By David Emm, Principal Security Researcher, Kaspersky
Baby monitors, CCTV tools and smart home devices like Amazon Alexa and Google Home are all handy additions to today’s modern home. A quarter of Britons now own one or more smart home devices, and by 2023 every home in the UK is expected to contain at least 50 of them. It is therefore becoming increasingly important for consumers to consider the dangers of IoT devices in their homes, as they could be vulnerable to criminals who could be watching or listening and waiting to attack.
During the 2018 Christmas period, the biggest spenders in the UK were families with children, and toys accounted for 31% of online purchases. Many of these toys will have connectivity built in. Yet often, little thought is given to how secure a connected toy is. Meanwhile, items such as stairgates and child safety locks are seen as an essential part of a family home to protect children from danger. The same level of thought should be given to protecting children from connected toys and monitors from the moment they are purchased.
As connectivity continues to spread into more areas of our home and working lives, manufacturers eagerly continue to put ‘smart’ products on the market that will sell. However, they often do so without ensuring that these products have sufficient security measures in place to protect the people that use them. Many of these devices, such as baby monitors, have become such an established part of our everyday lives that we often rely on them without really thinking beyond the benefits they provide. However, in today’s evolving technology landscape – and with the growing threat from cybercriminals – this way of thinking must change.
When manufacturers install voice recognition, or other smart elements, in a toy, the threat vector for consumers becomes very real, even if the device has been bought from a trusted brand. Even trusted and well-known toys such as Mattel’s Barbie were found to have potential vulnerabilities when they came onto the market.
These attacks are no longer just a theoretical possibility; they have actually taken place and left people in danger. One example is a criminal who hacked into parents’ baby monitors and threatened to kidnap a 4-month-old child.
One key security challenge that consumers face in relation to connected devices in their home is that they may not be directly affected by the actions a cybercriminal takes to compromise the device. Cybercriminals might bide their time – for example, gathering personal data, but not acting until they have everything they need, so that their attack goes unnoticed until it’s too late. In addition, cybercriminals might use the device to launch a DDoS (Distributed Denial of Service) attack on the provider of some online resource at the other side of the world.
Manufacturers must help consumers mitigate the risks of connected technology by ensuring basic security protocols – and building security into the design of smart tools, toys and other devices. Vendors must take cyber-security seriously. The government’s initiative and code of practice for the design of IoT devices is a positive step in the right direction (although I would also like to see it include some form of ‘smart-safe’ logo that can be easily identified by potential purchasers of a device).
However, the need to keep connected devices secure isn’t solely the responsibility of manufacturers. Kaspersky advises consumers to always consider the following, to ensure the safe use of their smart devices:
1. Are the extras essential?
Do you need the functionality that’s in the device you’ve just bought? If it comes with X, Y and Z, but you only really need X, disable what you don’t need, or look for a product with just the functionality you need. More functionality simply makes a product more vulnerable to a cyber-attack.
2. Look at reviews.
Has this product been reviewed – and well? Has it got a good reputation in terms of safety? If there’s a lot of negative feedback, consider whether you should invest in it at all.
3. Change default settings.
Does the device come with a default password? If it does, change it immediately. Some manufacturers of routers, for example, ship devices with a unique key – which is something that all manufacturers should be doing. However, they aren’t yet, so consumers must get into the habit of changing default passwords quickly.
4. Will the device update itself?
The chances are that in the future, a cybercriminal will find a vulnerability that lets them compromise a new device. Check if the device you are planning to buy can be updated by the manufacturer.
5. Change your thought process.
The device might provide functionality that pre-dates the digital age – for example, baby monitors. As a result, we’re not thinking about digital security. We must all start to think about digital security, in the same way that we think about real world dangers, from the moment we buy a connected device. Consider the risks and how you can mitigate them.