Just about every electronic device now has some kind of internet connection. So it’s not a stretch to predict that the so-called “internet of things,” or IoT, will take up a significant amount of space on Santa’s sleigh this year.

These items include connected thermostats, smart speakers, web cameras, fitness trackers, and lots of kids’ toys. And their popularity keeps growing. The market research firm IDC projects that global consumer IoT spending will rise to $62 billion in 2018, representing a 21 percent jump from $51 billion in 2017.

More on digital privacy

But security experts warn that there’s little oversight of what data these products can collect—or how it’s traded to marketers and protected from hackers. Before you connect new devices to your home network, experts say it’s important to understand the trade-offs, and how to stay safe.

“We’re still in the wild, wild west,” says John Dickson, a principal at Denim Group, a cybersecurity company in San Antonio. “And what we’re going to see over the holidays is the proliferation of devices that we have very little control over.”

Consumer Info Is Scarce

Connected devices often ask users to input personal information, such as their name, age, gender, email address, home address, phone number, and social media accounts.

That information can be very valuable to hackers, warns Michael Kaiser, executive director of the National Cyber Security Alliance. “It’s time for consumers to get educated and to understand not only the benefits of these devices, but also the risks,” he says.

But when it comes to specific products, it can be difficult or impossible to get detailed information, according to Darren Guccione, CEO and co-founder of Keeper Security, a cybersecurity company that specializes in password management.

“You want to make sure that a toy doesn’t light on fire when you play with it,” he says, “but what about making sure your digital life isn’t destroyed when you connect something to the internet?” 

Consumer Reports is working with several partners to develop digital standards that could help consumers judge which internet of things products are safest. For now, Kaiser says, it makes sense to search online for reports of security problems with any device you’re thinking of buying.

Set a Good Password

Connected devices can become an entry point into your home network if they're hacked, Guccione says. Once hackers have access to the network, they may be able to access important devices such as laptops holding financial information.

To improve safety, make sure to set a password that can’t be easily cracked by hackers—even for seemingly low-risk devices such as talking dolls and toy robots. And never continue using a default password that came with a device.

When choosing a password, Guccione says, the more characters, the better. Enable multifactor authentication, which requires users to enter a second form of identification, such as a code sent by text to a smartphone, in order to access any account.

And last, resist the temptation to reuse your internet of things passwords (or any password) for multiple accounts. Passwords stolen in corporate data breaches can eventually be used by criminals trying to log onto other accounts. Keeping a unique password for every account can help you limit the risk. (Password managers can make this easier.)

It's also extremely important for IoT users to secure their routers, setting strong passwords and making sure that security updates are installed right away, Kaiser says. 

Be Cautious of Connected Toys

Security experts we interviewed recommend that parents use added caution when buying connected toys for their kids.  

Dickson points to an FBI alert from July that notes that such toys “could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.”

One concern, Dickson says, is that the companies making inexpensive toys with WiFi or Bluetooth connections may not have the budgets or expertise to build in the kind of security you’d find in a thermostat or smart speaker from a major tech company. The toy hacking reported so far has been in lab settings, not out in people’s homes. "I'm not optimistic," Dickson says. "I think something disastrous is going to have to happen before the toy industry does something about this."

The Toy Association, a not-for-profit group representing the industry, said in an emailed statement that its members are "committed to considering the privacy and security aspects of all online technologies offered to kids," adding that it works to educate toymakers and consumers about children's privacy and digital security.

Security experts say parents should also consider the privacy implications of sharing data with makers of toys and other products. That makes particular sense for parents who are careful to not share information about their kids on social media sites and elsewhere. Remember, if a toy knows your child’s nickname, the company that made it probably does, too.

When it comes to children, some privacy protections are already in place. The Children’s Online Privacy Protection Act (COPPA) requires companies to get the consent of parents before collecting the personal information of children under the age of 13. The law bars companies from sharing the information with other companies in most situations. The Federal Trade Commission can take action against companies that don’t comply. 

And Don't Neglect Other IoT Products

Connected products, from smart speakers to internet-connected locks, can be fun and convenient. But security experts urge consumers to consider the potential privacy and security risks, along with the benefits, before laying down money for one.

Dickson says that while shopping recently, he stumbled upon an internet-connected device that would allow him to control his Christmas lights through an app. Appealing? Sort of. But he decided against buying it because the old-fashioned timers he bought at a home-improvement store years ago were still working just fine—and he didn’t want to introduce a marginally useful IoT item to his home network.

“I’m afraid people are just going to buy stuff because it’s cool,” he says. “It’ll make its way into a home and create a higher level of exposure for a family without solving a problem.”