The introduction of home automation, smart appliances, surveillance cameras, and other connected devices has been a boon to our hectic, cosmopolitan lifestyles.  Known as the Internet of Things or IoT, these devices leverage the internet to be available wherever you are, whenever you need them.  Turn off the lights, turn down the thermostat and set the alarm as you’re Uber-ing to the airport.  Turn on the oven before leaving work.  Change your musical selections with a voice command while eating dinner.  They certainly make our otherwise complicated lives easier.  But the price for that convenience could be higher than you think.  In this post I’ll discuss some of the privacy and personal security issues with these devices.  I’ll save the network security issues for a later post.

How they work

Most of these devices work through a cloud-based service.  You connect to a web service through an app on your smartphone or a website from your computer, signing in with your unique username and password.  The web service then connects to the device through the internet to monitor its status and send it commands.  But what if a stranger knows your username and password?  I know, that sounds like a stretch.  But go along with me for a moment.  Assuming a bad actor did get or guess your credentials, that person could do everything that you do.  Watch your cameras, turn off your alarm, unlock your doors, open your garage…  Whatever automation you have can be controlled by a bad actor.

They’ll never guess my password

Of all the methods hackers use, credential stuffing is the most efficient and effective.  Occasionally, through no fault of your own, a cloud service provider gets breached and your credentials for that site are stolen and sold on the Dark Web to other hackers.  Those hackers then try the stolen username and password on other sites, hoping you used the same password there.  If you’re in the habit of reusing the same password on multiple sites, you run a high risk of being a victim of credential stuffing.

If a hacker is specifically going after you personally, they may use another technique. Hackers have been known to guess passwords based on your social media posts.  Names of spouses, children, pets, sports teams, birthdays, and anniversaries are among the most popular.  Those are just two of the many methods they use.

What you can do

To address this privacy issue, the best place to start is making sure you use very strong and different passwords for every online account you have.  There are different opinions on what makes a strong password.  Some believe a long phrase (four or more words) that is memorable to you is best.  Others believe a string of 12 or more random letters, numbers and symbols is best.  Whatever method you use, the important part is that each password or phrase should be unique to each account you have.  Also avoid using patterns on the keyboard such as “qwerty” or “qazwsx”, as these are common and easily guessed.

Keeping track of all your passwords can be difficult.  Password managers like LastPass are helpful, as they can generate and remember very complex, unique passwords for you.  They’re much more secure than that text file you keep on your computer.
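To make the two preceding paragraphs concrete, here is a small added example (not code from the original post, and not how LastPass or any other password manager is implemented) that does what a password manager does on your behalf: it generates either a four-word passphrase or a 12+ character random string using a cryptographically secure random source, rejects keyboard walks such as “qwerty” and “qazwsx”, and flags any password that is reused across accounts. The word list and the sample account vault are constructed for the example; a real passphrase generator would draw from a list of thousands of words.

```python
import secrets
import string

# Constructed sample word list for illustration only.  A real generator
# would use a large list (thousands of words) so phrases are hard to guess.
WORDLIST = ["copper", "lantern", "meadow", "quartz", "river", "saddle",
            "thimble", "walnut", "bicycle", "orchard", "pillow", "granite"]

# Keyboard walks the post warns about, plus a few other common rows and
# columns (constructed list; extend as needed).
KEYBOARD_PATTERNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "qazwsx",
                     "1234567890"]

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"


def contains_keyboard_pattern(password: str) -> bool:
    """True if any 4-character slice of a keyboard walk (forwards or
    backwards) appears in the password, ignoring case."""
    lowered = password.lower()
    for pattern in KEYBOARD_PATTERNS:
        for i in range(len(pattern) - 3):
            chunk = pattern[i:i + 4]
            if chunk in lowered or chunk[::-1] in lowered:
                return True
    return False


def generate_passphrase(words: int = 4, separator: str = "-") -> str:
    """Memorable phrase of at least four words, chosen with a CSPRNG."""
    if words < 4:
        raise ValueError("use at least four words")
    return separator.join(secrets.choice(WORDLIST) for _ in range(words))


def generate_random_password(length: int = 16) -> str:
    """12+ random letters, digits and symbols; regenerates in the rare
    case the random string happens to contain a keyboard walk."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not contains_keyboard_pattern(candidate):
            return candidate


def check_password(password: str) -> list:
    """Return the list of problems with a password according to the
    post's guidance; an empty list means it passes."""
    problems = []
    if len(password) < 12:
        problems.append("too short: use 12+ random characters or a 4+ word phrase")
    if contains_keyboard_pattern(password):
        problems.append("contains a keyboard pattern")
    return problems


def find_reused_passwords(vault: dict) -> dict:
    """vault maps account name -> password.  Returns password -> sorted
    list of accounts for every password used by more than one account,
    i.e. exactly the reuse that makes credential stuffing work."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: sorted(accounts)
            for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    # Constructed sample vault: the camera and the bank share a password.
    sample_vault = {
        "bank": "Summer2019!",
        "doorbell-camera": "Summer2019!",
        "email": generate_passphrase(),
        "thermostat": generate_random_password(),
    }
    for account, pw in sample_vault.items():
        print(f"{account:16} {check_password(pw) or 'ok'}")
    print("reused:", find_reused_passwords(sample_vault))
```

The reuse check is the part that matters most for the credential-stuffing scenario above: a breach of the camera vendor would hand an attacker the bank login as well, and a password manager's "reused password" report is doing exactly this comparison for you.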

Multi-factor authentication (MFA or 2FA), painful as it may be to some, is a good partner to strong passwords and an effective way of stopping someone who has obtained your password from logging in as you.  Whenever a site provides an MFA option, use it.

Above all else, think.  Do some research and check reviews on the service you’re signing up for.  Weigh the benefits versus the risks.  Decide whether you really need the ability to unlock your doors from your phone, or whatever service you’re about to sign up with.