed, and if they can’t, then you should be wary of using it at all. If you can set up alerts for when settings are being changed, or when the administrator logs into the device, you should do so and take the notifications seriously. If a device can’t meet these standards, you should probably not use it; I’ve personally reboxed devices that didn’t demonstrate to me the level of security and privacy that I expected. It’s not a good feeling, but it’s still a better one than learning that your privacy has been compromised.

ProTip: Use Fing or Advanced IP Scanner to make a network map

Protecting your network starts with knowing what devices are on your network, what IP address they are assigned (so that you can identify them), and what services are exposed on those devices. Using Fing (on either the desktop or mobile) or Advanced IP Scanner (on Windows), you can see a list of all of the devices on your network and make sure that you can identify each. Both apps have features to save the information it gathers on your network, and both make it possible to initiate certain kinds of connections with devices. If you scan your network and a device has port 80 open, for instance, that means that it will accept an http connection; if you visit the IP address (i.e. you can expect a webpage of some kind on that device.

Knowing a bit about what services and ports are available on your devices can help you understand what is exposed to the rest of your network. This scan can also help you understand your new IoT devices: for instance, if your new device has port 22 open, then it can accept SSH connections, which indicates that it can be administered remotely. These kinds of services being available reasserts the need for a strong, unique password at the very least.

-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team