There was a time when irons, fridges and other household appliances didn’t collect data about how we iron, what food we store and when we buy it. We never even thought about these things 20 years ago. Today, appliances are all about being connected, making things easier and doing them faster. Updates, patches (maintenance) and security settings are now, more than ever, also relevant for these internet-connected home devices.
As our world gains in modern conveniences, questions arise as to the pros and cons of this new generation of connected devices, both for society and from a security standpoint.
Connected kitchen
Call me paranoid (you’d be right), but as a security person, I look at modern household connected devices with both admiration and suspicion. It’s not hard to think of the threats that such devices introduce into people’s lives — if they are not locked down and secured against the same threats mobile devices and PCs face, they invite anyone and everyone into your home.
Being connected does offer the convenience of getting nutritional information and even cooking tips to ensure that great meals are made even quicker. But as a hacker — though not a cyber criminal — I think about the ways that I can invite myself into your house by understanding the security mechanisms of these new devices. From a hacker’s perspective, it’s important not to trust anyone else with your personal or your family’s security, unless you really know them. We assume that companies selling products will protect us from the most common risks, but is that really true today? I suggest adopting the hacker’s mindset in this regard: it pays to understand how technology works and to know basic security precautions.
Let’s look at cyber espionage. If you are a high-value target to me, I will take my time and use your devices to find out what you buy, where you buy it and how you use things. I can also get data on when you wake up, when you make your meals and the stores you like. All of this information can be used for normal purposes, but it can also be used to attack, so being careful is always better than being exposed to uninvited guests.
So what do you need to think about when choosing to take advantage of connected devices? With some standard tips such as turning on security settings, you can use modern devices while still protecting your privacy. It is important to research the device and to be cautious, asking questions about what security options are available, how to switch them on and off, and about the operating systems being used by the item.
You are responsible for your own security. Relying on a company or manufacturer to secure your home might not be the smartest thing to do, as you will be passing responsibility for your security to others you do not know. And if these companies do not know enough about security, they could add to the risk, resulting in a false sense of safety that can open you up to all kinds of threats.
The right to say no
Devices must have a limit in terms of the information they store on you and your life. If you do not want data sent to someone, then you have the right for it not to be sent. Manufacturers must include data protection options on their devices that a standard user can set and understand. Don’t blindly trust any device that you buy. Ask questions about the manufacturer and how to update, install or patch devices.
Be careful with how you use the internet on these devices and be watchful of the websites they connect to. If a device connects to someone’s website, ask yourself why. What information is being sent where, and for what reason? Turn it off if possible, or demand that the manufacturer answers these questions before you buy. Websites are full of malware and viruses, and attackers can use them as a vector to target you. This is no longer limited to movies such as Flash Gordon or Star Trek; it is our reality.
Be careful if these devices collect credit card or any other financial data. There are international laws and regulations (such as the Payment Card Industry Security Council’s standards) for a reason. If a device collects data about your credit card, it needs to secure this data — it should use encryption for usage, billing and private information. Data at rest should be encrypted by default. Think like a hacker or security person. If someone wants to steal your identity, would the device give them that extra edge or make you more vulnerable? Connected devices introduce new opportunities but they also introduce risks.
Lastly, all the devices and solutions you choose must make things easier. Security is complex, but with a little bit of logic, thought and knowledge, you can use connected appliances while still having some form of privacy. I hope all companies out there are listening…
— The writer is a Security Specialist at IT security firm Sophos