Internet of Things Security
As Christmas is fast approaching, Internet of Things security should be an item of concern when purchasing Christmas gifts for family and friends. Being a security-minded person myself, I have a certain level of healthy paranoia in protecting friends and family from Internet of Things (IoT) gifts. The phenomenon called the Internet of Things, or the larger connectivity of objects over the internet, has led to an unprecedented level of interaction and information passed between interconnected devices. Anything with an IP address can now talk to us, and talk to other devices with an IP address. And with holiday shopping shifting into full gear, we are filling our carts and our wish lists with a vast array of super-connected IoT devices.
We are currently in a perfect storm of connected devices, low-cost bandwidth, and powerful processing, which makes the concept of smart, interconnected devices for consumer convenience the wave of the future. Smart home products and the larger family of IoT devices promise a wealth of new capabilities and features, from controlling home temperatures on a phone to allowing access to a property remotely, and now IoT-connected toys for the kids. And IoT devices are exploding in popularity.
More than one in five households already use mobile devices or apps to remotely access or control devices within the home, according to the U.S. National Cyber Security Alliance. That percentage is set to grow dramatically around the world. It is estimated that 50 million connected devices will be sold over the holidays this year. This includes items like smart televisions, fitness devices such as Fitbit, security systems, appliances, thermostats, and a vast array of kids' toys. Each of the 50 million devices provides an opportunity for a hacker to compromise the data and the home network and abuse the privacy of those running those devices.
This holiday season, in the first of what most likely will become a trend, consumers were informed of IoT toys that have been hacked. On Black Friday, news stories indicated that a hacker had broken into the servers of Chinese toymaker VTech and lifted the personal information of nearly five million parents and more than 200,000 children. The data haul included home addresses, names, birth dates, email addresses, and passwords. The data stolen also included photographs and chat logs of parents with their children. Then on Dec. 4, Bluebox Security discovered serious vulnerabilities in Mattel’s Hello Barbie, the Internet-connected version of the iconic doll toy. Security experts have reported that the Hello Barbie app connects to any Wi-Fi hub with “Barbie” in the name, so malicious hackers could spoof the doll, connect to the phone and gain access to the data stored by the Hello Barbie app. Also, while the data passed between server, doll and app uses certificate-based encryption, the methods used by ToyTalk are not secure. For example, all Hello Barbie doll apps reportedly use the same hard-coded password to verify the certificate. It is entirely possible that the majority of Internet-connected toys have serious vulnerabilities.
Protecting children from hack attacks is exceptionally important. They are vulnerable and innocent. And that makes them emotionally charged targets for cyber-extortion attacks. Imagine if a truly evil hacker had accessed the VTech systems and intercepted communications or captured images from the cameras. Parents could easily have faced extortion through threats to harm their kids. And many would have paid. Last year, a man hacked into a baby monitor in a home in Cincinnati, Ohio, and started screaming “Wake up baby!” at a 10-month-old girl. The parents, understandably, felt violated.
The following is a checklist of recommendations for consumers before and after they’ve picked up IoT devices over the holidays:
- Secure Your Home Network: The first step consumers should take to prevent security problems, experts say, is to ensure their Wi-Fi routers are secure. Strong passwords are a given and users should ensure the firmware, the permanent software that powers gadgets, is routinely updated with the latest security patches. Users are going to have to start being mindful of their gateway to the internet if they’re going to connect everything in their home to it. Weakly protected devices can act as Trojan horses that allow criminals access to other gadgets in the home or even users’ identities and financial accounts.
- Connect products with wired connections: Smart TVs are now capable of connecting to consumers’ home networks. I recommend that devices such as smart TVs be connected directly through a wired connection. Some routers also support a guest network; this would be preferable to connecting to the home private network. These devices should be guarded by a firewall, and remote access should probably be disabled when not needed. But the key is to harden permissions settings for data collection and sharing policies with third parties.
- Make sure the product is returnable: Since it’s difficult to determine how good a device’s security is before actually purchasing it, it is recommended that consumers check out the device’s warranty and support policies to make sure the manufacturer actually patches its products. The consumer should also confirm that they will be able to return the device for a refund after they’ve opened the box and realized that it doesn’t offer enough security for their needs.
- Register Product: I know that it is difficult to convince people to register their products. But users should register their products to ensure that the manufacturer can contact them if software updates are available for the product.
- Use a P.O. Box for billing and delivery addresses: Many toys enable the consumer to buy additional features, content, services or add-on products. When consumers pay with a credit card, they are required to provide a billing address and a delivery address, which are both usually their home address. That information is usually lumped in with the personal data the company stores about the consumer and their child. Where children are concerned, the home address is the single most dangerous bit of personal information. Therefore, if at all possible, use a P.O. Box for any registration or contact information where a home address is not required.
- Stick with the well-known Toy Companies: The larger toy companies are more inclined to address security issues with the products they sell. Mattel and ToyTalk have reportedly been very responsive to reports of security vulnerabilities and have rapidly addressed many or all of them. Smaller toy companies may not have the expertise or finances to address security issues that are identified.
- Download updates directly from the Manufacturer’s official site: Whenever possible, all updates should be downloaded from the manufacturer’s official site. This minimizes the possibility that the update has been tampered with to include malware, which could compromise the home network.
- Disable Microphones and Cameras when not in use: Many IoT devices have microphones and cameras which can be used by hackers to collect sensitive data without the consumer realizing it. I recommend disabling these features on those devices when not in use. It may even be best to remove the camera or flip it to face a wall if it is not used regularly.
Smart and connected toys and devices can be great for kids and adults, but only if they protect the privacy of both adults and children. Smart and connected toys are no different from any other consumer electronics gadget, in theory. The difference is that toy companies may be less likely to obsess over security than companies where technology is the main business. The parents and children who buy or use these toys tend to be thinking of the benefits of technology features without ever considering the risks. IoT devices such as smart televisions, appliances, and Fitbits need to be configured securely to protect against unauthorized access to the home network. It is the parents’ responsibility to know the risk, understand the technology involved, and protect both their home network and their kids from the security risks related to the Internet of Things. Hopefully this blog post gets you thinking about IoT security as you enjoy the holiday season with your family and your new IoT devices.