Can smart devices be a security risk?
Smart devices are now common in homes, offices, schools, clinics, shops and shared workspaces. They can include routers, cameras, printers, smart TVs, thermostats, door entry systems, voice assistants, NAS devices, lighting systems and other equipment connected to a network.
This guide explains why these devices can become part of the security picture, how attackers may misuse poorly protected devices, and what practical steps reduce the risk without treating every device as a crisis.
Browse this guide
Use the links below to jump to the section most relevant to your question.
- What counts as a smart device?
- Why smart devices can create security risk
- What the aquarium thermostat example shows
- How compromised devices can be used in wider attacks
- Why network segmentation matters
- Practical steps to reduce risk
- What this does not mean
- Further reading
- Further Guidance and Support
What counts as a smart device?
A smart device is any device that connects to a network to send or receive data, even if its main purpose is not computing. In a home or office environment, this can include equipment that is visible to users as well as equipment managed by suppliers, facilities teams or installers.
Examples include routers, wireless access points, printers, CCTV cameras, smart TVs, thermostats, door entry systems, voice assistants, NAS devices, video recorders, lighting systems, environmental sensors and other internet-connected equipment.
The security issue is not that every connected device is unsafe. The issue is that these devices are sometimes added to networks without the same review, update planning or access control applied to laptops, servers and cloud accounts.
Why smart devices can create security risk
Many smart devices are designed to perform a narrow task. A printer prints, a camera records, a thermostat controls temperature, and a smart TV displays content. Because the visible function continues to work, it can be easy to overlook whether the device is still supported, updated, monitored or correctly separated from more sensitive systems.
A device may create risk when it uses default credentials, has outdated firmware, exposes remote access, receives no further security updates, or sits on the same network as business systems it does not need to reach.
Recent NCSC guidance highlights that compromised routers, IoT devices, smart devices, firewalls and NAS devices have been used in large-scale covert networks. Many of the vulnerable edge devices described in the advisory were end-of-life and no longer receiving security updates.
The practical lesson is simple. Connected devices should be known, maintained and placed appropriately on the network. A small device should not be ignored simply because it seems less important than a laptop or server.
What the aquarium thermostat example shows
One widely reported example involved an unnamed casino where attackers reportedly used an internet-connected thermometer in a lobby aquarium as a way into the network. The important lesson is not the fish tank itself. The lesson is that a low-profile connected device can become relevant if it is connected to the same environment as more sensitive systems.
This example is useful because it shows how risk can sit outside the obvious places. A business may focus on computers, payment systems, email accounts and firewalls, while overlooking equipment installed for facilities, monitoring, display or convenience.
The issue is often ownership. IT may manage computers and servers. Facilities may manage cameras, thermostats and access systems. Suppliers may install equipment with remote access. If no one has a full view of what is connected, small devices can fall between responsibilities.
How compromised devices can be used in wider attacks
A compromised smart device may be used in different ways depending on the environment and the attacker’s objective. It may provide a foothold, help scan other systems, relay traffic, communicate with malware, or take part in wider attacks against other organisations.
The NCSC advisory explains that covert networks can be used across several stages of malicious activity, including reconnaissance, malware delivery, command and control, and data exfiltration. This matters because traffic may appear to come from ordinary internet connected devices rather than from a clearly suspicious source.
This is one reason static blocking alone is not enough. Blocking known bad IP addresses can help, but the list of bad sources can change quickly. Better protection also depends on knowing what is connected, limiting unnecessary access, reviewing remote access, and monitoring unusual behaviour where practical.
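The "unusual behaviour" worth watching for on a segmented network is often visible in the firewall's own logs: a camera or thermostat that suddenly tries to reach many internal hosts, or that racks up policy drops it never produced before. The following is an added example, not code from the guide or from the NCSC, that runs a simple fan-out check over a constructed log sample. The log format (key=value lines), the address ranges (10.10.0.0/24 as the business VLAN, 10.20.0.0/24 as the IoT VLAN) and the thresholds are all assumptions chosen for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample in a generic key=value style, not any product's real
# format. Assumed layout: 10.10.0.0/24 is the business VLAN, 10.20.0.0/24 the
# IoT VLAN. The camera at 10.20.0.15 is the only misbehaving source; the TV
# at 10.20.0.20 talks to the recorder and a cloud service as expected.
SAMPLE_LOG = """\
2026-05-07T09:00:01 src=10.20.0.20 dst=10.20.0.5 dport=554 action=accept
2026-05-07T09:00:02 src=10.10.0.50 dst=10.10.0.4 dport=445 action=accept
2026-05-07T09:00:05 src=10.20.0.15 dst=10.10.0.1 dport=445 action=drop
2026-05-07T09:00:06 src=10.20.0.15 dst=10.10.0.2 dport=445 action=drop
2026-05-07T09:00:07 src=10.20.0.15 dst=10.10.0.3 dport=445 action=drop
2026-05-07T09:00:08 src=10.20.0.15 dst=10.10.0.4 dport=445 action=drop
2026-05-07T09:00:09 src=10.20.0.15 dst=10.10.0.5 dport=445 action=drop
2026-05-07T09:00:10 src=10.20.0.15 dst=10.10.0.6 dport=22 action=drop
2026-05-07T09:00:11 src=10.20.0.20 dst=203.0.113.10 dport=443 action=accept
2026-05-07T09:00:12 src=10.10.0.50 dst=10.10.0.4 dport=445 action=accept
2026-05-07T09:05:00 src=10.20.0.15 dst=10.10.0.7 dport=445 action=drop
"""

# Address ranges treated as "internal" for this check (assumption).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield (timestamp, src, dst, dport, action); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, action = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport), action


def find_internal_fan_out(text, threshold=5, window_seconds=60):
    """Sources that contacted at least `threshold` distinct internal hosts within
    any window of `window_seconds`. Returns {src: peak distinct destinations}."""
    events = defaultdict(list)
    for ts, src, dst, _, _ in parse_log(text):
        if is_internal(dst):
            events[src].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[start][0] > window:     # evict events older than the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def denied_by_source(text):
    """Connections dropped by the firewall policy, counted per source address."""
    return dict(Counter(src for _, src, _, _, action in parse_log(text) if action == "drop"))


if __name__ == "__main__":
    print("fan-out:", find_internal_fan_out(SAMPLE_LOG))
    print("drops:", denied_by_source(SAMPLE_LOG))
```

On the sample, the camera is the only source flagged (six distinct business hosts inside one minute; the later 09:05 attempt falls outside the window), while the TV's recorder and cloud traffic is not. The same two counters, distinct internal destinations per source and policy drops per source, are what a small firewall's alerting is typically able to expose, and a device whose numbers change from their usual baseline is the one to look at first.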
Why network segmentation matters
Network segmentation means separating devices or systems so that they do not all have the same level of access. This is especially important where a device needs internet access but does not need access to business files, servers, management portals or other trusted systems.
For example, a smart TV in a meeting room may need internet access for streaming or screen sharing, but it usually does not need access to file shares or administration systems. CCTV cameras may need to communicate with a recorder or cloud service, but they do not normally need broad access to office computers. Guest WiFi should not usually provide access to internal systems.
Segmentation does not make every risk disappear. Its purpose is to limit what a compromised or poorly configured device can reach. If one device becomes a problem, the rest of the environment should not automatically be exposed.
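One way to make the segmentation described above concrete is to write the zone policy down as a small default-deny table and render it as firewall rules. The following is an added example, not from the guide, using Python to generate an nftables forward chain for a Linux router with one VLAN per zone. The zone names, interface names (vlan10, vlan20, vlan30, wan0) and the particular flows permitted are assumptions for the illustration; DNS and NTP for the IoT zone are assumed to be served by the router itself (input chain, not shown).

```python
"""Default-deny zone policy for a small network, rendered as an nftables
forward chain. Added example; interface names and zones are assumptions."""
from dataclasses import dataclass

# Assumed VLAN interface per zone on a Linux router acting as the firewall.
ZONE_IFACE = {
    "business": "vlan10",   # laptops, file server, management portals
    "iot": "vlan20",        # cameras, recorder, smart TV, thermostat
    "guest": "vlan30",      # guest Wi-Fi
    "internet": "wan0",
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    tcp_ports: tuple = ()   # empty tuple means any port


# Flows permitted to start a connection. Anything between zones that is not
# listed here is dropped by the chain's default policy. Only HTTPS needs to
# leave the IoT zone for cloud services and firmware updates (DNS/NTP are
# assumed to be provided locally by the router).
POLICY = (
    Rule("business", "internet"),
    Rule("business", "iot"),            # staff manage cameras and the TV
    Rule("iot", "internet", (443,)),
    Rule("guest", "internet"),
)


def is_allowed(src_zone, dst_zone, tcp_port=None):
    """True if a new connection from src_zone to dst_zone would be accepted."""
    if src_zone == dst_zone:
        return True                     # same VLAN: not filtered by this chain
    return any(r.src == src_zone and r.dst == dst_zone
               and (not r.tcp_ports or tcp_port in r.tcp_ports)
               for r in POLICY)


def reachable_from(zone):
    """Zones a compromised device in `zone` could open connections to."""
    return {zone} | {r.dst for r in POLICY if r.src == zone}


def nft_ruleset(policy=POLICY):
    """Render the policy as an nftables forward chain with a drop default."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",   # replies to allowed flows
        "    ct state invalid drop",
    ]
    for r in policy:
        match = f'iifname "{ZONE_IFACE[r.src]}" oifname "{ZONE_IFACE[r.dst]}"'
        if r.tcp_ports:
            ports = ", ".join(str(p) for p in r.tcp_ports)
            match += f" tcp dport {{ {ports} }}"
        lines.append(f"    {match} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
    print("IoT blast radius:", sorted(reachable_from("iot")))
```

The `reachable_from` helper is the point of the exercise: with this policy a compromised camera can reach the internet on port 443 and nothing else, whereas on a flat network it could reach every zone. Note that `business -> iot` is allowed but `iot -> business` is not; the `established,related` rule lets replies flow back without opening the reverse direction.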
Practical steps to reduce risk
Reducing smart device risk starts with visibility. A device cannot be managed properly if no one knows it exists, who installed it, whether it is still supported, or what network access it has.
Useful steps include:
- Keep an inventory of routers, access points, printers, cameras, smart TVs, NAS devices, thermostats and other connected equipment.
- Record who owns or manages each connected device, especially where a supplier, installer or facilities contractor was involved.
- Replace unsupported or end-of-life devices where reasonable.
- Change default passwords and avoid shared administrator credentials.
- Keep firmware updated where updates are available.
- Disable unused remote access features.
- Use separate networks or VLANs where appropriate.
- Avoid placing guest, IoT and business devices on one flat network.
- Review supplier access and remove access that is no longer needed.
- Use DNS filtering and endpoint protection as part of a wider layered approach.
- Protect management portals with strong authentication where available.
- Review logs or alerts where the firewall, router or management system provides them.
These measures are not a one-time checklist. Devices change, suppliers change, firmware becomes unsupported, and business systems evolve. Smart device security should therefore be reviewed periodically as part of wider IT support and security planning.
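Because the checklist above needs repeating, it helps to keep the inventory in a form that can be re-scored on each review. The following is an added example, not part of the guide, that applies the steps above to a constructed inventory and ranks devices by how many of them are outstanding. The record fields, the review date, the 180-day firmware threshold and the weights are all assumptions chosen for the illustration; the device records are constructed, not real.

```python
from datetime import date, timedelta

AS_OF = date(2026, 5, 7)                     # constructed review date
FIRMWARE_STALE_AFTER = timedelta(days=180)   # assumed review interval

# Constructed inventory records; the field names are an assumption, not a standard.
INVENTORY = [
    {"name": "lobby-thermostat", "device_class": "iot", "owner": None,
     "zone": "business", "support_end": "2023-01-01",
     "firmware_checked": "2024-02-01", "default_password": True,
     "remote_access": True},
    {"name": "mfp-printer", "device_class": "office", "owner": "Facilities",
     "zone": "business", "support_end": "2028-06-30",
     "firmware_checked": "2026-04-15", "default_password": False,
     "remote_access": False},
    {"name": "cctv-cam-01", "device_class": "iot", "owner": "Installer (placeholder)",
     "zone": "iot", "support_end": "2027-12-31",
     "firmware_checked": "2025-09-01", "default_password": False,
     "remote_access": True},
    {"name": "meeting-room-tv", "device_class": "iot", "owner": "IT",
     "zone": "iot", "support_end": None,
     "firmware_checked": "2026-03-01", "default_password": False,
     "remote_access": False},
]


def _eol(d, today):
    return d["support_end"] is not None and date.fromisoformat(d["support_end"]) < today


def _stale_firmware(d, today):
    return today - date.fromisoformat(d["firmware_checked"]) > FIRMWARE_STALE_AFTER


# (check, weight, reason). Weights are assumed; adjust them to local priorities.
CHECKS = [
    (lambda d, t: d["default_password"], 5, "default password still set"),
    (_eol, 4, "end-of-life, no further security updates"),
    (lambda d, t: d["support_end"] is None, 2, "support status unknown"),
    (lambda d, t: not d["owner"], 3, "no recorded owner"),
    (lambda d, t: d["device_class"] == "iot" and d["zone"] == "business", 4,
     "IoT device on the business network"),
    (_stale_firmware, 2, "firmware not checked within 180 days"),
    (lambda d, t: d["remote_access"], 2, "remote access enabled, confirm still needed"),
]


def review_device(device, today=AS_OF):
    """Return (score, reasons) for one inventory record."""
    score, reasons = 0, []
    for check, weight, reason in CHECKS:
        if check(device, today):
            score += weight
            reasons.append(reason)
    return score, reasons


def review_inventory(devices, today=AS_OF):
    """Rows of (name, score, reasons), highest score first."""
    rows = [(d["name"], *review_device(d, today)) for d in devices]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for name, score, reasons in review_inventory(INVENTORY):
        print(f"{score:3d}  {name:18s} {'; '.join(reasons) or 'no findings'}")
```

On the constructed data the unowned thermostat sitting on the business VLAN comes out on top, which is the aquarium lesson restated as a number; the printer, which is supported, owned and has had its firmware reviewed, scores nothing. Recording the review date on each record is what makes the next periodic review cheap.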
What this does not mean
This does not mean every smart device is unsafe. It does not mean organisations should avoid all smart equipment. It does not mean a firewall alone solves the problem. It also does not mean a single checklist will remain complete forever.
The purpose is proportionate risk reduction. Useful smart devices can still be used, but they should be understood, updated where possible, separated where appropriate, and included in the wider security view.
Good security is layered. It depends on devices, accounts, networks, people, suppliers, monitoring and recovery planning working together over time.
Further reading
The following sources may be useful if you would like to explore the standards, terminology, and real world examples in more detail.
- NCSC: Defending against China nexus covert networks of compromised devices
- NCSC: Preventing lateral movement
- NCSC: 10 Steps to Cyber Security: Network security
- NCSC: Managing the risks from obsolete products
- Business Insider: Hackers once stole a casino’s high roller database through a thermometer in a lobby fish tank
- Cloudflare: What is the Mirai botnet?
- Palo Alto Networks Unit 42: 2020 IoT Threat Report
- Wired: Hackers remotely kill a Jeep on the highway
Further Guidance and Support
This guide forms part of a broader layered security approach. For structured guidance on security and resilience planning, see our Security and Resilience page.
For information about practical implementation and ongoing support, you can review our IT services and local IT support coverage across London, Hertfordshire, and Essex.
Author
Elías Sánchez
IT Support Consultant
Evening Computing
London, United Kingdom
This guide was prepared by Elías Sánchez with research and drafting assistance from AI tools. All technical content has been reviewed and adapted for clarity and accuracy.
Last reviewed
07 May 2026
