Guidance for Consumer IoT Devices

The risks of using consumer IoT devices such as Amazon Echo and Alexa, remotely controlled lighting, and a variety of others can be reduced, but not completely eliminated, by careful configuration of the devices. Default settings often leave openings for malicious actors. Configuring devices with a systematic approach lowers, but again does not eliminate, your risk in owning and operating consumer-grade IoT devices.

Consider the following guidance for configuration and device preparation:

1. Change default usernames and passwords.
2. Use strong passwords and employ best practices to keep passwords secure.
3. If possible, disable unused ports and services on the device.
4. Review default settings of the device.

  • Turn off or disable features that you don’t need.
  • Determine your device’s model number.
  • If possible, determine your device’s firmware version.

5. Identify the ‘patch plan’ for the device. Determine:

  • How does the device get updates?
  • What triggers updates?
  • Are updates automatic or manual?
  • How are you alerted about updates?

6. Do not deploy the device on public IP addresses.

  • Use a service such as UW-IT’s 10net instead for private addressing.

7. Use Two-Factor Authentication (2FA) if the device supports it.
8. Use strong encryption for WiFi connections.
9. Determine how the device responds after an outage.

  • Does the device come back up in the same configuration?
  • Note that some devices reboot in the default configuration.
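As an added example (not UW-IT's code or part of this guidance), a small Python audit script that applies items 1 to 9 above to a device inventory record: an RFC 1918 address check for item 6, a settings diff across a reboot for item 9, and flags for the remaining items. The record fields, the sample device and the reboot snapshots are constructed assumptions.

```python
import ipaddress

# RFC 1918 ranges; a device on any other address is treated as publicly reachable.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private_address(addr: str) -> bool:
    """True only for RFC 1918 addresses (e.g. a 10net assignment)."""
    return any(ipaddress.ip_address(addr) in net for net in PRIVATE_NETS)

def audit_device(device: dict) -> list:
    """Return the checklist items (1-8) that an inventory record fails."""
    findings = []
    if device.get("default_credentials"):
        findings.append("default username/password still in use")
    if not device.get("model"):
        findings.append("model number not recorded")
    if not device.get("firmware"):
        findings.append("firmware version not recorded")
    if device.get("update_method") not in ("automatic", "manual"):
        findings.append("patch plan undetermined")
    if not is_private_address(device["ip"]):
        findings.append(f"deployed on public address {device['ip']}")
    if device.get("supports_2fa") and not device.get("2fa_enabled"):
        findings.append("2FA supported but not enabled")
    for svc in device.get("open_services", []):
        if svc not in device.get("needed_services", []):
            findings.append(f"unneeded service exposed: {svc}")
    return findings

def config_drift(before: dict, after: dict) -> dict:
    """Settings whose value changed across an outage (item 9): key -> (before, after)."""
    keys = set(before) | set(after)
    return {k: (before.get(k), after.get(k)) for k in sorted(keys) if before.get(k) != after.get(k)}

# Constructed sample records for a hypothetical device (not real inventory data).
SAMPLE_DEVICE = {
    "model": "SmartPlug-X1", "firmware": None, "ip": "203.0.113.5",
    "default_credentials": False, "update_method": "unknown",
    "supports_2fa": True, "2fa_enabled": False,
    "open_services": ["http", "telnet", "mqtt"], "needed_services": ["mqtt"],
}
CONFIG_BEFORE = {"admin_password_changed": True, "telnet": "off", "auto_update": "on"}
CONFIG_AFTER = {"admin_password_changed": False, "telnet": "on", "auto_update": "on"}

if __name__ == "__main__":
    for finding in audit_device(SAMPLE_DEVICE):
        print("FAIL:", finding)
    print("drift after reboot:", config_drift(CONFIG_BEFORE, CONFIG_AFTER))
```

Taking a configuration snapshot before a deliberate power cycle and diffing it afterwards with `config_drift` shows whether the device silently reverted to its defaults.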

Additional things to consider:

Will the data the device generates be sent back to the manufacturer or other parties? If yes:

  • What type of information will they have access to?
  • How will they secure the data?
  • How will they use the data?
  • Will they share the data with others?