There Is a Creepy Side to Those 'Smart' Toys and Appliances On Your Gift List
Seemingly innocuous "connected" gifts including teddy bears and vacuum cleaners give hackers a cyber-open door to you home.
As holiday shoppers attempt to "wow" their friends, families and coworkers with the top presents of the season -- think Amazon Echos, smart TVs and internet-enabled toys -- they could be inadvertently exposing their giftees to a world of cybersecurity pain. Unfortunately, hackers looking to expand their attacks beyond networks and emails have set their sights on devices that are connected to our home networks.
Despite the recent security issues with IoT devices (i.e. smart teddy bear flaw), a recent survey found that 65 percent of millennials are unaware of IoT risks and the same percentage don't take this type of security seriously. However, with stockings already being hung by the chimney with care, it's important to raise awareness about the types of threats plaguing these devices. Before making those final purchases, let's explore which popular items are most at-risk and ways in which owners can secure their new toys.
Ho-Ho-Hold the Phone -- Consider These Potential Risks
The newest, hottest devices are obviously high on holiday wish lists, and for good reason! Many of them are not only fun additions to the home, but also add a significant convenience factor when it comes to day-to-day activities like switching lights on and off, controlling music, locking doors and entertaining children. However, before bringing these items into the home, it's important for consumers to weigh the pros and cons.
One of the biggest risks associated with installing IoT devices revolves around the loss of privacy. As IoT evolves, devices that have video cameras in them should be avoided at all costs. We've seen vulnerabilities appear within connected cameras time and time again -- see examples here and here. While using IoT cameras externally for security purposes makes sense, bringing them into the home can be, and has been, an issue.
Besides security cameras, we are seeing video capabilities in TVs, toys and even appliances such as vacuum cleaners. Before purchasing and gifting these items, shoppers need to think long and hard about the potential implications.
So, Which Devices are on Santa's Naughty List?
Over the last year, there have been a number of toys designed for children that pose serious risks -- the Cayla doll is a prime example. Unfortunately, as manufacturers continue to develop and release connected toys, security is not always top of mind when installing components like remote audio and/or video capabilities. Combined with the fact that children can easily be preyed-upon, shoppers should take great caution when selecting any internet-embedded technology device for a child.
From a connected home perspective, smart speakers are a perfect example of a risky addition to the household. While these items will be all the rage this year, it's important to evaluate the security implications. We saw just last month the BlueBorne vulnerability that left prominent devices within this category vulnerable to hackers via just a Bluetooth connection -- through this, malicious actors could feed smart speaker owners false information (i.e. traffic reports and inaccurate schedules) and even spy on victims. And the scariest part? If a hacker gained control of the connected device, they could potentially spread to other networked devices or eavesdrop on network traffic communication.
Additionally, smart systems that are used to control door locks and garage-door openers are being exposed by hackers. Apple's HomeKit is the most recent example. As usual though, Apple was able to fix the issue quickly via a server-side patch.
Does This Mean IoT Devices Should be Taken Off Our Wish Lists?
Let's be realistic -- the entire holiday shopping population isn't going to abandon purchasing IoT devices as gifts due to the chance that they might be hacked. And, to be honest, a number of items still make great gifts -- for example, ones that add convenience and entertainment like automation for lighting and switched outlets.
With that said, consumers still need to do their due diligence for securing these items and be especially cautious with devices that contain video cameras. A few questions to ask before purchasing an IoT device include:
Who is the manufacturer? Is it someone reputable, or a suspicious knock-off that may save you a few bucks? Look for products issued by companies like Amazon, Apple, Bose and Google this holiday season. Many of these companies -- like Amazon and Google -- have patching solutions already in place, so in the event that a vulnerability does arise, they can quickly mitigate the issue. It may cost more up-front, but the savings from a potential security breach are greater by leaps and bounds.
What are the known vulnerabilities? Before completing your purchase, do a quick search to see if any security vulnerabilities have been discovered previously in your gift. Is the first Google search result on that product you've been eyeing a vulnerability exploit/issue? If so, you might want to stay away from that one and consider another gift.
Will the device update automatically? Ensuring that the latest firmware is installed on any internet-connected device is of utmost important. Old firmware equals new entry points for malicious actors. One of the easiest ways to ensure this is the case is to buy devices that update automatically and don't require manual firmware installations.
IoT is Coming to Town
Whether we like it or not, these devices are in our homes. Fear not, though, if you've already purchased and wrapped these gifts for your loved ones and coworkers. Give the gift of security this year and pass along these helpful tips with your connected purchase:
Use the tech as it was intended: Make sure the device is deployed properly and used the way it was designed. Follow installation directions completely and double check that the latest firmware is installed.
Change default password: Never stick with what's given! Also, when selecting a new password, follow the same procedures you would when selecting one for your online bank account. Don't use any of your personal information -- that includes Fido's name -- and avoid passwords that contain words/phrases that can be associated with you, your business and/or personal life. In addition, don't reuse passwords across multiple devices/accounts.
We have enough to worry about this holiday season with 10s of family members running around the house fueled by eggnog and candy. Don't let cybersecurity add yet another thing to your checklist. Follow these simple IoT security tips to ensure a carefree holiday for you and your loved ones.