In 2019, a researcher found that LIFX smart bulbs were storing WiFi passwords without any encryption whatsoever. So by chucking one of these bulbs in the trash, you’d essentially make breaching your WiFi network as simple as dumpster-diving. It’s unclear whether or not the company has addressed this issue since then.
Even secure devices can be compromised by another device on the same network—like a Trojan horse. With multiple linked gadgets controlled by the same app, one compromised device can potentially reconfigure all of them. Someone could even grab your phone and unlock your whole house while you’re in the bathroom.
Poorly secured IoT devices can even become weapons in the wrong hands. Well-known cybersecurity expert Brian Krebs, for example, found himself fighting off a botnet in 2016 that largely consisted of cheap internet-connected cameras with poor security.
Before you buy an internet-connected device, smart or not, make sure you learn its security features, setup process, and settings. If it uses a web portal, see if that portal has an “https” prefix that marks it as secure. Also find out if the site uses Transport Layer Security, or TLS, to ensure secure communications between applications, especially if it’s sharing your personal information. Without these countermeasures, someone could hijack your data in transit.
If the gadget uses an app, research what permissions the manufacturer wants and what they do with the data they collect. Then, only download apps from first-party app stores. Apple bakes malware scans and developer background checks into its app verification process, while Google has an internal program that scans apps for malware and marks them as verified by Google Play Protect.
Source : https://www.popsci.com/smart-gadget-security/