From smart fridges to connected teddy bears, TVs, thermostats and many more, internet-enabled consumer devices continue to grow in popularity. By 2020, the world will have more than 200 billion connected devices, most of them in our homes, according to Intel.

The idea of criminals spying on us through our devices gives us the chills, but it can happen. One example is the Cayla doll, which went to market with such serious security flaws that German authorities banned it.

Another problem is that if security on these Internet of Things (IoT) devices is poor to begin with or neglected, the devices can be hacked and used to conduct denial-of-service and other attacks.

But there are things consumers can do.

1. Secure your modem and router. The U.S. Federal Trade Commission advises:

  • Change the name of your router from the default.
  • Change your router's pre-set password(s).
  • Turn off any “Remote Management” features.
  • Log out as administrator once you’ve set up your router.
  • Keep your router up-to-date with new firmware, as it’s released. Check the manufacturer’s website periodically for new releases.
  • Use encryption like WPA2 or the new WPA3 and require users to enter a password to connect to your network.

2. Avoid buying something with connectivity if you don’t need the connectivity.

“But sometimes that is not possible, because today’s products may have a feature set that includes connectivity that comes automatically,” explains Andrew Jamieson, technology and security director at UL.

3. Therefore, understand the connectivity of the product when making the purchase decision, Jamieson says, and what implications that has for your privacy. This includes asking: If you don’t want that connectivity, can you turn it off? What does it mean if you turn the connectivity off? Can you still use it? Can you change the password? How secure is it?

This also means considering whether certain products, especially connected dolls and other children’s toys, are worth the risks. According to the FBI, “Companies collect large amounts of additional data, such as voice messages, conversation recordings, past and real-time physical locations, internet use history, and internet addresses/IPs. The exposure of such information could create opportunities for child identity fraud.” Here are some additional considerations and security precautions for connected toys.

4. Put IoT devices on their own special guest network. That way, if an IoT device gets hacked, the entire network isn’t compromised. Check your router’s manual, or the manufacturer’s website, for details on setting up a guest network.

5. When you buy a connected device, update the device with a good password. Then, continue to maintain its security by applying the new security patches that the manufacturer rolls out, Jamieson says.

Also, when it comes to passwords, never use a password in more than one place. This can be difficult because we have so many passwords, so consider using a password keeper app. Or, write down the password and store it in your house.

“I know everyone has told you not to, but you are more secure writing down a strong, unique password and keeping it somewhere in your house, than you are using a standard password across the web,” says Jamieson. “If you’re storing the password in your house, the threat model is that someone has to break into your house, find the book it’s stored in, understand it’s valuable and understand the service it’s tied to.”

Jamieson adds: “Also, try putting your email into the services at Have I Been Pwned, which will let you know if your details have been involved in one of the data breaches that have occurred recently.”

6. If your service/product offers multi-factor authentication (MFA), consider enabling the MFA.

“There’s a new authentication process called fast ID online (FIDO) that’s strong and robust. That’s something you can look to. You can use physical security keys to log into devices,” Jamieson points out.

Other forms of MFA can include short message services, which send you a text or email with a code that you must enter along with your password.

7. Turn off any cameras and microphones in devices when not in use. This is so that the devices don’t accidentally record because of misheard commands.

8. Protect your data, as companies are capturing your data and, often, selling it.

“There’s a common saying that if the product or service is free, then you are the product/service. If you’re not paying for it, you’re paying for it through your data and time,” Jamieson says. “Photos; documents; information on bike-sharing or scooter-sharing services of when you’re going, how you’re going, and where you’re going – it’s all collected and shared. Think about the information you’re giving out. It might not be personal to you, which is fine, but the data may be quite sensitive. It may be where you live, where and what type of doctor you’re visiting, or when your home is empty. Also, it can be used outside of the context in which you shared it by aggregating multiple sets of data, which is something to take into consideration before you put your information out there.”

Bottom line: Understand what it’s being used for, and if it’s being shared and how it’s being shared. Do your due diligence to the extent you can.

9. Understand why a product is priced as it is. For instance, if a connected teddy bear is priced $10 more than a different brand, perhaps that extra money is because the higher-priced product is more secure, and since it’s going into your kids’ room, that extra money might be worth it to you, Jamieson explains.

Price doesn’t always reflect security, but in the case of connected devices, it may, which brings you to the next step.

10. Choose a manufacturer known for security. Research the manufacturer. Read Consumer Reports and other reviews of the manufacturer and product to learn about the manufacturer’s reputation for security and about the security of the product itself.

UL offers a series of Standards within UL 2900 to assess security of connected devices. These Standards apply mainly to medical and industrial devices, with the end goal to confirm that the devices adhere to applicable security Standards. Manufacturers must resubmit their product every year for new testing, since security threats evolve.

“We hope that in the future, we can create Standards meant to assess the security risk profile of consumer products too, and be part of the consumer’s purchase decision in terms of security the same way UL Standards are with safety,” Jamieson says.

To that end, UL is working on this. You can stay up to date by checking for information on consumer product safety by using the keyword search “CYBR” at this website.

With the proliferation of connected devices throughout our homes, protecting your data is more important than ever, and so is following these steps.