In addition, 51% of companies that have adopted IoT technology planned to increase their budgets for it last year.
The problem is so serious that it has even come to the attention of the World Economic Forum. The organization warns that IoT has become the target of the dark web, where hackers often exploit vulnerabilities that give them access to a huge number of victims.
A study by Check Point Research, published in 2023, shows that 54% of organizations face such attacks on a weekly basis. Organizations in Europe are most affected by the phenomenon, followed by Asia-Pacific and Latin America. The study shows that hackers prefer easy targets, like companies that provide internet access services and institutions in education, which give them access to a large number of users.
In February 2025, an IoT security breach led to the leak of 1.17 TB of data, following an attack that targeted smart lighting devices produced by a Chinese company, according to HackRead. The leaked sensitive data included Wi-Fi passwords, IP addresses, email addresses, and more. Research by Palo Alto Networks shows that 57% of IoT devices are highly vulnerable and 98% of the data they share is unencrypted.
Hackers are not the only ones we should be afraid of, Alex Ștefănescu says. There are also other kinds of dangers.
For example, sometimes these devices become temporarily unavailable due to an update. Although the scenario may seem harmless, an outage of even a few minutes can have serious consequences for equipment such as surveillance cameras or insulin pumps for diabetes patients.
Be careful who you allow access to your home devices
Another dangerous scenario, Ștefănescu explains, is that IoT devices can be used in cases of domestic violence or unwanted intrusions. “When we share access to such devices with our partner or roommates, we risk exposing ourselves to an invasion of privacy when those people are no longer welcome, but their access to the devices persists”.
The programmer talks about a known flaw in Alexa speakers. As long as the speaker is connected to both your account and your ex-roommate’s account, your ex-roommate could send you short audio messages through the speaker, like an intercom, even after they’ve moved out.
“The Amazon speaker records a few seconds after I get the message, as if I might reply. If someone sends me a five-second silent message, the speaker will record ambient noise and may expose my privacy to potential abuse”, she explains in the interview for Panorama.
Amazon recently removed a security option from its Echo smart speakers. Now, users can no longer choose not to have their voice recordings sent to Amazon or saved.
Design and regulation are the first line of defense
Data security needs to become a priority for tech companies, as the digital environment expands.
An effective approach is the privacy by design principle, which aims to protect users and their data through deliberate choices companies make when designing their devices.
- Manufacturers should anticipate invasive scenarios and integrate design solutions to prevent them.
- They should implement “filters” that prioritize data protection throughout the product design, capable of working throughout the product lifetime, such as end-to-end encryption.
- They should integrate data security considerations from the beginning of every project and conduct detailed studies to understand how their products could affect users.
- Data collection should be limited from the start so that devices only collect and store a small amount of information.
The “Security Issues for Internet Appliances” study, published on the University of Cambridge website, analyzes the security of IoT devices and proposes solutions to improve it:
- Cyclical Suicide architecture, which prevents malware from permanently infecting devices during upgrades.
- Implementation of remote intrusion detection systems.
- The need to integrate the security of IoT devices from the design stage, as this is a complex issue that goes beyond the technological sphere.
Privacy by design puts users’ security first and can be continuously adapted to new regulations as technology evolves.
The GDPR regulation also provides strong levers to prevent abuse by tech companies. Although comprehensive, it has often been demonized by the public since its implementation in 2018, being perceived as a hindrance. Small companies are hit the hardest because they can’t pay the fines, while large companies frequently break the rules and assume the penalties. Sometimes, the regulation is also used to prevent journalists from accessing information of public interest, so it is misused, Ștefănescu explains.
The expert also points to a perception problem in society: although legislation offers protection in various areas, there is widespread distrust of regulations that are perceived as corrupt, and civic engagement is low.
“The citizen must also contribute to regulation, by assuming greater participation. There are public debates where specialist expertise is valuable. There are also ways in which citizens can influence power, such as petitions or requests for information. This should be an ongoing activity”, says Ștefănescu.
Problems also occur because many of the people who end up dealing with these regulations are not necessarily IT specialists, she points out.
10 tips: how to protect yourself against IoT’s security risks
Security problems with smart devices often start with users who don’t set them up or use them correctly and, this way, leave them exposed to abuse.
Here are some rules for using IoT devices safely, no matter what type they are:
- Read the user manual. Make sure you go through the document and understand how your device works and what it is capable of. This will help you better assess potential security risks.
- Suitable settings. Explore the device’s menu and make sure the settings are right for your needs. If you know a device doesn’t need location tracking to work, turn it off. Allow only the collection of strictly necessary data. This way, you will limit both abuse by companies and the risk of a cyber attack.
- Strong passwords. Change your default passwords to personalized, complex ones – use capital letters, numbers, and special characters. It’s much easier to crack “lollipop” than “aT45*%up”. Ideally, change passwords regularly.
- Two-factor authentication (2FA). Each time you log in you will need a code generated automatically on your phone or other device. This makes it more secure than a password you use repeatedly.
- Software updates. Don’t overlook updates – they often fix security vulnerabilities and help you better protect your device.
- Encryption. If there are options about this in the menu, enable them – they make the data hard to read. When surfing the web via your browser, check if the web address starts with “https://”, a sign that you have a secure connection.
- Network access. Limit device access to the network – either through a firewall or network segmentation. These limitations will allow only partial data exchange with the network.
- Devices from well-known companies. Stay away from smart devices produced by obscure companies you know little about. Big manufacturers tend to comply more strictly with security regulations and standards.
- Get informed and check the settings regularly. If you have suspicions, look for information about possible security incidents related to your device; they are usually reported by companies or publications. Check your settings regularly.
- “Digital hygiene”. Always determine whether you really need a new gadget. If you choose to use IoT devices, learn how they work and don’t accept all settings automatically. Pay attention to your online behavior and practice a “digital hygiene” that puts data protection first.
Decades ago, we dreamed of having homes like the Jetsons’ digitized home. Even if that future is still a long way off, now the fridge can get online by itself, we address our speakers as we would a friend, and we give our vacuum cleaners funny names in the apps we control them with.
But it all comes with concerns about data security, dealing with potential problems, and the question of how much access we give the gadgets to our private lives.
Digitizing our lives has made us smarter, but more vulnerable. We can only protect ourselves if we remain vigilant and “technologically literate”.