IoT explained

Internet of things and security

By Martin Pratt

New IoT products are released almost daily, but is enough being done to keep them secure? We look at the risks of having a connected home. 

Technology moves fast - updates are frequent and a new product is always on the horizon. The internet of things (IoT) is no exception. As more and more devices go online, concerns are being raised as to just how secure they are - and you can see in the video above what happened when we put this to the test. 

But are big-name manufacturers doing enough to make sure their smart gadgets are protecting our most private data from hackers and thieves?

You may think having an internet-connected kettle or thermostat would be low risk. What’s the worst that could happen? Surely, the prospect of impromptu, 2am water boiling would hold more appeal for a poltergeist than a hacker. But these devices are connected to your router. So if their security isn’t up to scratch, they could be used as an avenue into your home network. From there, thieves could access your laptop, phone and all the personal information inside.

Why isn't the internet of things secure?

The IoT industry is new, it’s moving fast and security can’t keep up - or, in some cases, it’s not factored in at all. Manufacturers want to take advantage of the craze and get their ‘smart’ products on the market as quickly as possible without considering how simple they could be to hack.

No precedent has been set for IoT security and, because much of the data collected by connected devices is perceived as low risk, security isn’t always seen as a priority.

Another reason IoT isn’t secure is the significant growth it has enjoyed. Five years ago, there were around eight billion internet-connected devices. In 2016 that number more than doubled to 22.9 billion. Some analysts predict that the number of devices will hit 75.4 billion by 2025 - that’s 10 devices for every person on the planet.

Current security measures weren’t built to cope with this number of machines all sharing information online, which is why more IoT devices need to improve their own security rather than relying on the routers.

One potential issue is how often we upgrade. Smartphones, laptops and tablets are the main way we interact with the internet and they receive regular software updates to improve security. Regular hardware updates boost security, too. Many of us upgrade our phones every two years – the same cannot be said of a fridge or washing machine, unless you buy an unreliable brand.

Unless manufacturers can guarantee that future updates to security will be frequent, robust and compatible with older models, that state-of-the-art appliance could become a large hole in your online safety net.

US retailer Target had its network hacked in 2013 and the details of 40 million credit cards were stolen. The thieves gained access through the company’s internet-connected heating system.

IoT hacks don’t just affect big business, either. Hackers were able to gain access to home networks through baby monitors. They streamed the videos of sleeping infants online to raise awareness of the lackadaisical security on some monitors. There were even reports of people talking to children through the microphones attached to the monitors.

The hackable home uncovered

Smart tech is a fast-moving sector, and our research has found that device security isn't keeping up. We asked researchers from SureCloud to try to hack into our smart-home devices and we were alarmed at how quickly they were able to infiltrate our home network.

They gained access to our smart hub, which gave them control over the devices connected to it. Once they'd hacked a smart plug they were able to turn off the fridge and cause havoc. This may seem more mischievous than dangerous, but they hacked a wireless security camera, too, which meant they knew when the house was empty. 

Even unassuming products can be problematic. SureCloud hacked a stuffed toy that can play messages to children from family members, but once it was compromised the researchers could play their own recorded messages, or even talk directly through it, if they were in range of the device.  

There are steps you can take to secure your smart devices - read our advice in five ways to protect your smart home from hackers - but we're also calling on manufacturers to make their smart products secure by design in the following ways:

  • Better default passwords - one of the first things you should do when you set up your new smart-home device is set your own password, but not everyone will, which is why we think that the defaults set by manufacturers should be more secure. '00000000' or 'password' just don't cut it - we would never recommend that someone chooses this kind of password, so manufacturers shouldn't either.
  • Safe set-up - setting up your new device should be simple, but we think the process should include security advice. It should explain the importance of a strong password and force you to change from the default one. It should also flag any other measures that can secure your device and network.
  • Regular security updates - hackers are always coming up with new ways to weasel into networks, and it's up to manufacturers to keep their devices as secure as possible with regular updates. If these updates aren't automatic, it should be stressed how important it is that they are installed. Finally, the process shouldn't be difficult - the app should tell you to update your device when you open it, with a prompt to download the update.
  • Vulnerable ports - if the virtual ports that allow devices to connect to the internet aren't secure, the devices are easier to hack. Manufacturers should recognise and fix these vulnerabilities before a product even launches.
  • Add more security measures - a strong password isn't the be-all-and-end-all of security. Adding two-step authentication would make smart devices much less susceptible to breaches.