Here Is How to Fend Off a Hijacking of Home Devices

http://www.nytimes.com/2017/02/01/technology/personaltech/stop-hijacking-home-devices.html

Modern homes today are getting internet-connected light bulbs, thermostats, TVs and speakers. So with a simple voice command or the touch of a button on our smartphones, we can set the temperature, turn on a light or prepare the TV to record a program.

What could go wrong?

A lot more than most people are prepared for, it turns out. If one of these devices gets hijacked, hackers could potentially snoop around for sensitive data like financial or health information. Or they could use a network of compromised devices to perform a widespread attack that takes down major websites, which is what happened last October.

The good news is that so far, online attacks on home devices are relatively uncommon. Only 10 percent of American consumers said they were victims of the crime in a recent study done for the Hartford Steam Boiler Inspection and Insurance Company. However, those who experienced such an attack through their home gadgets reported losses of $1,000 to $5,000 from the incidents.

“There’s still this whole sort of, ‘Gee whiz, it’s so cool’ thing that’s going on” with internet-connected home appliances, said Lee Tien, a lawyer for the Electronic Frontier Foundation, a nonprofit that focuses on digital rights. “That’s also what often gets us into trouble.”

As smart home devices become more popular, they will become bigger targets for hackers. So it behooves us to get ahead of the curve by securing our home appliances, using these tips from security experts who have closely studied smart home accessories.

When shopping for an internet-connected home device like a smart speaker, lighting system or television set, a good rule of thumb is to go with a trusted brand.

Larger, well-regarded companies like Amazon or Google have a background in developing products with security in mind, said Liviu Arsene, an analyst for Bitdefender, which sells security hardware for protecting smart home accessories. Before buying a product, consumers should do a web search on it to see if the company regularly issues software updates that fix security vulnerabilities, he said.

People should also carefully read company privacy policies. David Britton, a vice president in the fraud and identity department of Experian, the credit reporting agency, said people should be curious about whether companies themselves were a threat to user privacy.

“What are they capturing about you?” he said. “Is the data leaving the device? Is it being sent back to the mother ship?”

Consider the smart speakers from Amazon and Google. Amazon said its Alexa smart assistant, which is used in its Echo speakers, automatically downloads software updates to defend against new security threats. Data from the Echo is also uploaded to Amazon’s servers only after people utter the wake word “Alexa,” the company said. That minimizes the likelihood that the device will record conversations unrelated to requests intended for Alexa.

Google said its Home speaker similarly issued regular software updates and employed advanced security features, like a technique that disables the device if its software is tampered with. The company added that the speaker processed speech only after the words “O.K. Google” or “Hey Google” were detected.

But other large brands occasionally engage in behavior that customers may find objectionable. The smart TV maker Vizio, for example, made headlines with revelations from the investigative news site ProPublica that it kept a detailed record of customer viewing habits and shared it with advertisers, who could then use the information to identify other devices you owned.

Your Wi-Fi network is the pulse of your smart home, which also makes it a vulnerable attack point. Mr. Britton and Mr. Arsene suggest connecting all your smart home accessories — for example, your Amazon Echo, Nest thermostat, Samsung smart refrigerator and Philips Hue smart lights — to a Wi-Fi network that is separate from the one connected to your computing devices, like your smartphone, tablet and computer.

With two distinct Wi-Fi networks, it will be harder for a hacker to jump from infiltrating your smart accessory on one network to a personal computer on the other network, Mr. Arsene said.

The easiest way to create a second Wi-Fi network is to make a guest network. Many modern Wi-Fi routers, like TP-Link’s Archer C7 (the top router recommended by The Wirecutter, a product recommendations site owned by The New York Times), include the ability to host a network for guests that uses a name and password different from that of your primary network. Quarantining your smart speakers, lights and TV onto a guest network will allow them all to interact with one another, while keeping your computing devices safer in the event that any of the smart accessories are hacked.

If you are paranoid about your Wi-Fi network being hacked, you can also change the Wi-Fi router’s network settings to disable broadcasting the network name entirely, Mr. Britton said. That would make it difficult for a hacker driving by to detect and compromise your network, though it would also require house guests to manually type in your network name and password when they log on to your Wi-Fi.

The same security principles for websites apply to the so-called internet of things. You should set strong, unique passwords for logging into each device you own. If you recycle your passwords and one device is compromised, the others can be, too.

A strong password can be a random string of characters or a nonsensical phrase with numbers and special characters. (Examples: My favorite number is Green4782# or The cat ate the CoTTon candy 224%.)

If you cannot memorize your passwords, that is a good thing: That means they are hard for hackers to crack. Keep them written down on a piece of paper and stored in a safe place, or store your passwords in a password-managing app like 1Password or LastPass.

While reputable manufacturers of smart home accessories offer software updates to patch security vulnerabilities, it is often up to the consumer to stay on top of updates. Because it lacks a screen, a smart light bulb or an internet-connected power socket is going to have a tough time informing you that it needs a software update.

Mr. Britton and Mr. Arsene recommend that consumers regularly log into the mobile apps or websites for their smart home accessories to check if they need software updates. If updates are available, install them immediately.

Among security researchers, putting a piece of tape over a computer webcam has become a tongue-in-cheek recommendation for those who are extra paranoid about their privacy. (Even Mark Zuckerberg, Facebook’s chief executive, does it.)

With smart speakers like the Amazon Echo and Google Home, there is an equivalent: a mute button to disable the device microphone so it can no longer listen. In the unlikely event that a device is hijacked, muting the microphone could help prevent hackers from listening to your conversations, Mr. Britton said.

Or you could go the safest route and opt out of having these devices at all. That was the method chosen by Mr. Tien, the lawyer for the Electronic Frontier Foundation, who previously studied the privacy risks of smart meters, the devices that utility companies use to monitor energy consumption.

He said he accepted the privacy implications of owning a smartphone, but a smart home accessory?

“I think it’s sort of asking to have your privacy invaded to have something like that,” he said. “I’m not sure that the value of it is really all that great.”