Privacy Tip #219 – Holiday Shopping Tip for Internet-Connected Gifts
Holiday shopping is in full gear and everything seems to be an Internet of Things (IoT) device. It continues to amaze me how folks will buy IoT gadgets and plop them in their homes and have no idea that they include a speaker or camera, recording every move and word, or that they pose a security risk to the family.
And don’t just take my word for it. Two warnings were issued this week to that you should pay attention to—one from the Federal Bureau of Investigation (FBI) and one from the Federal Trade Commission (FTC)—both agencies that seek to protect consumers.
The FBI issued a warning on “drive-by hacking” of IoT devices, stating that “hackers can use those innocent devices to do a virtual drive-by of your digital life.” This happens when consumers don’t secure the devices when they set them up in their homes. According to the FBI, “Unsecured devices can allow hackers a path into your router, giving the bad guy access to everything else on your home network that you thought was secure. Are private pictures and passwords safely stored on your computer? Don’t be so sure.”
According to the FBI, when people set up IoT devices in their home or download the app from the manufacturer to set up the device, they click through all the set-up screens, giving the app permissions, but then fail to secure the device. In the excitement of getting the new gadget up and running, security is forgotten, and data are being sent and received through the device without protecting the data. Hackers know how excited we are with new toys, and take advantage of the excitement by hacking into our lives. Security experts are urging individuals to:
Change default passwords on all new devices.
Check permissions granted with the mobile apps of these devices to see if they are operating in the background, and limit access to location or other unnecessary access.
Apply auto-updates when you can so they use the latest firmware.
Keep a list of devices connected to your Wi-Fi and disconnect devices you don’t use or don’t need.
Separate IoT devices on your home network—according to the FBI—“your fridge and your laptop should not be on the same network—keep private, sensitive data on a separate system from your other IoT devices.
Review and follow the Department of Homeland Security’s “Securing the Internet of Things” advisory notice.
The FTC also issued a consumer alert this week, “What to ask before buying internet-connected toys,” urging consumers to understand the smart toy’s feature before purchasing it. This warning includes:
Does the toy come with a camera or microphone? What will it be recording, and will you know when the camera or microphone is on?
Does the toy let your child send emails or connect to social media accounts?
Can parents control the toy and be involved in its setup and management?
What controls and options does it have? What are the default settings?
When evaluating a new IoT toy, determine what information about your child the toy collects while your child is playing with it. Where are voice recordings and photographs stored and transmitted, and who has access to the recordings and photographs? Is there a way to access and delete that information?
Parents may wish to consider these questions when evaluating a new toy for children, and whether the coolest new toy is worth the transmission of a child’s biometric information to unknown individuals without their or the child’s consent. Consider whether your child will be thankful for that toy, and the disclosure of his or her information, including biometric information, when the child reaches the age that he or she can consent for himself or herself. Sometimes the coolest gift isn’t the safest gift.