The ICO exists to empower you through information.

Lots of people now have ‘smart’ or internet-connected devices in their homes such as TVs, connected toys, kitchen appliances, video cameras, baby monitors, music systems and storage devices allowing photos and documents to be accessed online.

It can be very useful to have connected devices in your home, particularly where you can access them over the internet whilst you are elsewhere, but when you set up and use these devices you need to make sure that you aren’t at risk of revealing your personal details to other people.

We’ve been working with the Government, industry experts and manufacturers about these issues, and as part of this the Department for Digital, Culture, Media and Sport (DCMS) has released consumer guidance on connected devices. This is part of DCMS’s “Secure by Design” project and features some key messages and recommendations to help you secure your connected devices.

On this page, we’ve included some simple security steps you can take today to improve the security of your connected devices. These have been used in our contributions to DCMS’s consumer guidance, and also cover additional steps that may help you.

If you don’t consider these issues, you could find your personal data easily accessible by popular search engines, casual browsing or more determined attackers who could then use your equipment to mount attacks on others or even take your personal data to commit identity fraud.

What actions should I take?

If you are using these devices you should consider the following:

Research the security of a product before buying

Connected devices are no different to other products you purchase in that you should conduct some research about which one is right for your needs before buying. Look for reputable reviews, and pay particular attention to whether or not any guarantees are given by the manufacturer about product updates in the future if a security issue is identified.

Is your router secure?

If you’ve installed a device in your home and connected it to your network, the default settings of your router might be exposing it to the internet. It may therefore be visible to other online users, potentially including attackers who may use it to access your network and the information stored there.

If you want to access that device from outside your home then it needs to be accessible from the internet, but whilst some devices require some form of password protection, others either don’t or they use a default (and potentially discoverable) password. If there is no protection in place, your personal information could even become available on popular search engines.

Change passwords and usernames from default

If you only take one security step when getting any new device, make sure you set a strong password – one that should not be known by anyone else or be easy to guess. Computers can also attempt to crack many different passwords automatically so a strong password also needs to be as long as possible, and should contain upper and lowercase letters, numbers and special characters (eg $ # @ and ]).

When you begin using your device you may be given a simple default password that you’ll need to enter to get it working. This might be blank or something as simple as ‘password’ or ‘123456’. Even if it isn’t, the default passwords many manufacturers use are freely available online (one common source being operating manuals, which can be downloaded from manufacturers’ websites) so make sure you change them. If the device doesn’t have a password, then you should set one up.

Remember, if the password is easy to guess or known to attackers they will be able to gain access to the device in the same way that you do.

You can get more information about choosing better passwords at Get Safe Online and Cyber Streetwise. You should also use a different password for each account and device because if one is obtained by an attacker the others will still be safe. A password manager can help you in remembering and setting secure passwords and we would recommended using one.

Manage your online account

To setup and manage your device, you may need to create an account on an online service, such as one offered by the manufacturer or alternatively by a service provider.

This won’t always be the case – it depends on the device, and any associated online services that come with it. However, if you need to set up an online account you also need to take additional steps to manage it properly.
The main one is to make sure that you use a strong password for the account, as well as using a strong password on the device itself.

Ideally, you should not use the same passwords for both, although this may be complex for you to manage.

If there’s a two-step authentication option – use it

Two-step authentication offers you an additional layer of security when logging in to an online service.

Whilst few devices will offer this service, the website you use to view the data might. It often works by asking you to enter your username and password as well as some other method of authentication; for example, by sending a code to your mobile phone or email account that you must enter during the login process. Sometimes you can have a separate device which generates these codes.

Using two-step or two-factor authentication means that if your username and password are compromised, a criminal cannot gain access to your account data without also compromising your mobile phone or code generator. Therefore if you have this option turned on, your information has a much greater chance of remaining secure.

Keep updating your software and apps

Over time, problems can be found in the software running on these devices which can only be fixed by installing updates provided by the manufacturer. You might find it easier, where possible, to set your device to automatically update – so check to see whether you can enable these. You should be prompted when a new update is ready to install, usually via a pop-up message or from the settings menu of an app or the device itself.

Where automatic updates are not available, or where you need to install an update manually, check the manufacturers’ website to see if there have been any updates that address known security vulnerabilities and install these updates in a timely manner. This includes your router.

But be warned: updating the software of a device can overwrite the data or settings so check the manual and make sure you have a backup of your data and/or configuration settings.

Vulnerabilities can also be found in any apps that you use along with your device – this may mean that although the device is still secure, the app itself may not be. However, apps generally get updated by the app store from where you installed them, eg Google Play or Apple’s App Store. You should however be aware that this does require the app developer to make an update available first.

If you become aware of an incident in the media

There are many types of consumer devices in widespread use. This means that a vulnerability can affect thousands or even millions of these devices.

If you hear about an incident in the media and think it affects your device, you should first visit the manufacturer’s website to see if there’s information available on what you should do next. You may have to update your device manually, or there a patch may be made available.

You should also check the ICO’s website and social media, as well as the website of the National Cyber Security Centre, to see if there is any specific assistance that will help you.

Further advice on your consumer rights can be found at Citizens’ Advice, and on websites such as Which.