Your holiday gifts may be opening a door to attackers

‘Art Lee holds just a few devices that fall under the realm of the Internet of Things.

With holiday shopping under way, at the forefront of most everyone’s minds is the inevitable challenge of finding the latest and hottest gift for a loved one, regardless of how secure it may be in terms of cybersafety. The face of these consumer products is ever-changing. These are no longer the simple items of the past like a Tickle Me Elmo, Ironman watch or Sega. Current devices are much more complex: smart assistants that talk to you, wearable trackers that report your health stats, interconnected video game consoles that allow multimedia applications or multiplayer challenges, even cars that drive themselves.

These gadgets fall under realm of the “Internet of Things” or IoT. IoT refers to the entire network of electronic devices with embedded firmware that allows them to collect and receive data. In short, these are devices that connect to the internet, to each other or both.

These devices sound fun and futuristic, but there are some precautions that must be taken, not only during use, but also prior to purchasing them. Although many devices are intended to be used on a closed network like that in your home, some are riddled with so many security vulnerabilities that they shouldn’t be considered at all.

If you already own the device, the first thing you should do is find out whether there are administrative passwords associated with it. If so, change them immediately. There are a handful of botnets (a network of compromised devices) that will scan the internet looking for devices with known default passwords. If this happens, your device will become part of the botnet and possibly be used to perform a denial of service attack against some entity. If you can’t change the administrative password, make sure you limit external access to the management interface. This is a good idea regardless of whether the password can be changed.

The second thing you should do is check whether your device is running the latest firmware. Just as software updates do on computers, firmware updates contain security fixes. With the type of information that may be exposed and collected, it is extremely important that these fixes are applied to help protect against vulnerabilities. If your device can no longer receive firmware updates, it may be considered end of life and should probably be replaced.

For smart assistants, such as the Google Home or Amazon Echo, it should be noted that, by design, the device will always listen to your conversations, as it needs to know when to respond to your “Hey Google” or “Hey Alexa” queries.” This audio is sent back the cloud, where it is stored. Data breaches can occur at any time, and high-profile companies, from Adobe to Sony to Dropbox, have been compromised in this way. As such, there is always the risk of attackers listening.

On the subject of stored data, it would be worthwhile to research an IoT toy before purchasing it. For example, in 2015, the “Hello Barbie” doll received criticism for being compromised in the same way a smart assistant could be: While the doll itself was fairly secure, the cloud server receiving the data had vulnerabilities. In the same year, toy company V-Tech had a similar incident with its servers — the personal information of millions of parents and hundreds of thousands of children were exposed.

Finally, be aware that IoT devices were designed for home use. They would be protected by your firewall and be used by trusted members of your family. As such, many security features, like requiring login on each use, would be disabled or not even offered as an option. These devices were not intended to be used at work. Please do not bring them to Fermilab. Leave them at home where they are best enjoyed.

With a little care and vigilance, you can buy the latest and hottest holiday gadgets as well as give the additional gift of cybersecurity awareness. For more articles and additional information about cybersecurity at home and work, see the Computer Security Awareness website at http://securityawareness.fnal.gov.

Art Lee is the threat management and incident response leader in the Fermilab Office of the CIO.