SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Connected toys and wearables for Christmas? Could be a cyber security risk
Tue, 13th Dec 2016

ESET is warning consumers about connected gifts this Christmas season, as the popularity of devices such as wearables, connected toys and baby monitors continues to grow.

The cyber security specialists warn these types of devices can be easily hacked by e-criminals, or turned into a threat to consumers' privacy.

ESET refers to a complaint that was lodged last week with the US Federal Trade Commission over internet-connected toys recording and transmitting kids' conversations in violation of privacy rules.

In the past few years, many baby monitors have also been reported for hacks, the latest one in the US with a hacker directly spying on and talking to the toddler through the monitor, ESET says.

Connected toys

According to ESET, on average, Australian households now have nine internet-connected devices.

“With the Christmas period coming up, more and more connected toys will be hitting retailers' shelves, but parents should be questioning the security standards of these toys before making any purchasing decisions,” says Nick FitzGerald, senior research fellow at ESET.

FitzGerald says parents should go through the following steps before and after buying a connected toy:

“Firstly, consumers should understand that as long as a device can be connected to the web or other devices and isn't secured, it can be accessed stealthily and used to a cybercriminal's advantage,” he says.

“If parents understand those risks, but still want to go ahead, there are a few steps to optimising security levels.

· Check the privacy policy of the gadgets - Is your and your children's data protected when entering information? For example, devices asking for addresses, names, phone numbers, and details about the children's lives could also be available for hackers to access.

· Check if the model or other gadgets of the same brand have had previous security vulnerabilities or privacy risks by searching for the brand name and those terms. Does your family want to risk being spied on? If not, maybe this gadget isn't worth it. Or, if it still seems desirable, perhaps there are configuration options you can change to make them more secure – just remember to make those changes before you connect it to your home network!

· If there are some requirements to being connected to the internet, double check your Wi-Fi connection is properly secured and install a strong password on the connected device if possible.

· Get a proper security solution for all your devices. Via toys and baby monitors, hackers can also try to access your personal data through mobiles and tablets.

· When not in use, turn the gadget off completely.

FitzGerald says several popular network-connected toys and baby monitors have already been shown to introduce major privacy or security risks.

“Further, these are not just from cheap, no-name manufacturers, so do the research rather than assume that because it's a well-known brand it should be safe,” he explains.

“The most important thing here is for parents to understand the risks and then proceed with caution.”

Connected devices

“When consumers receive a wearable such as a fitness tracker or smartwatch for Christmas, they don't always know the security policies of the relevant manufacturers, how to properly secure their devices, or how to control the amount of data they're sharing with the rest of the world,” FitzGerald says.

“Some wearables use Bluetooth Low Energy, which transmits data but can also be intercepted by hackers – therefore potentially exposing a lot more information and fitness data from wearables than users would like,” he explains.

FitzGerald says scammers can also obtain compromised account credentials on the black market and then try username/password combinations on different systems to see if they work on a targeted website.

Additionally, if a wearable has to communicate with other systems in order to work, but those systems are not properly secured, FitzGerald says the security of the device itself might be an issue.

“Although consumers have to admit there is an associated risk with using these kinds of devices, there are some cyber-hygiene rules to follow if they receive or offer such a gift for Christmas,” he says.

· If you offer a wearable for Christmas, Google the name of it combined with the word hack, fraud or scam. This will help you understand any previous problems and help you make a more informed purchasing decision.

· Once offered, set up your wearable and any associated online accounts with a unique username and password. These should be hard to guess – use passphrases instead of single words to optimise password security.

· Review the privacy policy of any device you receive for Christmas. This will indicate how serious the device company is about protecting your data.

“Finally, decide whether all functionalities or features of a device or app are worth using. If not, do not use features that present a high security risk,” FitzGerald adds.