How-to: Put Security First in Smart Home

by - February 23, 2017

As you begin to explore Smart Home products and the Internet of Things industry, one common theme you will encounter is the emphasis on digital security. We’re big proponents of this careful approach, and we commend those who are vigilant and further the effort to protect the public from becoming victims of, or unwitting participants in, wide-scale attacks like the Mirai botnet, malware that was discovered running on thousands of video cameras and routers that had not been secured with a strong password. The malware allowed devices to combine computing power to deliver a Distributed Denial of Service attack on Dyn, a popular Domain Name Service provider for many large companies, on October 21, 2016. While the damage was temporary, 73 big-name brands like Amazon, Netflix, PayPal and Visa were forced offline for several hours by the attack. That is not at all insignificant in scale.

Tell us something new

If, at this point in our article, you’re already wondering how this affects your smart home, or you’ve convinced yourself that it doesn’t because you only buy from reputable companies or you’ve invested in all Apple HomeKit products, you may be mistaken. If you are not using highly randomized passwords for your devices and smart home apps, or if you have duplicated any passwords on any of the devices or services you use, you are at risk.

Rules are rules
The same password rules that apply to typical online behavior also apply where the smart home is concerned.

  1. Always use highly randomized passwords 
  2. Never duplicate passwords on any service or device 
  3. Never store your passwords in an insecure manner, such as an unencrypted plain text file on your computer, phone or tablet

Begin as you mean to go on...

A simple fact is, if you’re going to add IoT devices to your home and use apps on your smart devices, you’re going to need to provide an email address and password for every single one of them, so begin as you mean to go on. Use a secure means of automatically generating and storing passwords. Do it from here forward.

Our favorite is the very popular LastPass, where you only need to remember a single complex password, and it takes care of the rest. Automatically generating highly randomized and unique passwords, LastPass then securely stores them in the cloud where they cannot be lost, and will never be of value for theft, because they are encrypted until the moment you view or copy them on your own device.

Be a part of the solution

Using secure password generation is a major step in securing the Internet of Things; one that is unfortunately left entirely up to the end consumer at this point, rather than in partnership with experts like LastPass or 1Password. For example, while in-app automatic password generation, storage and autofill are all possible from within iOS, we're not aware of any consumer Smart Home apps that currently support the feature aside from IFTTT. Look for the keyhole icon as shown in the password field of the IFTTT login screen for iOS below. This indicates that the app supports autofill from LastPass, so tapping the icon will automatically launch your LastPass app, allow you to log in, and it will then fill in the username and password fields for you and sign you into the app. If the app does not have this icon, you must manually enter the email address in the app, switch to LastPass, search for the account, copy the password, return to the app, paste it into the password field and sign in.

So the next time you buy a new smart home device, follow one of our How-to: articles, or use a new app that needs a user login, don't allow your activity to be tracked by Facebook, Twitter or Google with an OAuth login, which may not be as secure as you are led to believe. Instead, we recommend you use a free email account created just for smart home services, and then generate a random password with your password manager app. Do it for that extra email account and do it for every app that needs a unique password, which is all of them.

Important to note

LastPass has been evaluated and is trusted by security experts, plus it’s now free on all devices, so there’s no excuse not to use it.

To maintain privacy, prevent unwanted advertising and for possible home resale, we recommend you register your smart home devices and apps with a free email account from companies like Google that place strong emphasis on the security of their user accounts and personal information.

Keep passwords long and random with special characters whenever allowed. The more complex the password, the more difficult it will be for software to reverse the protection put in place against such efforts. Since apps like LastPass store your passwords securely, you only need to copy and paste the password into the app when logging in.

Some devices and apps do not allow passwords to contain certain characters or exceed a certain length, but unfortunately the manufacturer will not always specify this, and while the password may be accepted, you sometimes won’t be able to log back in. We’ve also encountered situations where copy and paste of the password caused the account log-in to fail. Some of these situations are rare, and if you discover a limitation, we encourage you to reach out to the product or service support team to help them update their software to improve security and ease of use.
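The following is an added example, not part of the original article: a small generator that follows rules 1 and 2 above while respecting the length and character limits some devices impose. The policy names and limits are hypothetical values constructed for illustration.

```python
import math
import secrets
import string

# Hypothetical device policies, constructed for this example. Real limits have
# to come from the vendor's documentation or from testing a login after setup.
POLICIES = {
    "default":        {"max_len": 32, "symbols": "!@#$%^&*()-_=+"},
    "legacy-camera":  {"max_len": 16, "symbols": ""},  # letters and digits only
    "thermostat-app": {"max_len": 20, "symbols": "!@#-_"},
}

def _classes(policy):
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if policy["symbols"]:
        classes.append(policy["symbols"])
    return classes

def generate_password(policy_name="default", length=None):
    """Return a random password that fits the named policy."""
    policy = POLICIES[policy_name]
    length = min(length or policy["max_len"], policy["max_len"])
    classes = _classes(policy)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    # One character from each allowed class, the rest from the whole alphabet.
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # OS CSPRNG, not the default PRNG
    return "".join(chars)

def entropy_bits(policy_name, length):
    """Approximate upper bound on entropy: length * log2(alphabet size)."""
    alphabet_size = sum(len(c) for c in _classes(POLICIES[policy_name]))
    return length * math.log2(alphabet_size)

def reused_passwords(vault):
    """Map each password used by more than one account to those accounts."""
    seen = {}
    for account, password in vault.items():
        seen.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in seen.items() if len(accts) > 1}

if __name__ == "__main__":
    for name in POLICIES:
        pw = generate_password(name)
        print(f"{name}: {len(pw)} chars, ~{entropy_bits(name, len(pw)):.0f} bits")
```

A restricted device still gets a strong password: 16 letters and digits give roughly 95 bits, so length matters more than special characters when a device rejects them.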

Have a comment or question? Please give us your feedback in the comments section and do join us in the discussion on Twitter @smarthomeprimer where you'll find us posting about the latest news in IoT and smart home innovations.
