IoT Security Guidelines

Overview

Be aware of the security and privacy risks posed by Internet of Things (IoT) devices so you can choose the balance that is right for you between convenience, which can be significant with some IoT devices, and risks to your data security and privacy, which can also be significant.

IoT devices include personal assistant devices (e.g. Amazon Echo), gaming systems, smart speakers, smart TVs, watches and wearables, streaming devices, smart thermostats and appliances, home security systems, and more.

IoT devices can collect a lot of personal data about you and your habits, sometimes without the device manufacturers informing you what is being collected or retained. This can leave your data vulnerable to exposure in the event of data breaches affecting the manufacturers and others they may share your data with. It can give attackers access to your personal information and the potential to compromise other devices on your networks.

Information

Best Practices for IoT Devices

Many of the best practices for securing IoT devices are the same as those for your other Internet-connected devices. Features vary from device to device, so not every best practice applies to every device. This is not an exhaustive list of best practices for configuring your IoT device. Check the device documentation for details about your options.

  • Review the privacy policy. Get the privacy policy from your device manufacturer and become familiar with it.
  • Review the privacy and security settings. Choose security and privacy settings you are comfortable with. Don't just accept the out-of-the-box settings, which tend to err on the side of sharing more information with the manufacturer rather than emphasizing your privacy.
  • Change the "wake" word that activates your device. Change the wake word to something unlikely to occur in everyday conversation and that visitors will not know. Be aware that devices can hear sounds through residence hall or apartment walls and through windows.
  • Use two-factor authentication. Protect the service account (for example, the Google or Amazon account) linked to the device by enabling two-factor authentication if it is offered.
  • Keep software and devices up to date. Regularly check for and install software and firmware updates. Enable automatic updates where available.
  • Connect the device to a trusted network.
    • Secure your Home Network and all devices connecting to it.
    • Members of the University of Oregon can connect their IoT devices to the University’s network. To connect, follow the steps here.
  • Set a strong, unique password for each device and service. Immediately change default passwords that come with the device, and do not reuse a password across devices or services.
  • Delete/erase stored recordings. On a regular basis, erase or delete recordings that your device may have saved (for example, voice commands).
  • Be careful about which accounts you connect to your device. Avoid connecting accounts with sensitive information. Disconnect accounts when no longer needed.
  • Use caution when connecting third-party extensions. Be aware of the personal information you are sharing with them.
  • Disable features you don’t use. Turn off the microphone and camera or mute the device when you aren’t using it. Turn off voice purchasing if not needed or set a purchase password to prevent inadvertent or unauthorized purchases.
  • Do not connect a debit card to a device. Only a credit card will shield you from full liability for fraudulent purchases. Debit cards do not offer the same protections; it is best not to use them for online purchases.
  • Consider blocking incoming voice and video calls. This prevents others from dialing in and listening in.