5. Be careful about who handles your devices
Hu warns that smart device owners shouldn't let unauthorized personnel touch them, especially the devices with USB ports. "If you send high voltage to a particular port on the Google Nest," he says, "it will automatically reboot from the USB. This is kind of an intentional back door provided by Google Nest, but there are different kinds of attacks similar to this one."
Watch out for scammers who offer to fix or improve your devices, or unauthorized shops that say they can repair it. "If you bring it to people you don't know who say they can fix it for you, they could compromise it," Hu says. "I don't know if there's a hacker who's done it, but we have simulated this scenario."
6. Keep an eye on your bills
Hu says to be careful if you have a smart meter and automatic bill payment set up for your energy usage. In that case, monitor your meter readings regularly and compare them to your bill when you get it. "For example, if you rent an apartment, maybe your neighbor consumes more energy than you do," he says. "They could first rewire their own meters to reduce their readings, and then hack into your meter to increase them."
If there's a discrepancy between the total for the building reported by the meters and that recorded at the utility, they'll send someone out to check. "But if the sum of your and your neighbor's meters is the same as the actual usage, from the utility side they won't observe anything," Hu says.
7. Take standard Internet precautions
"Say you have a light switch, and you're controlling it with your phone," says Creighton. "When you push the button on your phone to turn off your lights, even though you're sitting in the same room with them, the signal may not be going directly to the device. It's probably going through the Internet."
Even if you trust the provider themselves, remember that it has all the information about when you're turning lights on or when you've set your thermostat to be cold — information that could be used to build a profile about when you're home. Be aware of the risks entailed in a compromise of that server.
Similarly, smart devices often provide a Web-based method of remote access. "If so, it's best if you only turn that functionality on when you actually need it, rather than leaving it on all the time," says Creighton. For example, you might not need to monitor your house as closely when you're at work as when you're on vacation.
Furthermore, treat your connected home system like your bank's website or other sensitive portal — don't leave the remote access open on a shared computer. "Maybe you're traveling and you left your laptop at home and you're at an Internet cafe," Creighton says. "That's not a safe place to access your bank account — or your home remote control video camera." If your remote access is on your phone, make sure your phone is secured with a password and then require a second password to log into your home-security system. Needing to log in twice is an inconvenience, but it gives you two layers of security should you lose your phone.
Sign up for CIO Asia eNewsletters.