Living in a world where breaches have become the third certainty in life can be a real bear, especially for those who can’t live without owning the newest, most connected Internet of Things product or device.
Unfortunately, if you’re the type of consumer that buys, opens, and connects without replacing the manufacturer’s default password on your shiny, new IoT device with a long and strong one, you may find yourself wishing you had never bought that wizbang. Failure to properly secure an IoT device can jeopardize your privacy and enable hackers to claw their way into your home or your business, even imperil our national security.
Before you read anything else: hear me.
Do your homework when buying and using Internet of Things devices! Never impulse buy things and run home to connect them to the Internet without first checking out the manufacturer. If they don’t say how they protect your data from intrusions on your privacy, don’t let their product go online — or if you decide to roll the dice, be ready for your life to get turned inside out.
This week brings yet another entry into the annals of IoT face-palm moments: This time on the part of a toy company, where sloppy information security practices exposed the personal information of more than 800,000 customers, leaking more than 2 million recordings of household conversations, many of them featuring kids.
According to security expert Troy Hunt, "CloudPets left their database exposed publicly to the web without so much as a password to protect it."
The pets are a very cool idea. They are designed so that any authorized user can leave voice messages, which are stored on the animals and can be played when a child interacts with them.
The exposed data included information about the children who received the toys as gifts, including passwords and email addresses, the names of children, their birthdays (minus the year), and their relationship to authorized users (sibling, parents, cousin, grandparents and the like). Additionally, anyone who knew where to look could replay messages left for specific children.
Hunt reached out to Cloud Pets to alert them to the problem, and they did nothing about it.
Before you put on your best OMG-ish face of WTF, know that it’s not uncommon for companies that offer IoT products to scrimp on the security side of things. Your only true recourse: always assume the worst.
I’ve written elsewhere about the threats to national security posed by improperly secured IoT devices, and that’s still the case. However, what I want to emphasize here is the importance of keeping your guard up as you wade into the world of IoT, which in one way or another has become a large part of our lives.
Here is a checklist you should bear in mind whenever you acquire a new connectable.
1.) Must it be connected to the internet? While routers and webcams need to be connected, webcams don’t need to be connected when not in use. It’s important to weigh an unused convenience against a known liability. If something doesn’t need to be connected, don’t connect it.
2.) Where possible, customize all default settings. While it’s true that your device can be hacked by other means, this does not give you, as a user, license to be sloppy. Your goal here is to eliminate vulnerabilities and constantly strive to reduce your attackable surface.
3.) Make sure the firmware is up to date. If you’re going to connect a device to the internet, do not ignore the requests it makes to update the firmware it runs on, this is crucial to the device’s security.
4.) Universal Plug and Play, or UPnP, is a set of networking protocols that enables devices on the same network to find each other. Unfortunately, it also allows malicious scripts to hack your devices so that a printer does double duty — moonlighting in a botnet used to spew spam or to be a soldier in the robot army used in a DDoS attack. Turn it off.
5.) Not all cloud services are created equally. Do your homework and make sure that the service you’re using is contracting with a reputable cloud provider.
6.) Set up a separate WiFi guest account for IoT devices, one that is not shared by other devices that need to be networked, like your computer, smartphone, printers and the like.
7.) Use your head. The more time you spend actually thinking about the various ways in which you are exposed to hackers, hopefully the more careful you’ll be about how you conduct yourself in the networked world we all inhabit.
The best way to avoid getting got by your IoT devices is, of course, not to connect them to the internet. Since that’s not a practical solution, spend the requisite time to make yourself a harder target.
Adam K. Levin is a consumer advocate with more than 30 years of experience and is a nationally recognized expert on security, privacy, identity theft, fraud, and personal finance. A former Director of the New Jersey Division of Consumer Affairs, Levin is chairman and founder of CyberScout and co-founder of Credit.com. Levin is the author of Amazon Best Seller "Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves." Read more of his reports — Go Here Now.