TL;DR
- Every smart-home device — camera, doorbell, lock, speaker, lightbulb, vacuum, fridge — is a small, permanently internet-connected computer with a microphone, a camera or a sensor attached.
- Each one is a potential way into your home network. Your Wi-Fi is only as safe as the worst-protected device on it.
- The single most useful step is to separate IoT devices onto their own Wi-Fi network away from your phones, laptops, and home backup drives. Most modern routers can do this in a few clicks.
- The cheapest devices are sometimes the most dangerous — abandoned by their makers, full of holes, and watched by people who are not you.
- Privacy is not the same as security. A device made by a trustworthy company can still be insecure; a perfectly secured device can still send recordings to a country whose laws you've never read.
What it is
The "Internet of Things" is the umbrella name for everyday objects with internet connections. A smart bulb. A robot vacuum. A doorbell with a camera. A speaker that responds to your voice. A baby monitor on Wi-Fi. A smart fridge. A robotic lawnmower. A smart oven. A children's toy with a microphone. A pet camera. A printer.
Most of these are small computers (often a stripped-down Linux, sometimes a bare microcontroller) with one task and one network connection. That makes them genuinely useful. It also makes them genuinely risky in three ways:
- They listen, watch, and report. Microphones, cameras, motion sensors, temperature sensors, presence sensors. Almost all of them send data back to the manufacturer's cloud — and from there to various advertisers, analytics partners, and sometimes other organisations.
- They can be broken into. Many cheap devices ship with default passwords, slow or non-existent security updates, and obvious vulnerabilities. Attackers scan the entire internet for these. When one of yours shows up in those scans, it can be absorbed into a botnet: a fleet of compromised devices used to attack other people, and sometimes to watch you as well.
- They are doors into your home network. Once an attacker is on the device, they are on your Wi-Fi. From there, they can scan for the other things on your network — your laptop, your network-attached storage, your phone, your smart lock.
This is why smart-home security is half a physical topic (where you put the device, what it sees) and half a digital topic (how its software, account, and network are configured).
How to spot a problem
Some signs that an IoT device has gone wrong, or was never right:
- A device that runs hot, has become sluggish, or generates unusually heavy network traffic. A doorbell that pings the internet hundreds of times a minute is doing something the manual didn't promise.
- Strange voices from the speaker, or sounds that aren't yours. Intrusions on cheap baby monitors are well documented. Treat the device as compromised, immediately.
- Notifications from a device you don't own, or from features you didn't enable.
- The companion app no longer receives updates and the manufacturer's website hasn't been touched in a year. The product is probably abandoned. Replace it; don't keep using it.
- The device asks for permissions wildly beyond its function. A smart bulb that wants access to your microphone, contacts, and location is not a smart bulb anymore.
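The "unusually heavy network traffic" and "doors into your home network" warning signs above can be checked mechanically if your router or firewall can export a connection log. The script below is an added example, not part of the original page or of any router vendor's software. It assumes a constructed log format (one connection per line: timestamp, source, destination, destination port), an assumed IoT subnet of 192.168.20.0/24 and trusted subnet of 192.168.10.0/24, and invented per-device allowlists of where each device is expected to talk; in practice you would take those ranges from the manufacturer's documentation or from a week of observed normal traffic. It runs three checks over the sample log: a device opening far more connections per minute than it should, a known device talking to an address outside its expected ranges, and an IoT device reaching into the trusted subnet.

```python
"""Flag suspicious smart-home device behaviour in a router connection log.

Added example. The log format, addresses and sample lines are constructed
assumptions, not the output of any particular router.
"""
from collections import Counter
from datetime import datetime
import ipaddress
import re

# Assumed log line shape: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)

IOT_NET = ipaddress.ip_network("192.168.20.0/24")      # assumed IoT SSID subnet
TRUSTED_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed phones/laptops subnet
HOME_NETS = (IOT_NET, TRUSTED_NET)

# Assumed allowlist: which external ranges each known device may talk to.
# The vendor ranges are invented (RFC 5737 documentation addresses).
EXPECTED = {
    "192.168.20.12": [ipaddress.ip_network("203.0.113.0/24")],   # doorbell
    "192.168.20.30": [ipaddress.ip_network("198.51.100.0/24")],  # smart-bulb hub
}


def parse_line(line):
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def chatty_devices(events, per_minute=100):
    """Sources that open more than per_minute connections in any single minute."""
    counts = Counter((e["src"], e["ts"].replace(second=0, microsecond=0)) for e in events)
    return sorted({str(src) for (src, _), n in counts.items() if n > per_minute})


def unexpected_destinations(events, expected=EXPECTED):
    """(src, dst) pairs where a known device talks outside its expected ranges.

    Devices absent from the allowlist are skipped here; internal destinations
    are handled by lateral_movement() instead.
    """
    hits = set()
    for e in events:
        ranges = expected.get(str(e["src"]))
        if ranges is None or any(e["dst"] in n for n in HOME_NETS):
            continue
        if not any(e["dst"] in r for r in ranges):
            hits.add((str(e["src"]), str(e["dst"])))
    return sorted(hits)


def lateral_movement(events, iot=IOT_NET, trusted=TRUSTED_NET):
    """IoT devices initiating connections into the trusted subnet."""
    return sorted({(str(e["src"]), str(e["dst"]), e["dport"])
                   for e in events if e["src"] in iot and e["dst"] in trusted})


# Constructed sample log: a doorbell making two connections per second for a
# full minute, a bulb hub contacting an unknown server, and two IoT devices
# probing a laptop on the trusted subnet. One garbage line tests the parser.
SAMPLE_LOG = "\n".join(
    [f"2024-05-03T02:14:{s:02d}Z src=192.168.20.12 dst=203.0.113.45 dport=443"
     for s in range(60) for _ in range(2)]
    + [
        "2024-05-03T02:15:03Z src=192.168.20.30 dst=198.51.100.7 dport=443",  # hub, expected
        "2024-05-03T02:15:09Z src=192.168.20.30 dst=192.0.2.99 dport=8443",   # hub, unexpected
        "2024-05-03T02:15:20Z src=192.168.20.12 dst=192.168.10.5 dport=445",  # doorbell -> laptop
        "2024-05-03T02:15:21Z src=192.168.20.40 dst=192.168.10.5 dport=22",   # vacuum -> laptop
        "2024-05-03T02:15:30Z src=192.168.10.5 dst=192.168.20.12 dport=443",  # laptop -> doorbell: fine
        "not a log line; the parser must skip it",
    ]
)


def report(text):
    events = parse_log(text)
    return {
        "events": len(events),
        "chatty": chatty_devices(events),
        "unexpected": unexpected_destinations(events),
        "lateral": lateral_movement(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds and allowlists are the part you must tune to your own home: a cloud camera legitimately uploads constantly while recording, so compare each device against its own normal week rather than against a fixed number. Any hit under "lateral" is the serious one, since an IoT device has no business opening connections to your laptop at all.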
How to set things up safely
If you do nothing else, do this — once, when you set up a new device. It saves long-term grief.
- Pick the device deliberately. Independent test labs (Stiftung Warentest, Consumer Reports, Which?, Que Choisir, AV-TEST IoT testing) publish IoT-specific reviews. A device that promises 5 years of updates is worth more than a device costing half as much that promised nothing.
- Read the data-collection policy in plain language, or ask an AI to summarise it. What does it record? What is sent off the device? Who sees it? For how long?
- Change the default password before the device touches the internet. Some still ship with admin / admin; so do many routers.
- Update its firmware immediately. The version it ships with is almost never the latest.
- Create a strong unique password for the manufacturer account. Turn on two-factor authentication on that account if offered.
- Put it on a separate Wi-Fi network for IoT devices (often called Guest network or IoT SSID on consumer routers). This keeps a compromised lightbulb away from your laptop and your backup drive.
- Disable any features you won't use — remote access, cloud recording, voice activation, third-party integrations.
- Check the device's location. A camera in a hallway is one thing. A camera in a child's bedroom is a different conversation.
- Write down what you bought and where it is. Within a year, you will not remember whether the camera at the back gate is even still powered. A simple note keeps an old device from becoming a forgotten weakness.
When the device is a microphone or a camera
These deserve extra thought.
- Position matters. What is in the frame? Doorways visible from the street are different from your bathroom.
- Storage matters. Local recording (SD card or network recorder) is more private than cloud-only. Cloud-only is more convenient but trusts the manufacturer's security forever.
- Consent matters. Anyone you record — guests, contractors, children old enough to understand — should know the device is there. In some countries, hidden cameras inside the home are illegal even when filming your own family.
- Bedrooms and bathrooms are rarely a good idea. The privacy cost almost always outweighs the security benefit. Other devices (door sensors, motion sensors, smart plugs) can answer the same questions without a microphone or a lens.
Network basics
Most smart-home risk lives on your Wi-Fi. A small amount of network hygiene goes a long way.
- Change the router admin password from whatever was on the sticker.
- Update the router firmware when prompted; if your router never offers updates, it is too old for serious use.
- Use WPA3 or WPA2 encryption on every network (not WEP, not "Open").
- Create at least two networks: one for your trusted personal devices (phones, laptops), one for IoT. Many routers do this in two clicks; consult your router's manual or ask an AI to walk you through your specific brand. Guest networks usually also stop devices from seeing each other, which is what you want for security but can break local control from your phone; if an app stops finding its device, look for the router's "allow guests to see each other" (or similarly named) setting rather than moving the device back to the main network.
- Turn off WPS, UPnP, and remote admin unless you actually need them. WPS lets a device join with a short PIN that can be guessed by brute force, UPnP lets any device on your network open ports in the router without asking you, and remote admin exposes the router's login page to the whole internet.
- Pick a router that is still supported by its maker. Consumer routers typically get only a few years of updates after launch, and the maker's end-of-support list is the only reliable way to know; old routers should be retired even if they still work.
What NOT to do
- Don't buy the cheapest no-name camera, doorbell, or lock. The price is paid in your privacy and the safety of the rest of your network. Reputable brands with public update commitments are worth the extra cost.
- Don't connect a device to your main Wi-Fi if you can put it on a separate IoT network instead.
- Don't keep using a device whose manufacturer has gone dark. No updates means no defence against newly discovered flaws.
- Don't ignore the firmware-update notification. That is your free protection from yesterday's vulnerability becoming tomorrow's compromise.
- Don't reuse passwords between manufacturer accounts. A breach at one company's cloud should not lead to your cameras at home being accessed.
- Don't trust "AI-powered" or "military-grade encryption" marketing. Look for an independent security audit, open standards, and a stated support period ("security updates until 20XX"). The rest is sales copy.
- Don't put a camera anywhere you would be embarrassed for the world to see, ever. Cheap indoor camera feeds end up on aggregator sites every year.
Use AI to help you
Audit your current setup:
"I have the following smart-home devices on my home network: [list each — brand, model, room, what it does]. My router is [brand, model] and it offers [list features — guest network, WPA3, separate SSIDs, etc.]. Please audit my setup and tell me (a) which devices are highest risk and why, (b) what configuration changes I should make first, in priority order, and (c) any devices I should consider replacing because the manufacturer no longer supports them."
Plan a separate IoT network:
"I want to put my smart-home devices on a separate Wi-Fi network from my computers and phones. My router is [brand, model]. Walk me through, step by step, how to set up a separate IoT network on this specific router. Note any limits or considerations for the devices to keep working as expected."
A reminder: AI doesn't know your current router firmware or the current vulnerability advisories for any specific device. Use it as a planner, then verify each step against the manufacturer's official documentation.
Who to call
Find the latest contacts for your country with AI:
"I'm in [your country] and I use the following smart-home devices: [list — brand, model, room, what it does]. List the official sources I should consult for IoT and smart-home security guidance — the national cybersecurity centre's IoT-specific page, the manufacturer's official security advisory page for each device I named, the router maker's support page for configuring a separate IoT network, the data-protection authority (for the legal rules on what these devices may record and share), and an independent IoT-testing organisation that has reviewed devices in my market. For each, give the official URL and public phone number where available. Cite each source. Flag anything that might be outdated, and note any country-specific certification (e.g. EU Cyber Resilience Act compliance) I should look for when I next replace a device."
- The device manufacturer's support for firmware updates, device-specific recovery, and breach notifications.
- Your router manufacturer for network-configuration help (often free chat or email support).
- Your country's cybersecurity centre for IoT-specific guides. Useful starting points: NCSC UK (ncsc.gov.uk), BSI für Bürger (DE), BACS / NCSC CH (ncsc.admin.ch), ENISA (EU), CISA (US), ANSSI (FR), AGID (IT), INCIBE (ES), CNCS (PT).
- Independent consumer-test organisations for current device comparisons (see the home-physical-security card for the country-specific list).
When to escalate beyond chat
- A camera or microphone shows clear signs of compromise — voices from the device that aren't yours, recordings going somewhere you don't recognise, motion alerts you didn't trigger. Disconnect the device immediately, change all linked passwords, report to local police if it involves children or if footage may have been recorded and exfiltrated. Save logs and the device for evidence if possible; don't factory-reset until you've spoken with police.
- A smart lock has been opened without your action — treat as a possible physical break-in. Change locks and lock codes; export the manufacturer's event log before it rolls over (many keep only recent door events); file a police report.
- A manufacturer has been breached and your devices may be exposed — change the password on the manufacturer account, replace authentication tokens, enable any new 2FA being offered, and re-link the devices. Watch for elevated phishing afterwards.
- A child reports that "the speaker is talking to me at night" — take it seriously, do not dismiss as imagination, disconnect the device and treat as compromised.
Related topics
- Home Physical Security — the physical decisions these devices support.
- Public Wi-Fi & Travel Safety — a home network full of untrusted devices behaves a lot like public Wi-Fi, and deserves the same caution.
- "Your Data Was Leaked" — what to do when your smart-home company is breached.
- "I've Been Hacked" — recovery when a manufacturer account is compromised.
Sources & references (internal — not rendered to the live page):
- ENISA — IoT Security guidance baseline
- Mozilla Foundation — annual "Privacy Not Included" buying guide
- AV-TEST — periodic IoT device security testing
- Krebs on Security — public reporting on consumer-IoT botnets and breaches
- EU Cyber Resilience Act — manufacturer obligations from 2027 onward