This holiday season, you can count on just about everyone to shop smart, and I mean that in both senses of the phrase. Everybody wants to get the best deals and the most bang for their buck, yes, but I’m also talking about the internet of things, those smart devices of every form and function that currently dominate the holiday catalogs of Walmart, Target, and every other big-box department store. With Amazon launching a whole new line of Alexa products, including a digital assistant for your car, a voice-controlled microwave, and even a “smart plug,” we can now fill our homes with enough gizmos and gadgets that we’re beginning to resemble The Jetsons.
IoT devices are wondrous tools, enhancing our creature comforts by marrying them with our digital world. But therein lies their darker side as well. Every device you connect to the internet creates a doorway into your home, and you want the best security around every one of those doorways to be tight and dependable. Your personal info, your identity, and your safety could all be at risk, and that is not over-dramatizing. So how do you know which devices to trust? Which ones are good deals, and which ones are not?
If you’re thinking about buying a connected device for a loved one – or even yourself – this shopping and security guide is a must-read.
When IoT goes wrong
The tricky thing about IoT devices is that they really do serve as the perfect attack vectors. They expand the attack surface of your home by creating the doorways mentioned above, and they do it “under the radar,” as it were, since the general public doesn’t fret too much that they’ll be attacked through their baby monitor or smart thermometer.
But sadly, cybercriminals know all too well that it’s possible. In fact, that’s exactly what’s been happening.
Like something out of the next Ocean’s 11 film, cybercriminals infiltrated a casino through the smart thermometer in one of its aquariums. Who would have thought that this simple device, being used only to make sure a few fish have water that’s warm enough, could be used to burrow into the casino’s most top-secret database? When everything is connected, everything is accessible.
How to choose the best IoT devices to gift, even for yourself!
Like the retail industry, the IoT universe consists of a great number of excellent products and an even greater number of less-established knockoffs. These better-priced-yet-sometimes-inferior products are tempting to buy, but the low cost to your wallet may translate to a high cost to your privacy if you purchase a cheaper version that has poor security.
Before buying any IoT device, check this list and check it twice:
Compare the price — Check the price of the device against other comparable products. If it’s in the same ballpark, that’s a good sign. If it’s drastically lower than its competitors, you have to wonder why and dig a little deeper.
Look at the brand — If it’s not a well-known brand, look it up to see which retailers sell it. Then, on the manufacturer’s web pages, look at how much info you can find on the device: do they support it, what are the tech specs, do they mention future software/firmware updates, when was the last time they issued updates, etc.
Observe the website’s design — Does the manufacturer in question use http or https? The more security-conscious products will definitely use https, the internet protocol that encrypts the connection between you and the website. Note: here, we’re talking about the security of the product’s website, not the product itself. But the effort the company does or doesn’t put into website security could be indicative. Also, if the specific product being considered has management pages or a portal on the internet and the login page uses HTTP, pull back and re-consider your purchase.
Review the capabilities — What info does the device collect? Does it use a microphone or a camera? Consider the data it will access so that you understand the risk involved, should that info get compromised. And ask yourself if it makes sense that the device accesses that info. If not, think again about whether you really need the device.
Check out the CVE details — CVE stands for Common Vulnerabilities and Exposures, and there is a site available for public reference that lists manufacturers and all known vulnerabilities associated with them. Look up the maker of the device you’re considering on the CVE vendor page. Check for any reports of high-severity vulnerabilities. Poke around further on the site to look up specific versions of specific products.
Look up user reviews — If there are any available, read user reviews on the product. Check the rating and number of downloads to get a sense of whether others praise it or have had problems with it. Look at both positive and negative reviews — do they seem like they are real reviews with enough detail that makes sense, or are they one-word reviews just giving it 4 or 5 stars?
Consider the setup process — Does it mention anything about security? Does it suggest you change the default password to something complex? If the setup process basically instructs you to turn it on and let it go, without any mention of security and protection, it could be a red flag.
The bottom line here is that if the device is not made by a well-known brand and if it’s priced much lower than comparable products, you should dig deeper to see if anything leads you to believe it’s not a company you can trust. Follow the suggestions above to identify more tell-tale signs of whether the product you’re considering is a yay or a nay.
Comparison shopping for IoT devices
For an example of comparison shopping for IoT devices, check out these charts. We looked at the latest voice assistants, wearable fitness products, smart doorbells, smart speakers, and even smart vacuum cleaners. We compared support, capabilities, and price, and made sure to include at least two lesser known products in each list.
You’ll see that a lot of the alternative products do not have a full website, do not have easy-to-access support, and in many cases there is no “how to update” or general update information available. These could be clues that in the long term you won’t receive technical support or future updates (one of the best ways to ensure the security of IoT devices over time).
This is not a guarantee of 100% security, nor are we endorsing these products, but the information below may make you think twice about your purchase, whether it’s for your loved one or yourself.
Smart watch that is a cheaper version of many others in the market, enticing because it offers many features the leading brands offer, but no website besides Walmart has any information about this product
Connected robot vacuum cleaner that vacuums your floors
No support page on website that we could find
No software update info available online
Securing your IoT device
Okay, so let’s say you did your homework, made a purchase, and presented your gift to the lucky recipient. Your work as a gift-giver is not over yet. The next crucial step is to remind them (including yourself and your family members) that setting up the device with strong security is a non-negotiable. Bookmark this blog post and follow these final essential steps for top IoT security:
Change the default password on the device to something uncrackable. Use these best practices for passwords to concoct your own. If the device allows for 2FA (two-factor authentication), enable it.
Do the same as above to your router. When you add a new device, it’s a great reminder to change your router’s password at the same time. And if it too allows 2FA, enable it. (If you’ve never changed your router’s default password, please drop everything and do so immediately.)
Watch for updates for your device’s software or firmware, and install them as soon as they become available. This will keep your device running at optimum performance with the highest security. It’s worth noting that devices such as the Amazon Echo and Google Home Assistant automatically update the software or firmware without any action required by the user.
Once the holiday season is behind us and the decor is placed back in the attic, households all over the world will contain more IoT devices than they do now.
Attack surfaces are increasing, but that doesn’t have to deter you from enjoying these wonders of the modern world. As long as you choose your IoT purchases carefully and accept the responsibility of setting up their security, you can deck the halls merrily with the coolest holiday gifts of the season.