Op-Ed: Your Holiday Gift Could Have Serious Security Risks

As consumers around the country race to make last-minute purchases for their loved ones this holiday season, chances are they are considering a connected device or two to place under the tree next week.

But how can holiday shoppers be sure that the new connected device they’re eyeing was designed with the necessary privacy and security protections to keep their loved ones safe from digital attacks? How do they know it won’t invade the privacy of their friends and family or provide unwanted individuals with access to their home and devices?

Internet of Things (IoT) devices are a relatively new feature in the modern home, but according to a recent poll by Mozilla, consumers are already skeptical about the growing technology. The poll found that 35 percent of respondents were “wary and nervous” and 45 percent feared a “loss of privacy” about the connected future. Despite this, there are expected to be some 30 billion connected devices worldwide by 2020.

Leading tech companies build devices such as thermostats, cameras, children’s toys, and kitchen appliances with convenience in mind. But without proper privacy and security protocols built into these devices, the potential harm can severely outweigh the benefits.

Insecure devices pose risks for everyone’s privacy—and for the health of the internet generally—but there are those for whom it presents very real issues of physical, mental, and emotional safety. Victims of domestic abuse are one example. Protecting everyone from devices that could be misused against them is vital, and with the rapidly increasing popularity of “smart homes” and IoT devices, we have a lot of catching up to do.

The first step is education. The vast majority of people interested in buying a new internet-connected device have no way to evaluate privacy and security features, and there is very little expert guidance for consumers to turn to. Consumers must better understand the immense risks poorly-secured devices can pose by allowing outside access to devices in the home. That very problem is the driving impetus behind the Digital Standard, a testing framework spearheaded by Consumer Reports for evaluating IoT devices and mobile apps on these questions.

Consumer Reports has already begun including the outcomes from Digital Standard in their product reviews, which is working to close the knowledge gap for the average consumer wondering what features they should consider when purchasing smart devices. As consumers become better equipped to judge the security of the products they buy, the market should drive manufacturers to build more secure offerings as a differentiator.

As a completely open source project, the language of each test is open to the public—allowing consumers and others to implement the Digital Standard in their own reviews. While Consumer Reports will no doubt continue to provide high-quality, broadly applicable reviews based on the Standard, the fact that anyone can take the Standard and apply it themselves opens up real opportunities, particularly for those most at risk.

A similar project is Mozilla’s Minimum Security Guidelines — basic requirements we believe all connected devices should meet, like using encryption and featuring automatic security updates. This winter, Mozilla used these Guidelines to evaluate 70 popular connected products like smart watches and gaming consoles in our *Privacy Not Included gift guide. Only 32 products met the requirements.

Consumers should no longer accept the excuses from industry that they weren’t aware of the potential misuses of their products. Making accessible devices that are secure and private by default must be a priority for manufacturers, and consumers should be aware of the options that are best suited for their needs.

Through efforts like the Digital Standard and similar initiatives, we can help manufacturers produce devices that are more secure while providing a reference point that can be tailored to address the needs of all American consumers. IoT technology has the power to make our lives easier, better, and safer. Let’s work together to ensure those building today’s most innovative goods and services prioritize consumer safety.

Kevin Bankston is the director of New America’s Open Technology Institute and Ashley Boyd is vice president of advocacy and engagement at Mozilla, which is headquartered in Mountain View. Opinions are the author’s own and do not necessarily reflect those of San Jose Inside. Send op-ed pitches to [email protected]

One Comment

  1. I’m about ready to take my security + certification, so soon I’ll have a scrap of paper that says I know I’m talking about.

    The biggest security vector that has ever been created has been done so in the pursuit of convenience. Wifi. Yes you can set things up so you have what amounts to a chain on the door, but every single packet that goes between your client device and the router is open for anyone to grab out of the air.

    Kismet, aircrack-ng, are some popular tools, and are included in Kali Linux. Anyone who can read some instructions and type some things in a shell window can record your transmissions for a replay attack. Capture 24 hours or more of traffic,and they can use rainbow tables on said traffic to extract the wifi key.

    If you want to be truly secure, use ethernet wherever you can. Put wifi devices on seperate VLAN’s. Put IOT devices on their own VLAN and SSID. Make sure you have a router/switch that timestamps packets with a sessionID and filters out any duplicate mac addresses.

Leave a Reply

Your email address will not be published. Required fields are marked *