Critical mitigations

Change default passwords

Reduces risk from: credential stuffing, brute-force attacks, Mirai-style botnets.

Applies to: cameras, doorbells, routers, smart plugs.

How to:

  • Do not keep factory defaults.

  • Use a unique, strong password generated by a password manager.

  • For devices without password protection, segment them on a guest network.

Disable unused features

Reduces risk from: eavesdropping, unauthorised recordings, data leaks.

Applies to: smart TVs, voice assistants (Alexa, Google Home), robot vacuums.

How to:

  • Smart TVs: disable voice control and ambient mode (Samsung, LG settings).

  • Alexa/Google Home: use the hardware mute switch when not in use.

  • Robot vacuums: disable cloud mapping if local storage is available.

Block internet access

Reduces risk from: remote exploits, firmware hijacking, data exfiltration.

Applies to: smart lights, thermostats, fridges, and most appliances.

How to:

  • Router: use client isolation or VLANs (ASUS, TP-Link guest network settings).

  • Firewall rules: block devices from WAN access (UniFi, pfSense).

  • Offline mode: use Zigbee or local-only devices where possible (Philips Hue with local hub).
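The segmentation rules above are easier to get right when the intended policy is written down and checked before it is typed into the router. The following is an added example, not configuration from the page or from any router vendor: a first-match model of an IoT VLAN firewall chain (IoT may not reach the trusted LAN or the internet except for NTP; the LAN may reach IoT devices; replies to allowed connections pass). The subnets, interface roles and the NTP exception are constructed assumptions.

```python
"""First-match model of an IoT segmentation policy (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.1.0/24")    # trusted phones/laptops (constructed)
IOT = ip_network("192.168.20.0/24")   # dedicated IoT VLAN (constructed)
ANY = ip_network("0.0.0.0/0")         # everything, including the WAN


@dataclass(frozen=True)
class Rule:
    src: object            # ip_network the source must belong to
    dst: object            # ip_network the destination must belong to
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any destination port
    action: str            # "accept" or "drop"
    note: str


# Ordered exactly like a firewall chain: the first matching rule decides.
POLICY = [
    Rule(IOT, LAN, None, None, "drop",   "IoT never initiates into the trusted LAN"),
    Rule(LAN, IOT, None, None, "accept", "LAN may reach cameras, hub, TV"),
    Rule(IOT, ANY, "udp", 123, "accept", "NTP so device clocks stay correct"),
    Rule(IOT, ANY, None, None, "drop",   "no other IoT egress, including IoT-to-IoT"),
    Rule(ANY, ANY, None, None, "accept", "default for the rest of the network"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    established: bool = False   # reply packet of a connection already allowed


def evaluate(flow: Flow, policy=POLICY):
    """Return (action, note) for the first rule the flow matches."""
    if flow.established:        # stateful firewalls pass return traffic first
        return "accept", "established/related"
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for r in policy:
        if (src in r.src and dst in r.dst
                and (r.proto is None or r.proto == flow.proto)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action, r.note
    return "drop", "implicit default deny"


def policy_holds() -> bool:
    """The invariants a segmented IoT network should satisfy (constructed hosts)."""
    cases = [
        (Flow("192.168.20.5", "203.0.113.9", "tcp", 443), "drop"),          # IoT -> WAN
        (Flow("192.168.20.5", "203.0.113.9", "udp", 123), "accept"),        # IoT -> NTP
        (Flow("192.168.20.5", "192.168.1.10", "tcp", 445), "drop"),         # IoT -> LAN
        (Flow("192.168.20.5", "192.168.20.6", "tcp", 80), "drop"),          # IoT -> IoT
        (Flow("192.168.1.10", "192.168.20.5", "tcp", 554), "accept"),       # LAN -> camera
        (Flow("192.168.20.5", "192.168.1.10", "tcp", 554, True), "accept"), # camera reply
        (Flow("192.168.1.10", "203.0.113.9", "tcp", 443), "accept"),        # LAN -> WAN
    ]
    return all(evaluate(f)[0] == want for f, want in cases)


if __name__ == "__main__":
    print("policy holds:", policy_holds())
```

Rule order is the point: the IoT-to-LAN drop sits above the NTP exception so an IoT device cannot use port 123 as a path into the LAN, and the catch-all drop for IoT egress comes before the network-wide accept. When you translate this into pfSense or UniFi rules, keep the same top-to-bottom order.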

Smart TV lockdown

Risks: malvertising, built-in cameras or microphones, unpatched firmware.

Steps:

  1. Disable ACR (Automatic Content Recognition):

    • Samsung: Settings → Support → Terms & Policies → disable “Viewing Information”

    • LG: Settings → All Settings → General → About This TV → turn off “Live Plus”

  2. Block telemetry with Pi-hole or router DNS filtering (block samsungads.com, lgad.cdn.lge.com).

  3. Use a streaming stick on a separate network to contain risk.
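Step 2 is only effective if the TV actually sends its lookups through the filtering resolver, so it is worth checking what each client still asks for. The following is an added example, not Pi-hole's own code: it reads dnsmasq-style query lines (the format Pi-hole keeps in pihole.log) and reports, per client, how often a blocklisted domain or any of its subdomains was requested. The log lines are constructed; the blocklist starts from the two domains named in step 2.

```python
"""Audit DNS query logs for telemetry domains (added example)."""
import re
from collections import defaultdict

# Seeded with the two domains the checklist blocks; extend as needed.
TELEMETRY_BLOCKLIST = {"samsungads.com", "lgad.cdn.lge.com"}

# dnsmasq/Pi-hole query line: "query[A] example.com from 192.168.20.11"
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")


def is_blocked(name, blocklist=TELEMETRY_BLOCKLIST):
    """Match the domain itself or a subdomain, on a label boundary only,
    so 'notsamsungads.com' is not caught by the 'samsungads.com' entry."""
    name = name.lower().rstrip(".")
    return any(name == entry or name.endswith("." + entry) for entry in blocklist)


def parse_query(line):
    """Return (qtype, name, client) for a query line, or None for other lines."""
    m = QUERY_RE.search(line)
    return (m.group("qtype"), m.group("name"), m.group("client")) if m else None


def audit(lines, blocklist=TELEMETRY_BLOCKLIST):
    """Map client -> {blocked domain: number of queries}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue                       # replies, cached answers, etc.
        _, name, client = parsed
        if is_blocked(name, blocklist):
            hits[client][name.lower()] += 1
    return {client: dict(counts) for client, counts in hits.items()}


# Constructed sample: a Samsung TV at .11 and an LG TV at .12 on the IoT VLAN.
SAMPLE_LOG = """\
Mar  1 20:01:02 dnsmasq[812]: query[A] samsungads.com from 192.168.20.11
Mar  1 20:01:02 dnsmasq[812]: query[A] config.samsungads.com from 192.168.20.11
Mar  1 20:01:05 dnsmasq[812]: query[A] notsamsungads.com from 192.168.20.11
Mar  1 20:01:07 dnsmasq[812]: query[AAAA] lgad.cdn.lge.com from 192.168.20.12
Mar  1 20:01:09 dnsmasq[812]: query[A] ota.example.net from 192.168.20.12
Mar  1 20:01:09 dnsmasq[812]: cached ota.example.net is 203.0.113.20
""".splitlines()

if __name__ == "__main__":
    for client, counts in audit(SAMPLE_LOG).items():
        print(client, counts)
```

Run the same audit after enabling the blocklist: a client that never shows up again either stopped asking or is resolving elsewhere, which is why a firewall rule that forces all IoT DNS to the router's resolver belongs next to the Pi-hole entry.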

Camera security

Risks: live feed exposure from credential reuse, weak or absent encryption.

Steps:

  1. Enable end-to-end encryption:

    • Google Nest: Settings → Camera → “End-to-end encryption”

    • Eufy: enable “Local Storage Mode”

  2. Enable two-factor authentication on all camera apps.

  3. Physical privacy: lens covers rather than software-only off switches. Point cameras away from private areas.

Devices worth avoiding

  • No-name brands with no documented security or update history.

  • Devices requiring proprietary cloud services with no local control option.

  • Smart locks without physical key override.

Defence in depth for IoT

  • Network segmentation: IoT on a dedicated VLAN.

  • Firmware updates: enable auto-updates or check monthly.

  • Traffic monitoring: Wireshark or Fing for detecting unusual outbound connections.
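"Unusual outbound connections" only means something against a baseline of what each device normally does. The following is an added example, not part of the page and not Wireshark or Fing code: it learns a per-device set of (destination, port) pairs from a quiet period, then flags later flows that go somewhere new, use a port outside the expected service set, or upload far more than usual. The CSV flow records and thresholds are constructed; a real feed would come from a router flow export or a capture summary.

```python
"""Baseline-and-deviation check for IoT outbound traffic (added example)."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed thresholds: ports an IoT device is expected to use, and an
# upload size above which a single flow is worth a look.
EXPECTED_PORTS = {53, 123, 443, 8883}
UPLOAD_LIMIT = 50 * 1024 * 1024   # 50 MiB in one flow

# Constructed "quiet week": a camera at .11 and a thermostat at .12 talking
# only to their vendor endpoints (documentation IP ranges).
BASELINE_CSV = """\
src,dst,proto,dport,bytes_out
192.168.20.11,203.0.113.10,tcp,443,4200
192.168.20.11,203.0.113.10,tcp,443,3900
192.168.20.12,198.51.100.7,tcp,8883,1200
192.168.20.12,198.51.100.7,tcp,8883,1100
"""

# Constructed later capture with three flows that deserve attention.
TODAY_CSV = """\
src,dst,proto,dport,bytes_out
192.168.20.11,203.0.113.10,tcp,443,4100
192.168.20.11,192.0.2.55,tcp,443,5000
192.168.20.12,198.51.100.7,tcp,8883,1300
192.168.20.12,198.51.100.7,tcp,8883,98000000
192.168.20.11,203.0.113.10,tcp,23,300
"""


def read_flows(text):
    """Parse CSV flow records into dicts with typed port and byte fields."""
    return [
        {"src": r["src"], "dst": r["dst"], "proto": r["proto"],
         "dport": int(r["dport"]), "bytes_out": int(r["bytes_out"])}
        for r in csv.DictReader(StringIO(text))
    ]


def learn_baseline(flows):
    """Per device, the (destination, port) pairs seen during the quiet period."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f["src"]].add((f["dst"], f["dport"]))
    return baseline


def detect(flows, baseline):
    """Return (src, dst, dport, reasons) for every flow that deviates."""
    findings = []
    for f in flows:
        reasons = []
        if (f["dst"], f["dport"]) not in baseline.get(f["src"], set()):
            reasons.append("new destination")
        if f["dport"] not in EXPECTED_PORTS:
            reasons.append(f"unexpected port {f['dport']}")
        if f["bytes_out"] > UPLOAD_LIMIT:
            reasons.append("large upload")
        if reasons:
            findings.append((f["src"], f["dst"], f["dport"], reasons))
    return findings


def run_sample():
    """Learn from BASELINE_CSV and check TODAY_CSV against it."""
    return detect(read_flows(TODAY_CSV), learn_baseline(read_flows(BASELINE_CSV)))


if __name__ == "__main__":
    for src, dst, dport, reasons in run_sample():
        print(f"{src} -> {dst}:{dport}  {', '.join(reasons)}")
```

A new destination is the weakest signal on its own (vendors move CDNs), so treat it as a prompt to look at the other two columns; a known device suddenly using a port outside its service set, or pushing tens of megabytes out, is what the monthly firmware check and VLAN rules above are there to catch early.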