Phil Muncaster, a guest writer at ESET, explains that unwrapping a new device this holiday season will put a big smile on your face, but things may quickly turn sour if the device and data on it aren’t secured properly.
As the festive season approaches, we’re all looking forward to being pampered by our friends and family. Increasingly, this means our stockings will be full of technology come the big day. This could mean anything from a fitness tracker to a laptop; a smartphone to a connected baby monitor. The bottom line is that we’re all rampant users of smart devices. For example, more than half of Europeans use an internet-connected TV today, a quarter (26%) use smartwatches and other wearables, and a fifth (20%) are fans of internet-connected gaming devices.
But with our embrace of smart devices comes added risk. Our loved ones may not have been paying much attention to the small print when they hit “purchase” on our presents. So the pressure’s on all of us to ensure our dream holiday gift doesn’t turn into a security nightmare.
What are the risks?
The level of risk you’re exposed to will depend on the type of device you’re opening on Christmas Day. But there are some common issues that can put your online accounts and personal and financial data in peril:
- The product contains unpatched software or firmware. This could enable hackers to exploit vulnerabilities in attacks to achieve a variety of goals.
- The factory default password for the product is easy to guess/crack and the product doesn’t require the user to immediately update the password. This could allow an attacker to hijack the product remotely with relatively little effort.
- There’s no two-factor authentication (2FA) enabled by default, which could make it easier for hackers to hijack the device.
- There’s no device lock enabled, putting the device at risk if lost or stolen.
- The privacy settings are not secure enough out of the box, leading to you oversharing personal data with advertisers or potentially malicious entities. This is especially troubling if it is a children’s toy.
- Certain settings such as video and audio recordings are enabled by default, putting your child’s privacy at risk.
- There’s no encryption on the account creation and login process, exposing usernames and passwords.
- Device pairing (i.e., with another smart toy or app) is done via Bluetooth with no authentication required. This could enable anyone within range to connect with the toy to stream offensive or upsetting content or send manipulative messages to your child.
- The device shares geolocation automatically, potentially putting your family in physical danger or at risk of a burglary.
- There’s no security software on the device, meaning it’s more exposed to internet-borne threats that could steal data or lock down the device.
The challenge is that in many parts of the world, there’s no legal mandate for manufacturers, distributors and importers to sell secure internet-connected products. By exploiting poor vendor design and limited attention to security best practices, malicious hackers can carry out a range of attacks to hijack your devices and access data stored on them. This could include logins to some of your most sensitive accounts, like online banking.
Alternatively, the device itself could be remotely controlled and conscripted into a botnet of compromised devices designed to launch attacks on others, including DDoS, click fraud, and phishing campaigns. Threat actors might also look to lock your device with ransomware and demand a fee for you to regain access. Or they could download adware, which floods the device screen with ads, making it virtually unusable. Meanwhile, limited privacy protections may lead to data on you or your family being shared with advertisers and other parties.
Ten ways to secure your gadgets
With the above in mind, follow these tips to keep you and your family safe from cybersecurity and privacy risks this holiday and beyond:
1. Ditch the defaults and instead secure each gadget with a strong, long and unique password on set-up.
2. Wherever there is an option, switch on 2FA for added login security.
3. Only visit legitimate app stores when downloading apps to your device.
4. Never jailbreak devices as this can expose them to a slew of security risks.
5. Ensure all software and operating systems are up to date and on the latest version. And switch on automatic updates where possible.
6. Change the device settings to prevent any unauthorized pairing with other devices.
7. Disable remote management and Universal Plug and Play (UPnP) where available and ensure the device is registered and receiving updates.
8. Back up data from your devices in case of ransomware or other threats.
9. Keep any smart home devices on a separate Wi-Fi network so that attackers can’t reach your most sensitive information.
10. Wherever possible, install security software on the device from a reputable vendor.
Let’s all have a safe and happy festive season. And next time you buy a gadget for a friend or relative, take a bit of extra time at the research stage to ensure it gets good ratings and reviews for security and privacy. It might save them quite a bit of time on Christmas Day and beyond.