The Christmas of IoT

Tech gifts are awesome. As an engineer, I love getting new gadgets and gizmos to play with, break, and eventually fix. But if someone gets me some mundane object that is internet-connected, I’m going to lose my shit.

It’s a cool concept: instead of a regular bathroom scale, it’s a machine-learning bathroom scale. Devices like that seem appealing to the masses, but to security engineers they are a total nightmare. I’ve written about IoT security issues before. A couple of times actually.

This post isn’t going to be a tirade against IoT, just a reminder that devices are more insecure than ever, and getting your children IoT devices is a bad idea. There are plenty of safe and responsible ways for kids to browse the internet, and a multitude of ways that technology can enrich their childhood, but putting a toy that has a camera and microphone in their hands to be used 24/7 is terrifying to security engineers. Internet-connected toys have no security standards whatsoever. An attacker doesn’t care that it’s a kid’s toy. To them, coming at it from the infrastructure, it’s just another computer.

The FBI put out a warning about buying internet connected toys and gadgets for minors. “These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities… These features could put the privacy and safety of children at risk.”

Even if the devices themselves are not vulnerable, corporations care very little about securing your data. A line of IoT teddy bears called CloudPets left terabytes of messages recorded by children exposed in an unsecured online database, along with 800,000 usernames and passwords. A Norwegian consumer council found that specific kid-focused smartwatches are extremely insecure, allowing external agents to track the movements of the wearer and even communicate with them through the speaker.

If, after all of that, you are still planning on buying an IoT device for Christmas, take the time to learn exactly how it works, and understand what kind of information it could potentially collect and what it does with that information. Find out if the company that makes it has a history of data breaches, use different passwords across all devices, and read the privacy policy! Take the time to change the default passwords on all of your IoT devices. Not changing them makes hacking into them as simple as googling the login credentials. Find out how often the device gets firmware updates, security patches, and software updates. If you’re gifting one to someone else, make sure they know the liability that you are handing off to them.

Not every IoT device is vulnerable, but the industry has a very long way to go to secure its devices.
