Be aware of the security and privacy risks posed by Internet of Things (IoT) devices so you can choose the balance that is right for you between convenience, which can be significant with some IoT devices, and risks to your data security and privacy, which can also be significant.
IoT devices include gaming systems, smart speakers, smart TVs, watches and wearables, streaming devices, smart thermostats and appliances, home security systems, and more.
IoT devices can collect a lot of personal data about you and your habits, sometimes without the device manufacturers informing you what is being collected or retained. This can leave your data vulnerable to exposure in the event of data breaches affecting the manufacturers and others they may share your data with. It can give attackers access to your personal information and the potential to compromise other devices on your networks.
Best Practices for IoT Devices
Many of the best practices for securing IoT devices are the same as those for your other Internet-connected devices. Features vary from device to device, so not every best practice applies to every device. This is not an exhaustive list of best practices for configuring your IoT device. Check the device documentation for details about your options.
- Review the privacy policy. Check with your device manufacturer for this and become familiar with it.
- Review the privacy and security settings. Choose security and privacy settings you are comfortable with. Don't just accept the out-of-the-box settings, which tend to err on the side of sharing more information with the manufacturer rather than emphasizing your privacy.
- Change the "wake" word that activates your device. Change the wake word to something that is unlikely to occur in everyday conversation and that visitors will not know. Be aware that devices can hear sounds through residence hall or apartment walls and through windows.
- Use two-factor authentication. Protect the service account (for example, the Google or Amazon account) linked to the device by enabling two-factor authentication if it is offered.
- Keep software and devices up to date. Regularly check for and install software and firmware updates. Enable automatic updates where available.
- Connect the device to a trusted network.
  - Secure your home network and all other devices connected to it.
  - Members of the U-M community can register and connect IoT devices on the UM-Ann Arbor campus using MSetup Device Registration.
- Set a strong, unique password for each device and service. Immediately change default passwords that come with the device. Set a different password for each device and service.
- Delete/erase stored recordings. On a regular basis, erase or delete recordings that your device may have saved (for example, voice commands).
- Be careful about which accounts you connect to your device. Avoid connecting accounts with sensitive information. Disconnect accounts when no longer needed.
- Use caution when connecting third-party extensions. Be aware of the personal information you are sharing with them.
- Disable features you don’t use. Turn off the microphone and camera or mute the device when you aren’t using it. Turn off voice purchasing if not needed, or set a purchase password to prevent inadvertent or unauthorized purchases.
- Do not connect a debit card to a device. Only a credit card will shield you from full liability for fraudulent purchases. Debit cards do not offer the same protections; it is best not to use them for online purchases.
- Consider blocking incoming voice and video calls. This prevents others from dialing in and listening in.
Privacy Settings Help Links for Personal Assistants
The three current market leaders for smart personal assistants (also called personal digital assistants or home speakers) are the Amazon Echo, Apple HomePod, and Google Home; links to their privacy and security documentation are provided below. For other products, check the product documentation or search online. U-M makes no recommendation or endorsement of products or services not directly provided by U-M or provided via a contractual relationship with a third-party vendor.
- Amazon Echo Help
- Apple HomePod Help
- Google Home Help
Additional Resources
- Security and Privacy in the Connected Home (Center for Internet Security Newsletter, 12/18)
- How to Make Sure Alexa, Google Home Don't Hear Too Much (Tom's Guide, 4/23/18)
- They’re Listening: A Paranoid Guide to Smart-Speaker Privacy (New York Intelligencer, 4/17/18)
- 5 Ways to Secure Your Alexa Device (Tom's Guide, 3/30/18)
- Virtual Assistants—How Do They Handle Your Privacy? (Cybercity.NYC, 3/18)
- How to Protect Your Privacy on Your Smart Home Devices (LifeHacker, 2/21/18)
- A Guide to the Security of Voice-Activated Smart Speakers (Symantec, 11/17)