Internet of Things 12-16-2021

Cyber Guide to Holiday Shopping for Smart Home Devices

Mike Nelson

Finding the perfect gift is always a process, but when purchasing IoT (Internet of Things) devices, consumers should be extra careful to not accidently purchase a “smart” product that can become an invasion of privacy. In fact, one company set up a fake cyber home with a variety of smart home devices and tracked over 12,000 attacks in just one week. These attacks have increased since the pandemic has driven demand for smart home devices (in 2020, over 50% of U.S. adult consumers purchased a smart home device to adapt to pandemic living).

That doesn’t mean you should shy away from smart devices, but it does mean that as consumers, we need to shop smart for smart devices. If home IoT devices are on your gift list for this holiday season, you’ll want to read this security checklist before you make any purchases.

Security is a shared responsibility

Consumers have the right to assume the security and safety of devices, but that doesn’t negate a consumer’s shared responsibility for security. Cybersecurity must be a collaborative approach, as neither manufacturers nor consumers can do all of it.

Over the last few years, smart home devices have multiplied to include everything from smart TVs to thermostats, security cameras and even smart appliances. Any of these devices can be safe if the right best practices are followed, by both the consumer and manufacturer.

This guide will help you know what to look for before buying a product, and what to do after a purchase: what part of security is your responsibility.

Before buying

First of all, IoT purchases should not just be based on the price tag. Unfortunately, many consumers prioritize price over privacy. But in the long run, devices with privacy issues can be much more costly.

Before you buy your smart home devices, do some research to understand what things to ask when purchasing. A quick Google search will typically reveal any vulnerabilities that have been discovered with a device. Simply search “[manufacturer, device, model] known vulnerabilities.” For instance, if you search “Google Nest Mini known vulnerabilities” you can find a list of security updates that Google has issued, news articles about current threats and even a Reddit thread on how to fix some vulnerabilities. Similarly, searching “Alexa: Amazon Echo Show 8 known vulnerabilities” will return some of the most common vulnerabilities and solutions for that device.

If you are considering purchasing devices with discovered vulnerabilities, then you’ll want to know what the manufacturer has already done to ensure the security of the device and on what level. From there, it’s just a judgment call on what you’re willing to tolerate based on your risk tolerance level, but at least you’ll know about potential problems.

Additionally, if any products have a history of security issues, make sure the manufacturer has patched the issues. Some devices that have had security concerns include baby monitors, printers, security cameras and smart TVs. But even Wi-Fi-enabled dolls and fish tanks are not immune. Anything that connects to the internet could be vulnerable.

Here are a few questions to think about before purchasing a device:

  • What kind of data is collected?
  • Where is it stored?
  • How long do they keep your data?
  • Is your data encrypted?
  • Is that data shared? If so, how? Is the data resold?
  • Does it connect to other devices? If so, how frequently, and what data is shared?
  • What are the common vulnerabilities with this type of device?
  • How will the device receive product or software updates?

If you answer these questions with dissatisfying answers, or if you can’t answer these questions at all, you may want to think twice about purchasing that product.

In the future, we may even see security labels on devices which, similar to nutrition labels, show how secure a device is. But, for now the consumer is responsible for finding out this information before purchasing a device.

After buying

After purchasing a device, it’s your responsibility to set it up and maintain it to ensure it stays secure. For instance, even if a device passed the pre-buy checklist, if you set it up with a weak password like 1234, all their efforts go out the window.

Here’s your post-purchase checklist for device security:

  • Set up a strong password (don’t use the default)

Default passwords, the ones that come preset to a device, can put you at risk because they make you an easy target. In fact, the U.K. government just proposed legislation to completely ban default passwords from smart devices. If a device you purchase has a default password, change it and utilize password best practices.

Mutli-factor authentication is the practice of using multiple credentials to log in. This ensures that even if one method of authentication is vulnerable, your account is still secure.

Don’t automatically connect your device to Wi-Fi unless you need to. Connecting to the internet increases your chance of threats, and the FBI explains that connecting unsecured devices to your Wi-Fi router can give “the bad guy access to everything else on your home network that you thought was secure.” If you want to be extra secure, and have the expertise to set it up, I recommend setting up a separate network just for your smart devices and make that network private so it’s not discoverable.

  • Install software updates as soon as possible

Software updates often include security patches with the latest protection, so you’ll want to install them right away. If you can, set software updates to install automatically.

  • Understand what the device connects to (Wi-Fi, Bluetooth, mobile app, etc.)

Note what other devices it connects to and limit it to only what you need. If your device connects to an app, don’t forget about protecting your phone with a strong password. If it connects to another smart device, make sure that device has a strong password and updated software as well.

What about gifting?

Finally, if you’re gifting smart home devices you may have less control over how people set it up. But the same principles apply. Encourage your giftee to use strong passwords, enable MFA and update the device regularly.

Stay smarter than your smart home

Consumers have a shared responsibility with device manufacturers to ensure that the devices they bring into their home are secure. Both sides are accountable, and that extends far beyond just our holiday shopping. There is more education needed for consumers, and there is more that manufacturers can do, like adding security labels. But for now, these steps can help consumers ensure that the devices they bring home for the holidays won’t leave their home vulnerable.

For more recommendations on securing devices, check out my other post on how to stay smarter than your smart home.


3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories


Pioneering the next wave of secure digital solutions 


4 best practices for bulk email senders



Driving digital trust with SOC 2-compliant DNS