–Check your devices for vulnerabilities. Know the manufacturer and model numbers of your network connection devices, and search the internet to see if they have been discontinued, found to be vulnerable, or otherwise compromised. If internet commentary indicates they are “unsafe” you may be able to contact your ISP and ask for an update or a replacement. If you can update the firmware to your device, make sure the firmware is up-to-date.

–Disable remote administration. Network modems and routers frequently allow remote administration from the internet, protected by a username and password. First, make sure that remote administration is disabled, unless you have a significant need for it (or really trust your ISP). Remote management is often turned off by default, but discuss remote management options with your ISP if you need them. If remote management is enabled, make sure it is protected by a username and strong password that you create. A default username and password such as “admin” and “password” should be changed, unless there is a compelling reason to leave them alone.

–Be aware of network address translation. Network address translation, (NAT) is your primary line of defense protecting your home network. NAT configures your home’s local area network (LAN) to use “private” network addresses that do not work across the internet’s public wide area network (WAN). Your computers and devices on your home network use the private addresses internally to protect against external attacks from the internet. NAT also enables a device, such as a router, to translate the private addresses to public addresses so you can communicate between your home network and the internet. ISPs generally enable NAT for home networks by default; contact your ISP if you have questions or concerns.

–Configure network firewalls. Similarly, your router’s firewall should also be enabled by default. The firewall means your router will not respond if it is probed by the internet, except when those probes match certain allowed ports, protocols, or other patterns. The firewall may also provide additional protection like filtering what protocols can connect to the internet, and allowing or blocking certain remote internet addresses.

–Check wireless networking or Wi-Fi configuration. If your devices provide you with a home Wi-Fi hotspot (most do), check that configuration as well. More on this topic in the next section.

–Do not allow remote access. Many home routers allow remote access, so you can connect to your home network while you are on travel. While powerful, these features are easy to mis-configure to allow your home network to be “wide open” to attack. Be cautious if you choose to use these features.

–Become familiar with your Wi-Fi router’s administrative console. To check to see who is accessing your Wi-Fi you need to log into the router’s administrative console. If you have not already logged into your console, you will need to get your router’s IP address.

1. For Windows, enter “cmd” in the Start menu on your desktop and then type “ipconfig” in the Command Prompt window that appears.
2. Find the listing for the “Default Gateway” IP address. Frequently, it is “192.168.0.1” or “192.168.1.1” but it may be something else entirely.
3. In your web browser, type in the address “http://<IP address>” where “<IP address>” is the address you looked up in the previous step. If that does not work, try “https://<IP address>.”
4. You should then be prompted for a username and password. Frequently, the username is “admin” and the password is “password” but that may not be the case. The username and password may be printed on a label on the router, or contained in the router’s documentation.
5. After entering your credentials, look for something like “connected devices” to see what/who is connected to your Wi-Fi router. Look at the connected devices to determine if you recognize the users or devices.
6. If you think you have unauthorized users, change the Wi-Fi password and let the authorized users know the new password so they can access your network.
7. Alternatively, you can segment the unrecognized devices away from the main network by following the online instructions.

–Check your Wi-Fi protocols. Wi-Fi protocols have held up relatively well over time, but there are revisions to those protocols to correct bugs and improve security. Check your devices (e.g., computers, tablets, smart TVs, and printers) to determine if they support the standards used by your Wi-Fi router. Use the latest Wi-Fi protocol—802.11ac—where practical. Watch out for press coverage indicating that an older protocol is “unsafe.” If an older protocol is thought to be unsafe, consider disabling that protocol. Typically, if you are experiencing “poor” Wi-Fi connectivity or performance and have a combination of both new and old devices, consider upgrading to a new router that supports the latest Wi-Fi standards.

–Enable Wi-Fi security. Configure your Wi-Fi with security and encryption enabled, and choose the strongest available encryption. Today, the current encryption is “WPA2” (Wi-Fi Protected Access 2). WPA2 has vulnerabilities that are planned to be addressed in a future “WPA3” standard. When newer security standards come out, consider upgrading to them if possible.

–Configure a strong password. Configure a strong, but easy-to-remember, password for your Wi-Fi network. Network-connected devices like game systems, home assistants, or appliances may necessitate a simpler password than you might prefer. Strike a reasonable balance and change the password periodically.

–Segment your network. If you have older devices on your network that are not very secure, vulnerable, or require a less-secure Wi-Fi network configurations, consider setting up a separate “segmented” network. Many routers can support multiple Wi-Fi networks or can allow for primary and guest networks. Putting less secure devices onto a separate Wi-Fi network can reduce your risk, without impairing their ability to operate.

–Consider what is “in range.” To hack your Wi-Fi, an attacker must be within range of your access point. Typically, this range is less than a hundred feet, but the range depends on several factors. In a residential neighborhood, your range may only extend to the edges of your property, while in an apartment building your range may extend to more than a dozen neighbors. Hackers with directional antennas may be able to connect to your Wi-Fi from a mile away.

–Watch out for secondary networks. Some home devices may generate their own Wi-Fi networks, in addition to connecting to your home network. Be careful that these devices are not providing a backdoor into your supposedly secure network. When in doubt, segment these devices away from the main network.

–Periodically check your network. Using your Wi-Fi administrative console, you should occasionally check your network to make sure has not been changed without your knowledge. Your console should have a section related to your network protocols and security settings. You should check them to make sure they are still enabled and up-to-date. You should also check with your device manufacturer for updates to its firmware or configuration settings.

–Enable guest networking. Enable guest networking on your home network. If you have insecure network-connected devices or appliances, you may want to connect them to this network, rather than your regular home network. Check the guest network configuration to make sure it is segregated from your regular home network.

–Configure a guest password. Even though it is for guests, and is supposed to be “low security,” configure a password for your guest network. The password does not have to be too high-security but should be enough to prevent casual access to the network without your knowledge or permission.

–Periodically check your guest configuration. Periodically check and reset your guest network configuration and change its password. It is okay to ask visitors to setup their devices with a new password if they only come to visit once a year.

–Retire obsolete devices. As fun as it may be to have an original Xbox on your home network, some of these older devices have been retired for some time. The older devices are no longer supported by the manufacturer and frequently have unpatched vulnerabilities that may be exploited by attackers. Retire your obsolete multimedia or gaming consoles, or at least disable their internet access.

–Keep your devices up-to-date. These devices frequently have an auto-update feature, and some of the better ones make sure they are up-to-date before they allow you to use them (although when this feature fails you may be out of luck). Make sure your devices are up-to-date, install all recommended patches, and use caution if you see media coverage of a major vulnerability.

–Be aware of what accounts are on your devices. Smart multimedia devices can frequently include more than a dozen different applications with which you can have accounts and relationships. Many of these applications are paid, while others, like e-mail, may be free. Make sure you know which accounts you have on which devices, and whether those accounts include payment information or not.

–Pay attention to online gaming. It is easy to set up an online gaming account for your kids and, before you know it, find out you have given them your credit card and free reign to charge to it. Use extreme caution when enabling payment capabilities within online games and educate your kids on your rules regarding making in-game purchases.

–Put passwords on your multimedia devices. As inconvenient as more passwords might be, if you are concerned that kids, guests, friends, or service personnel might be abusing your multimedia devices, passwords might be necessary. Use the features built in to your devices to “lock them down” so they can not be abused.

–Inventory your smart devices. Understand the smart devices in your home, and how they connect. Your solar panel system may have its own wireless connection that plugs into your home internet. Think about smart appliances you installed years ago, or your kids’ toys that are network-connected. It is important to know what in your home is “smart,” how those devices connect inside and outside your home.

–Know your device protocols. For better or for worse, there are a myriad of home IoT device protocols and interfaces. While many devices use either Wi-Fi or Bluetooth (which are well-known) these communication protocols are hardly the only protocols for IoT connectivity. Understand what protocols your devices use. If those protocols are not mainstream Wi-Fi or Bluetooth, research them to make sure they are secure enough for your purposes.

–Watch out for the cloud. Some of the most remarkable smart device capabilities, like voice recognition, rely upon sending everything you say or do to “the cloud” for analysis. This analysis then determines if you are talking to your refrigerator or gesturing to your television, and what the device should do about that behavior. While these capabilities are not entirely bad—there is nothing wrong with your television knowing when you wave at it—it may also involve invading your privacy in ways that you are not quite ready to consider. Read the fine print in your device manual and make your own decision on what is acceptable. A smart TV watching you in the living room might be okay, while the same surveillance in your bedroom might not be okay. In addition, you may also wish to disable automatic content recognition (ACR) features. These smart device features track your personal viewing activity and share it with manufacturers and advertisers, often without your knowledge or consent.

–Secure your IoT devices. If you use smart locks from one of the major manufacturers, do some research on those devices to make sure they are secure enough. If you find reputable articles indicating those devices are not safe or secure, consider replacing or upgrading them. Alternatively, if the manufacturer has released an update to improve security, install it. Understand when you embrace the “smart” home, you also incur an obligation to protect the home, as well. You must pay attention to your devices and keep them up-to-date and secure.

–Retire insecure devices. Unfortunately, “smart” devices do not have the same life cycles as their non-smart siblings or brethren. While it may be just fine to have a thirty-year-old lock on your front door (provided it has been rekeyed within the past ten years) having a decade-old smart lock is probably not a good idea. If your smart devices are no longer supported, obsolete, or just plain out-of-date, go ahead and let them go.

–Manage your IoT risks. On the one hand, the press is going to sensationalize if a researcher finds a way to defeat an internet-connected lock. On the other hand, lock pickers have dozens of ways to defeat the typical home lock’s key and tumblers, and those techniques seldom get any press coverage at all. To say nothing of breaking a window or forcing an entry. Just because your IoT is less than perfect does not mean you should throw it out—just understand the risk and consider that risk alongside the other risks in your life.

–Do your research. Companies spend millions of dollars standing up internet-facing servers, databases, and applications, yet still get hacked. If you intend to enable these services, you need to consider devices, protocols, applications, interfaces, and authentication. A single mistake could be disastrous.

–Enable security and encryption. Enable the security features built into your internet-facing services and servers. Security features include encryption capabilities like Secure Sockets Layer (SSL) or Transport Layer Security (TLS)—along with server certificates—that provide communication security over a network. Once you have turned these features on, you will need to consider protocol versions for web browsing, e-mail, and other communications; corresponding vulnerabilities; and appropriate patches to keep them up-to-date and secure on an ongoing basis.

–Require authentication. Most likely if you are enabling remote access or running your own servers, they are for a closed community and not the public at large. To enforce this access restriction, you need to set up accounts for your users and authentication for those accounts. You also need to configure your systems to protect against password attacks like rainbow tables and brute force. You may also want to consider employing advanced, multifactor authentication.

–Regularly check logs and configurations. When you are internet-facing, you will be scanned daily by attackers using advanced automated tools to try to take over your systems. While these scans themselves are not a big deal, any exploit of your system is. Periodically check your logs and your configurations to make sure your system remains secure and is only being accessed by the expected users. Check your system documentation and the internet for guidance on which logs should be checked and how to check them.