IoT Security Best Practices for Smart Home Devices

Smart home devices present a unique security profile — this guide covers the highest-impact controls: network isolation, changing default credentials, firmware updates, which device categories carry the most risk, and how to detect a compromised device. Updated 2026-05-08.

Why IoT Security Is Different

Smart home devices present a different security profile than computers and phones. They typically run stripped-down operating systems with no user interface for security configuration, receive infrequent firmware updates (or none at all after the manufacturer stops supporting them), and often have default credentials that owners never change. A compromised smart home device can be used as a foothold to scan and attack other devices on your network, participate in botnets, exfiltrate data from your network, or serve as a persistent access point for an attacker even after you think the problem is resolved.

The good news is that most IoT security risks are substantially mitigated by a small number of network-level controls that do not require device-by-device management.

Network Isolation: The Highest-Impact Control

Putting IoT devices on a separate network segment — either a guest network or a dedicated VLAN — limits what a compromised device can reach. A smart bulb that is breached cannot scan your NAS, access your computer's file shares, or intercept traffic from your phone if it is on a separate network with client isolation enabled. This single control addresses the most significant IoT security risk: lateral movement from a compromised device to the rest of the home network.

Most modern routers support a guest network that provides internet access while blocking access to the main LAN. More advanced routers and mesh systems support VLANs that can be mapped to separate SSIDs with firewall rules between segments. The guest network approach is sufficient for most homes; a VLAN-based IoT network provides more granular control for users who want to allow specific IoT-to-LAN communications (e.g., a local Home Assistant server that needs to reach IoT devices).

Device-Level Security Checklist

Action | Priority | Notes
Change default passwords on all devices | Critical | Many IoT devices ship with shared default credentials that are publicly known
Enable automatic firmware updates | High | Patches known vulnerabilities; most devices have this option in settings
Enable two-factor authentication on platform accounts | High | Protects Alexa, Google Home, HomeKit, and device app accounts from credential stuffing
Remove unused devices from the app and network | Medium | Devices that are no longer in use but still connected are an unnecessary attack surface
Use a unique strong password for the IoT Wi-Fi network | Medium | Separate from your main network password so IoT credentials are compartmentalized
Disable UPnP on the router if not needed | Medium | UPnP allows devices to open router ports automatically — a risk if a device is compromised
Review app permissions granted to each device's cloud account | Low | Revoke permissions for integrations and skills you no longer use

High-Risk Device Categories

Not all IoT devices carry equal risk. Devices that see or hear inside your home (cameras, microphones, baby monitors), control physical access (smart locks, garage door openers), or connect to safety systems (smoke detectors, alarm systems) warrant extra scrutiny. For these devices, prefer brands with documented security practices and active firmware update programs, avoid extremely cheap no-name devices with unknown firmware provenance, and isolate them on a network segment with outbound internet access restricted to only the vendor's servers where possible.

Frequently Asked Questions

Is a smart lock safe to use?

Yes, when chosen carefully and configured correctly. Look for smart locks that use end-to-end encrypted communication (Z-Wave with S2 security or Zigbee with link-key encryption, or HomeKit which mandates encryption), require physical presence or a secure app for code changes, and have a strong track record from the manufacturer. Enable two-factor authentication on the lock's app account — this is the most likely attack vector. Avoid smart locks that use only Bluetooth without additional authentication, and do not use locks from manufacturers with no security disclosure history or that have not issued firmware updates in years.

Can smart home devices be used to spy on me?

Technically, devices with microphones and cameras can be used to capture audio and video if compromised or if the vendor's cloud is breached. The practical risk for well-known brand devices with active firmware updates is low, but not zero. Mitigations: use local-processing platforms (HomeKit, Home Assistant) where audio processing happens on-device rather than in the cloud, physically cover camera lenses on unused cameras, use smart speakers that have a hardware mute switch, and prefer devices with documented privacy policies from companies with reputational incentives to protect user data. The highest risk is from no-name cameras and baby monitors with unknown firmware that ship with hardcoded credentials and no update mechanism.

How do I tell if an IoT device has been compromised?

Signs include: the device stops responding normally while still online, unusual outbound traffic from the device's IP on your router's traffic monitor, connections to unfamiliar IP addresses or countries, the device's indicator lights behave unexpectedly, or your router logs show the device scanning other local IP addresses. If you suspect compromise, factory reset the device, update its firmware before reconnecting, change the Wi-Fi network password it was using, and check your router for any port forwards the device may have opened via UPnP.
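As an added example (not part of the original guide), the following script applies two of the indicators above, connections to unfamiliar addresses and scanning of other local hosts, to router connection-log lines. The log format, the device addresses, the per-device vendor networks and the sample lines are all constructed for the example; a real router exports a different format and the vendor allowlist comes from your own observation of each device's normal traffic.

```python
import ipaddress
from collections import defaultdict

# Constructed allowlist: the vendor networks each tracked device is expected to talk to.
VENDOR_NETS = {
    "192.168.50.21": [ipaddress.ip_network("203.0.113.0/24")],   # camera -> vendor cloud
    "192.168.50.22": [ipaddress.ip_network("198.51.100.0/24")],  # smart plug -> vendor cloud
}
HOME_NET = ipaddress.ip_network("192.168.0.0/16")  # everything inside the home
SCAN_THRESHOLD = 5  # distinct local hosts contacted before we call it a scan

# Constructed router log lines: "<epoch> <src_ip> <dst_ip> <dst_port> <bytes>"
SAMPLE_LOG = """\
1715000000 192.168.50.21 203.0.113.10 443 1200
1715000001 192.168.50.21 203.0.113.10 443 900
1715000002 192.168.50.22 198.51.100.7 8883 300
1715000003 192.168.50.22 192.168.1.10 22 60
1715000003 192.168.50.22 192.168.1.11 22 60
1715000003 192.168.50.22 192.168.1.12 22 60
1715000004 192.168.50.22 192.168.1.13 22 60
1715000004 192.168.50.22 192.168.1.14 22 60
1715000005 192.168.50.22 192.0.2.99 6667 80
"""

def parse(log_text):
    """Yield (ts, src, dst, port, nbytes) per well-formed line; skip anything else."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        yield int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)

def analyze(log_text, vendor_nets=VENDOR_NETS, scan_threshold=SCAN_THRESHOLD):
    """Return {device_ip: sorted findings} for two of the guide's indicators:
    connections to unfamiliar (non-vendor) addresses, and scanning of local hosts."""
    local_targets = defaultdict(set)
    findings = defaultdict(set)
    for _, src, dst, port, _ in parse(log_text):
        dev = str(src)
        if dev not in vendor_nets:
            continue  # not an IoT device we track
        if dst in HOME_NET:
            local_targets[dev].add(dst)  # device reaching for neighbours on the LAN
        elif not any(dst in net for net in vendor_nets[dev]):
            findings[dev].add(f"unfamiliar destination {dst}:{port}")
    for dev, hosts in local_targets.items():
        if len(hosts) >= scan_threshold:
            findings[dev].add(f"scanning {len(hosts)} local hosts")
    return {dev: sorted(f) for dev, f in findings.items()}
```

On the sample log the camera is clean, while the smart plug is flagged both for touching five local hosts and for an outbound connection outside its vendor's range; the same findings are what a guest-network or VLAN firewall should have blocked in the first place.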
