Ahead of the holiday shopping bonanza, the security community is talking to consumers about IoT security.
With the holiday shopping season poised to officially kick off this weekend, it's likely that connected gadgets and toys are high atop many a consumer wish-list. As those of us in the security space know, however, internet of things (IoT) devices can quickly go from fun to creepy, depending on how hackable they are.
IoT devices are set to be among the most popular gifts this year. According to Mozilla, it's a varied bunch, ranging from the Nintendo Switch gaming console and the latest Roku streaming box to Fitbits and assorted drones, smart watches, home assistants and even a smart dinosaur. And with rafts of vulnerabilities continuing to be uncovered in a space plagued by a lack of security wherewithal, many in the security and privacy community have stepped up to the plate with efforts to educate the average citizen about IoT risk.
Ken Munro at PenTest Partners, for instance, is urging consumers to take things into their own hands, or handsets, rather. Evaluating the privacy and security of these devices isn't that tough, he noted: a simple Google search is a perfect place to start.
"Pop the name of the smart gadget or toy into a search engine and add the word 'hack', 'security' or 'vulnerability'," he explained in a shopper-focused posting on the subject. "It'll take you moments with a smartphone and might save you throwing that 'thing' away later over security concerns. See what comes up. If there are discussions about serious security issues, don't buy it."
Most IoT vulnerabilities open the door to surveillance, after all, whether for financially motivated snooping or for more nefarious purposes. For instance, a line of kids' wristwatches was recently found to have a deeply disturbing flaw that would allow someone to track children's real-time GPS coordinates; call kids on their watches; eavesdrop on their conversations; and intercept personal information about them, such as name, age and gender.
So, noting whether one's IoT gadget of choice has a microphone, speaker or camera can also help consumers deduce how risky it is, he added.
Munro also noted that shoppers willing to spend a few extra minutes can go the extra mile and test-drive the mobile app that comes with a connected stocking stuffer.
"Before you buy, download their app from the App Store or Play Store to your phone," said Munro. "Click on the 'create account' or 'login' section. Create an account, add a temporary or throwaway email address, then try to set the password of 'password'. See what happens. Was it rejected for being too weak? If so, try 'Password1' and see if that works. Most times, that will work. If so, the manufacturer is showing that they really don't care."
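The two-step probe Munro describes, as an added example that is not from the article or from Pen Test Partners: a small Python model of the server-side password rule a device app might enforce. `naive_policy` (a hypothetical name) is the complexity-only rule that rejects "password" but waves "Password1" through; `hardened_policy` (also hypothetical) normalises the candidate, compares it and its obvious mutations against a common-password denylist, and only then applies length, repetition and context checks. The denylist is a constructed toy sample standing in for a real breached-password list.

```python
"""Added example, not code from the article or from Pen Test Partners.

Models why the "password" -> "Password1" probe works: a complexity-only rule
accepts "Password1", while a denylist-first rule catches it as a trivial
mutation of "password".
"""
from __future__ import annotations

import re

# Constructed toy denylist. A real deployment would load a large list of
# known-breached passwords rather than these seven entries.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou",
}

MIN_LENGTH = 12  # assumed policy value, not from the article

# Undo the usual character substitutions so "P@ssw0rd" maps back to "password".
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def naive_policy(candidate: str) -> bool:
    """Complexity-only rule: 8+ chars, upper, lower and a digit.

    Rejects "password" (no upper case, no digit) but accepts "Password1".
    """
    return (
        len(candidate) >= 8
        and re.search(r"[A-Z]", candidate) is not None
        and re.search(r"[a-z]", candidate) is not None
        and re.search(r"[0-9]", candidate) is not None
    )


def _variants(candidate: str) -> set[str]:
    """Forms of the candidate to look up in the denylist.

    Strips a trailing run of digits/punctuation ("Password1!" -> "Password"),
    then yields the lower-cased and de-leeted versions of both forms.
    """
    stripped = re.sub(r"[\d\W_]+$", "", candidate)
    forms = set()
    for form in (candidate, stripped):
        low = form.lower()
        forms.add(low)
        forms.add(low.translate(_LEET))
    return forms


def hardened_policy(candidate: str, context: tuple[str, ...] = ()) -> tuple[bool, str]:
    """Denylist-first rule. `context` holds words the password must not contain,
    e.g. the product name or the account's e-mail local part."""
    if COMMON_PASSWORDS & _variants(candidate):
        return False, "variant of a common password"
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(set(candidate)) < 4:  # "aaaaaaaaaaaa", "121212121212"
        return False, "too few distinct characters"
    lowered = candidate.lower()
    for word in context:
        if len(word) >= 4 and word.lower() in lowered:
            return False, "contains a product or account name"
    return True, "ok"


def munro_probe(accepts) -> str:
    """Run the article's two-step probe against an acceptance function."""
    if accepts("password"):
        return "accepts 'password'"
    if accepts("Password1"):
        return "rejects 'password' but accepts 'Password1'"
    return "rejects both"


if __name__ == "__main__":
    print("naive:   ", munro_probe(naive_policy))
    print("hardened:", munro_probe(lambda p: hardened_policy(p)[0]))
    for pw in ("Password1", "P@ssw0rd2018!", "MyFitbit2019!!", "correct horse battery staple"):
        print(f"{pw!r:32} -> {hardened_policy(pw, context=('fitbit',))}")
```

The order of checks matters: a length rule applied first would reject "Password1" for the wrong reason and still let "Password1234" through, whereas the denylist lookup on the stripped, de-leeted form catches both.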
Users can also go so far as to read the manufacturer's security notices (do they sound legitimate? Do they mention security at all?) or peruse the online owner's manual, which should describe connecting to the smart thing for the first time. If the Wi-Fi or Bluetooth connection doesn't require a password, that's a giant red flag.
Mozilla is doing its part on the consumer-education front as well, by updating its "Privacy Not Included" website. This offers an emoji-based creepiness scale for 70 of the most popular IoT products, along with more in-depth information on each.
Some get the designation of "super-creepy," such as the Amazon Echo Show and Spot. These home hubs can show you things while they talk to you. "Show and Spot can show the lyrics to the song you're listening to, weather forecasts, your security cams and baby monitor," the guide notes. "You can also make video calls to other people with a Show or Spot. Now you don't just get to wonder if Alexa is listening to you, you get to wonder if she's watching as well."
On the other side of the spectrum, where the happy emojis are, are things like the handheld Nintendo Switch. It's "a handy little console that lets you play at home on your TV or toss it in your bag to play anywhere," Mozilla said. "Good guy Nintendo also puts a lot of emphasis on easy-to-use parental controls."
The Switch is one of 32 products awarded a badge for meeting the minimum security standards created by Mozilla, the Internet Society and Consumers International. To receive a badge, a product must use encryption; receive automatic security updates; manage security vulnerabilities through tools such as bug-bounty programs and clear points of contact; and require users to change the default password, if a password is required at all. Other products receiving a badge included Google Home, the Harry Potter Kano Coding Kit, the Athena Safety Wearable and the Behmor Brewer Coffee Maker.
Also on the take-consumers-by-the-shoulders-and-shake front, the Internet Society has released a video spoofing the home-shopping channel QVC about the dangers of internet-connected devices, using a fictitious baby monitor called Buggle Baby.
These types of ratings and consumer-awareness efforts will continue to be important as regulation and government action continue to lag, Munro pointed out. However, some changes, along with potential legal action, are coming that may improve the IoT security landscape sooner rather than later.
For instance, California's Information Privacy: Connected Devices legislation (SB-327 and AB-1906), signed into law on September 28 and set to go into effect in January 2020, is the first law in the nation to address IoT security.
The law covers devices that are capable of connecting to the internet, "directly or indirectly," and that are assigned an Internet Protocol (IP) or Bluetooth address, and it requires them to have "reasonable" security controls. Specifically, such a device must have "a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure."
The law further stipulates that the manufacturer must provide a security feature "that requires a user to generate a new means of authentication before access is granted to the device for the first time." In practice this means a device cannot keep running indefinitely on whatever default credentials it shipped with, adding another layer of protection for these devices.