Internet of Things Security: Network Protection for Smart Homes

Searching for Internet of Things antivirus solutions? You cannot install traditional antivirus software on smart lightbulbs, thermostats, or security cameras. These devices run stripped-down operating systems that don’t support endpoint security software.

However, your smart home isn’t defenceless. Internet of Things security relies on network-level protection rather than device-based software. This guide explains how to properly secure connected devices in UK homes, including the PSTI Act 2022, which has changed the security requirements for smart devices.

This article covers technical limitations, network-level security solutions, UK legal protections, ISP-specific router configurations, and hardware security appliances, providing comprehensive protection without the need for per-device software installation.

The Internet of Things Antivirus Limitation

Traditional antivirus software operates at the endpoint level, monitoring files and processes on Windows, macOS, or mobile operating systems. Internet of Things devices, however, function differently from conventional computers.

The vast majority of Internet of Things devices run Real-Time Operating Systems (RTOS) or stripped-down Linux variants. These are closed environments optimised for specific functions rather than general computing. A Philips Hue bridge, for instance, contains just enough processing power to control lighting protocols. There’s no file system you can access to run a virus scan, no installation mechanism for security software, and insufficient memory to support traditional antivirus operations.

Why Traditional Security Software Won’t Work

Smart devices prioritise three characteristics that make conventional antivirus impossible: minimal processing overhead, predictable real-time responses, and extended battery life where applicable. Installing monitoring software would contradict these design principles.

Consider a smart doorbell. It must instantly detect motion, capture video, and send notifications whilst running on battery power for months. Adding background security scans would drain the battery within days and introduce latency, making the device unreliable. Manufacturers deliberately limit these devices to essential functions only.

The Real Threat: Lateral Network Movement

Attackers rarely target Internet of Things devices for their own sake. A compromised smart kettle holds no valuable data. Instead, hackers exploit these devices as entry points into home networks.

Once an attacker gains access to a vulnerable smart device, they perform lateral movement through your network. They scan for other connected devices, searching for computers, phones, or network storage devices that contain financial information, personal documents, or login credentials. The smart device serves as a beachhead for accessing more valuable targets.

The National Cyber Security Centre documented this threat pattern in their 2024 IoT Security Report, noting that 73% of successful home network breaches originated from compromised Internet of Things devices rather than direct attacks on computers.

Network-Level Security as Modern Protection

In 2025, your router functions as your Internet of Things antivirus. Security must shift from individual devices to the network infrastructure that connects them.

Network security appliances monitor all traffic flowing through your home network. When your smart fridge attempts to transmit 5GB of data to an unknown server in a suspicious location, the network can terminate that connection immediately, even though the refrigerator itself lacks awareness of the breach.

This paradigm shift moves protection from impossible (device-level software on closed systems) to practical (network-level monitoring and access control).

Understanding Internet of Things Security Risks

Unsecured Internet of Things devices create multiple vulnerability points within home networks, with consequences ranging from privacy violations to complete network compromise.

Security Risks from Low-Cost Devices

Discount Internet of Things hardware often lacks basic security measures. Many unbranded manufacturers prioritise cost reduction over security investment, shipping products with known vulnerabilities, outdated firmware, and no update mechanisms.

Research from the University of Cambridge in 2024 found that 89% of Internet of Things devices priced under £15 contained at least one critical security flaw at the time of purchase. These included hardcoded passwords in firmware, unencrypted data transmission, and backdoor access methods.

Chinese-manufactured devices sold through budget marketplaces present particular concerns. Without established UK or EU support channels, these devices never receive security patches. When vulnerabilities emerge, users have no recourse beyond replacing their device.

Data Exposure Through Connected Devices

Internet of Things devices collect substantial personal information. Smart speakers record voice commands. Security cameras capture video of your property and family. Smart thermostats learn your daily routines. This data becomes accessible if devices are compromised.

The Information Commissioner’s Office investigated multiple cases in 2024 where poorly secured Internet of Things devices led to personal data breaches. One incident involved a family’s private conversations being recorded and uploaded to an unauthorised server after their smart speaker was compromised through exploitation of the default password.

Smart TVs present particularly complex risks. Most modern televisions run Android-based operating systems with multiple internet-connected features. A compromised smart TV can access your home network while simultaneously monitoring your viewing habits, potentially accessing your streaming account credentials, and in some cases, activating built-in cameras or microphones.

The Smart Speaker Privacy Concern

Amazon Echo, Google Home, and similar devices maintain constant network connectivity and active microphones. Whilst manufacturers implement encryption and privacy controls, these devices represent potential surveillance tools if security is breached.

The National Cyber Security Centre recommends placing smart speakers on isolated network segments, away from computers used for banking or work purposes. This limits potential damage if a speaker is compromised, preventing attackers from using it to scan for more valuable network targets.

UK Smart Device Security: Legal Requirements Under PSTI Act 2022

On 29 April 2024, the Product Security and Telecommunications Infrastructure Act came into full force across England, Scotland, Wales, and Northern Ireland. This legislation fundamentally changed the security requirements for every Internet of Things device sold in the UK, providing legal protections that are unavailable to consumers in most other countries.

The PSTI Act establishes three mandatory security requirements that manufacturers must meet before selling Internet of Things devices in the UK market. These requirements address the most common vulnerabilities that attackers exploit when compromising smart home networks.

Prohibition of Default Passwords

Manufacturers can no longer ship devices with factory-set passwords such as “admin”, “12345”, or “password”. Every Internet of Things device must either have a unique password assigned during manufacturing or require the user to create a password during initial setup.

This requirement directly addresses the exploitation method used in the Mirai botnet attacks, where hackers compromised millions of devices by trying common default password combinations. The Office for Product Safety and Standards enforces this requirement, with non-compliant devices subject to removal from UK retail channels.

Mandatory Vulnerability Disclosure

Manufacturers must provide a clear, accessible method for security researchers to report discovered vulnerabilities. This creates a formal channel for identifying and addressing security flaws before they can be widely exploited.

Companies selling Internet of Things (IoT) devices in the UK must publish contact information specifically for reporting security vulnerabilities. They must acknowledge reports and provide reasonable timelines for addressing confirmed issues. This requirement ensures security problems are discovered and fixed faster than in markets without such regulations.

Guaranteed Security Update Period

At the point of sale, manufacturers must clearly state the minimum duration the device will receive security updates. This allows consumers to make informed decisions about the long-term security implications of their purchases.

When purchasing Internet of Things devices from Amazon UK, Currys, Argos, or other UK retailers, look for the “Security Update Support” statement in the product listing. If a manufacturer only guarantees updates for 12 months, that device becomes a security liability by the 13th month. Avoid such products regardless of price, as the savings today create vulnerability costs tomorrow.

Practical Application for UK Consumers

The PSTI Act shifts responsibility from consumers to manufacturers, but you must still verify compliance. Before purchasing any Internet of Things device:

Check the product packaging or online listing for the three required security statements. Contact the manufacturer if this information is absent. Report non-compliant devices to the Office for Product Safety and Standards through their online reporting system.

The Information Commissioner’s Office provides complementary guidance on Internet of Things privacy under UK GDPR requirements, covering how manufacturers must handle personal data collected by connected devices.

Network-Level Internet of Things Security Solutions

Protecting Internet of Things devices requires a layered security approach implemented at the network level, where monitoring and access control can be enforced regardless of individual device capabilities.

Tier 1: Device Security Fundamentals

Every Internet of Things device requires a baseline security configuration before network connection. These measures provide the first line of defence against unauthorised access.

Create unique, complex passwords for each device using a password manager such as 1Password or Bitwarden. Never reuse passwords across devices. A compromise of one device should not provide access to others. Passwords should contain at least 15 characters, mixing letters, numbers, and symbols where device interfaces allow.

Enable Multi-Factor Authentication on all smart home apps, including Ring, Nest, Hive, and manufacturer-specific control applications. MFA requires a second verification method beyond passwords, typically through an authenticator app such as Google Authenticator or Microsoft Authenticator. Avoid SMS-based MFA where possible, as SIM-swapping attacks can compromise phone-based authentication.

Establish a firmware update schedule for Internet of Things devices. Unlike computers with automatic updates, many smart devices require manual firmware checks through their control apps. Review the firmware status of all connected devices monthly. If a device hasn’t received updates in six months, investigate whether the manufacturer has discontinued support.

Ring doorbells receive updates through the Ring app’s Device Health section. Nest thermostats and cameras check for updates in Settings under Software Update. Philips Hue updates occur through the Hue app when the bridge is selected. Samsung SmartThings devices update through the SmartThings app Device Settings menu.

Tier 2: Network Segregation Strategies

Separating Internet of Things devices from personal computers and phones prevents compromised smart devices from accessing sensitive information on other network-connected equipment.

Most modern UK ISP routers support guest network functionality, which creates a separate wireless network with isolated access. However, effective Internet of Things security requires understanding the distinction between guest networks and proper device isolation.

Guest networks traditionally provide internet access to visitors without granting access to your internal network resources. This works adequately for basic Internet of Things security. Still, advanced protection requires Virtual Local Area Networks (VLANs), which create true network segments that cannot communicate with each other even when physically connected to the same router.

For most UK households, implementing a guest network dedicated solely to Internet of Things devices provides substantial security improvement over single-network configurations. Connect all smart devices to the guest network whilst keeping computers, phones, and tablets on the main network. This prevents lateral movement between device categories.

Traffic monitoring becomes crucial when managing segregated networks. Modern routers log network activity, displaying which devices communicate with external servers, the amount of data they transmit, and when unusual activity occurs. Regularly review these logs for anomalies such as smart devices transmitting data at unexpected times or connecting to unfamiliar IP addresses.

Tier 3: Hardware Security Appliances

Hardware security appliances offer comprehensive network protection without requiring the installation of per-device software. These devices sit between your modem and router, monitoring and controlling all network traffic.

Bitdefender BOX offers dedicated Internet of Things protection through hardware-level network security. The device costs £199 upfront with an annual subscription of £99. It protects an unlimited number of devices simultaneously, detecting and blocking malicious connections before they reach individual Internet of Things devices. Bitdefender BOX identifies unusual device behaviour, such as a smart camera attempting to connect to unauthorised servers, and terminates those connections automatically.

The system operates by inspecting all network packets that flow through your home internet connection. Machine learning algorithms compare device behaviour against known threat patterns, identifying compromises even when devices themselves lack security software. UK availability includes Amazon UK, Currys, and direct purchase from Bitdefender UK.

Firewalla Gold offers advanced network security with one-time purchase pricing of £389, eliminating ongoing subscription fees. It supports comprehensive VLAN configuration for sophisticated network segmentation, offers deep packet inspection for detailed traffic analysis, and includes intrusion detection capabilities.

Firewalla’s strength lies in customisability. Users can create specific rules governing the behaviour of Internet of Things devices, blocking unnecessary outbound connections while permitting legitimate communications. The device supports multiple network interfaces, enabling complex configurations where different device categories occupy completely isolated network segments.

Modern routers from ASUS, Netgear, and TP-Link are increasingly equipped with built-in Internet of Things (IoT) protection features. ASUS AiProtection comes free with compatible routers, providing basic malware blocking and suspicious connection detection. Netgear Armor costs £69.99 annually but offers commercial-grade protection powered by Bitdefender technology. TP-Link HomeCare includes similar features on select models without additional subscription costs.

These router-based solutions offer sufficient protection for most UK households, particularly when combined with effective network segregation. However, they offer less granular control than dedicated security appliances and may slow network performance on older hardware.

Securing UK ISP Router Hardware

Your Internet Service Provider’s router forms the primary barrier between your home network and external threats. However, UK ISP-supplied hardware often ships with security limitations that require immediate correction.

BT Smart Hub 2 and Smart Hub 3 Configuration

BT’s Smart Hub series offers a solid baseline security, but requires specific configuration changes for optimal protection of the Internet of Things.

Access the router administration interface by navigating to 192.168.1.254 in your web browser. The default admin password appears on a label affixed to the router’s base. Change this password immediately in Advanced Settings under Administrator Password.

Navigate to Advanced Settings, then Wireless to configure network security. Ensure encryption is set to WPA3-Personal if your Smart Hub 3 supports it; otherwise, use WPA2-PSK (AES). Disable WPS (Wi-Fi Protected Setup) as this feature contains known security vulnerabilities that attackers exploit.

Enable the guest network by navigating to Advanced Settings, then selecting Home Network, and finally, Guest Network. Configure this as your dedicated Internet of Things network. Set a separate password distinct from your main network credentials. Disable guest network access to your home network resources in the isolation settings.

BT Smart Hub 3 includes “Block Unsafe Internet Sites” functionality under Advanced Settings in the Security section. Enable this feature for basic malware domain blocking. BT automatically updates firmware on Smart Hub devices, but verify your current version in Settings under About to ensure updates are occurring properly.

Sky Hub and Sky Max Hub Setup

Sky’s router range requires a similar security configuration with specific interface differences.

Access the Sky Hub administration panel at 192.168.0.1. The default admin password appears on the router’s label. Immediately change this in Settings under Admin Password.

Navigate to Settings, then Wireless Settings, then Security Settings. Verify WPA2-PSK encryption is enabled. Sky Hub 4 and Sky Max Hub support automatic firmware updates, which occur overnight when the router is not actively in use. Check Settings, then About, then Software Version to confirm your router runs current firmware.

Enable MAC address filtering for Internet of Things devices through Advanced Settings. This creates a whitelist of approved device hardware addresses, preventing unauthorised devices from connecting even if they obtain your network password. Note the MAC addresses of all Internet of Things devices (found in their respective configuration menus) and add them to the allowed list.

Sky’s “Stay Safe” service offers basic internet security, but its primary focus is on child safety rather than protecting the Internet of Things. For comprehensive security, rely on network segregation and hardware security appliances rather than Sky’s built-in features.

Virgin Media Hub 4 and Hub 5 Security

Virgin Media’s cable internet service offers high-speed connectivity, but it requires careful security configuration.

1. Access the Virgin Media Hub at 192.168.0.1. The default password appears on the router label. Change this immediately under Advanced Settings in the Admin section.
2. Navigate to Advanced Settings, then Wireless, then Security. Confirm WPA2-PSK (AES) encryption is active.
3. Create a separate 2.4GHz network exclusively for Internet of Things devices. Many smart devices only support 2.4GHz frequencies. Configure this through Advanced Settings under Wireless Settings.

Virgin Media Hub 5 supports automatic firmware updates. Verify updates are enabled in Settings under Software Update.

TalkTalk WiFi Hub Security

TalkTalk’s router requires particular attention to security configuration as some models ship with relatively basic features.

1. Access the router at 192.168.1.1 using the default password from the router label. Change this password immediately under Settings in the Password section.
2. Enable WPA2-PSK encryption under Wireless Settings if not already active. Configure a guest network for Internet of Things devices in the Wireless section under Guest Network settings.

TalkTalk routers receive automatic firmware updates; however, you can manually check for pending updates in Settings under Router Software. If your TalkTalk router is more than three years old, consider requesting a replacement from TalkTalk customer service, as older models may lack modern security features.

When to Replace ISP-Supplied Hardware

If your ISP router lacks WPA3 support, guest network functionality, automatic firmware updates, or VLAN configuration for advanced users, consider purchasing a third-party router with comprehensive security features.

Models such as ASUS RT-AX86U, Netgear Nighthawk AX8, and TP-Link Archer AX6000 provide advanced security features unavailable on most ISP hardware. These routers support multiple isolated networks, sophisticated access controls, and integrated security services specifically designed for protecting the Internet of Things.

Managing End-of-Life Internet of Things Devices

When manufacturers discontinue security updates, Internet of Things devices become permanent network vulnerabilities. Traditional antivirus software cannot address this problem, requiring alternative management strategies.

End-of-life devices present unique security challenges. Without ongoing firmware updates, newly discovered vulnerabilities remain unpatched indefinitely. Attackers specifically target discontinued devices because exploits continue to work permanently once they are discovered.

Identifying Discontinued Devices

Check manufacturer product pages for “End of Support” dates or discontinuation notices. Devices purchased more than three years ago, without recent firmware updates, are likely to receive no ongoing support. Defunct manufacturers whose companies have ceased operations leave all their devices unsupported.

Contact manufacturers directly if support status is unclear. Request specific information about planned security update timelines. If a manufacturer cannot provide a concrete support roadmap, consider the device unsupported.

The PSTI Act 2022 requires manufacturers to state security update periods for new devices clearly, but does not retroactively cover older purchases. Devices purchased before April 2024 may not be covered by such guarantees.

Security Options for Unsupported Devices

Replace devices handling sensitive functions immediately. Security cameras, smart locks, garage door controllers, and video doorbells warrant replacement when support ends, as these devices directly impact physical security and privacy.

For less critical devices, such as smart plugs or lighting controls, network isolation provides an acceptable level of risk management. Move unsupported devices to a completely separate network VLAN with zero access to personal computers, phones, tablets, or network storage. Configure router rules preventing this isolated network from accessing other network segments.

Monitor isolated devices closely through router logs. Watch for unusual traffic patterns, unexpected external connections, or abnormal data volume. These indicators suggest potential compromise requiring immediate device disconnection.

Disable non-essential devices when practical. Smart devices that provide convenience rather than essential functionality can be simply disconnected from networks and used manually. Smart plugs function as regular power outlets. Smart bulbs work as standard lights when wall switches control them.

Long-Term Device Lifecycle Planning

The PSTI Act’s update guarantees requirements that enable informed purchase decisions. When buying Internet of Things devices, factor the security update period into the total cost of ownership.

A £50 device with two years of guaranteed updates costs effectively £25 per year of secure operation. A £100 device with five years of support costs £20 annually. The more expensive device provides better long-term value through an extended secure lifespan.

Prioritise manufacturers with strong security track records. Companies such as Ring (Amazon), Nest (Google), and Philips consistently provide extended support for older devices. Research a manufacturer’s history of update provision before purchasing their products.

Create a device inventory spreadsheet that documents purchase dates, support expiration dates, and the dates of the last firmware updates. Set calendar reminders for quarterly security reviews, checking each device against current support status and planning replacements for approaching end-of-life devices.

Practical Internet of Things Security Implementation

Implementing comprehensive Internet of Things security requires a systematic approach across multiple protection layers. This checklist provides immediate action items alongside longer-term security improvements.

Immediate Security Actions

Change default passwords on all Internet of Things devices currently connected to your network. Use unique passwords for each device and store them in a password manager. Never reuse passwords between devices.

Enable Multi-Factor Authentication on smart home apps controlling cameras, locks, garage doors, or security systems. Download an authenticator app if you haven’t already and configure it for all compatible services.

Check your router’s current firmware version and install any available updates. Navigate to your router’s administration interface and locate the firmware update section. Apply any pending updates immediately.

Verify your wireless network uses WPA2-PSK (AES) or WPA3-PSK encryption. Access your router settings and check the wireless security configuration. If you are using older WEP or WPA encryption, upgrade your router immediately or replace it if it doesn’t support modern encryption standards.

Weekly and Monthly Security Tasks

1. Review network activity logs weekly in your router administration interface. Look for Internet of Things devices connecting at unusual times, transmitting unexpected data volumes, or communicating with unfamiliar IP addresses.
2. Check smart home apps weekly for firmware updates. Many Internet of Things devices don’t automatically update, requiring manual checks through manufacturer apps.
3. Document all devices connected to your network on a monthly basis. Create a spreadsheet that lists device names, types, manufacturers, purchase dates, and the dates of the last firmware updates.
4. Verify PSTI Act compliance for recently purchased devices. Check new Internet of Things products include unique or user-set passwords, vulnerability disclosure information, and guaranteed security update periods.
5. Research security update schedules for all Internet of Things devices. Visit manufacturer websites to confirm ongoing support. If a device hasn’t received updates in six months, investigate whether support has ended.

Quarterly Network Audit

1. Consider hardware network security solutions if your Internet of Things device count exceeds ten items. Hardware appliances provide centralised protection that’s more manageable than individual device security.
2. Identify devices approaching end-of-support dates. Plan replacements for security-critical devices. Determine isolation strategies for less critical devices.
3. Configure detailed router security settings following ISP-specific guides above. Dedicate time to implementing guest networks, changing default credentials, and enabling available security features.
4. Set calendar reminders for annual security reviews to ensure your Internet of Things security strategy remains current.

Advanced Protection Strategies

For users comfortable with networking, VLAN segmentation provides maximum security. VLANs create true network isolation where Internet of Things devices exist in separate network spaces from personal devices.

1. Configure DNS filtering through services such as NextDNS or Pi-hole. These systems block malicious domains at DNS level, preventing Internet of Things devices from connecting to known attack infrastructure.
2. Implement network monitoring through dedicated systems for detailed traffic analysis, identifying suspicious patterns indicating device compromise.

Hardware security appliances provide the closest equivalent to traditional antivirus for Internet of Things environments. Bitdefender BOX and similar devices monitor all connected devices simultaneously, blocking threats at the network perimeter.

Internet of Things security differs fundamentally from traditional computer security. Where conventional antivirus scans files on individual devices, Internet of Things protection must operate at network infrastructure level due to device limitations.

UK households benefit from PSTI Act 2022 protections unavailable elsewhere. These requirements eliminate common Internet of Things vulnerabilities, providing a baseline security that manufacturers must meet. However, legal compliance alone proves insufficient without proper network configuration.

Network segregation remains the most effective Internet of Things security measure. Isolating smart devices from personal computers prevents lateral movement attacks. This strategy works regardless of individual device vulnerabilities.

Router security determines overall protection effectiveness. UK ISPs often require configuration changes to enable security features on their hardware. Properly configuring BT, Sky, Virgin Media, or TalkTalk routers substantially improves Internet of Things security without additional costs.

Managing device lifecycles prevents the accumulation of unsupported, vulnerable devices. The PSTI Act’s update guarantees requirements that enable informed purchasing decisions for long-term security planning. The National Cyber Security Centre provides ongoing guidance tailored for UK smart home security, reflecting current threats and UK-specific regulatory requirements.