’Tis the season for giving gifts. And increasingly, those shiny new toys and gadgets can be connected to the Internet—from TVs to watches, speakers to Barbie dolls.
That Internet connection opens up a ton of possibilities for how we can use and enjoy our new devices. (“Alexa, play my Christmas playlist on Spotify, and also order my favorite pizza from Domino’s,” says my future self. I’m looking at you, Santa.)
But it also makes us more vulnerable to cyber attacks, whether it’s hackers infiltrating a device’s connection to swipe sensitive personal information or wielding our possessions as cyber weapons against businesses and organizations.
Hackers’ gateways into our homes are only growing more numerous. One recent study by Canadian networking firm Sandvine found that the average home in North America uses at least seven connected devices each day.
Meanwhile, a report this year by Pwnie Express—a Boston-based startup that helps businesses detect nearby rogue devices that might pose a threat—assesses some of the most vulnerable connected devices, from HP printers to tablets and phones made by Samsung, LG, and Coolpad.
“Any connected device can be vulnerable and any can be safe,” says Paul Paget, CEO of Pwnie Express, in an e-mail to Xconomy. “It really is about buying secure devices and then behaving in a cyber-smart manner. Manufacturers need to do a better job of incorporating cybersecurity in their products. However, consumers also need to be better educated and follow some simple steps” to secure their connected devices, he adds.
To put together a list of recommendations for readers, Xconomy tapped the expertise of Paget, Xerox CTO Sophie Vandebroek, and LogMeIn CTO Sandor Palfy. The trio spoke about securing connected devices at Xconomy’s recent “State of Cybersecurity” forum, and after the event we solicited more details via e-mail.
Here are their top tips for securing the growing stock of connected devices in people’s homes:
1. Do your homework before buying. This might be a moot point if your connected device was a gift (although that’s why they invented gift receipts). Either way, Palfy and Vandebroek recommend researching what security measures (if any) the product manufacturer has put in place.
“Be skeptical of devices that don’t require basic security measures like strong passwords,” Palfy says.
And watch for security notices about the product after purchasing, Vandebroek adds.
Palfy also recommends researching what data the product manufacturer collects.
2. Secure your Wi-Fi router. Before hooking up your new gadget to the Internet, here are some defense measures Palfy and Vandebroek suggest for your home’s router:
—Set a strong password for the router.
—Turn off the setting that broadcasts the router’s presence to nearby devices, even if access to your network is password-protected.
—Disable the router’s remote management capabilities.
—Don’t allow incoming connections, meaning devices on your local network should not be accessible via the Internet.
—Disable the “Universal Plug and Play” setting. (More on that here.)
—Encrypt the data being transmitted via the router.
—Make sure you’re using an https Web page to configure your router’s settings, because the connection to such pages is encrypted. “This is usually a small Web page hosted on the device itself and accessible from a Web browser,” Palfy says. “Most devices come with an unencrypted http interface and the end user has to enable” https.
For more router security tips, check out this article recommended by Vandebroek.
3. DO NOT USE PUBLIC WI-FI UNLESS YOU REALLY MUST. Paget put this tip in all caps, so clearly the risk of hackers intercepting information transmitted over a public connection is not to be taken lightly.
During the times when using public Wi-Fi is a necessity, just be careful.
“It’s important in those moments to avoid going to unfamiliar websites or opening e-mails from people you don’t know,” Paget says, when asked about using a public Wi-Fi network on a smartphone. “Get what you need, and then get out and turn off your Wi-Fi. If you have to take one risk, don’t put yourself in more danger.”
Or use the device’s cellular connection, if possible. That’s usually a safer bet than public Wi-Fi, Palfy says. “It is very easy to set up a malicious [Wi-Fi] hotspot, but you need special equipment to do the same with cellular,” he says.
You might also consider setting up a virtual private network to use over a public connection, Paget says. He mentions Witopia’s VPN service as one option.
4. Change your connected device’s factory default login credentials. “Don’t just plug in your new connected product,” Palfy says. That’s because many devices arrive installed with generic login information that can be found through a Web search.
Vandebroek says you should replace the device’s default login info with a strong administrator password and unique username, if possible. Palfy also recommends using two-factor authentication when accessing the account you use to manage the device. That means in addition to entering a username and password to access the account, you would also be asked to enter a second piece of identifying information, such as a code sent to your smartphone via text message.
Bottom line: slow down and take your time with the initial setup of the device, making sure you read each step of the instructions and choose the strongest security options possible, Vandebroek says.
“Most of the time this is not the default setting,” she says. People often “rush through the setup to start using the device, and then never go back to change the factory default settings. This is not only important for security but also for privacy.”
For example, you might want to configure the device so it doesn’t track your usage, or turn off the always-listening setting of voice-controlled products like the Amazon Echo.
5. Maintain the latest version of the device’s software. “Regularly check for security patches and firmware updates for your devices,” Palfy says. Not all devices’ software can be updated post-purchase, Vandebroek says, but be sure to install updates if possible.
6. Keep device access to a minimum. “Ensure only trusted users have access to your device,” Palfy says. (Added benefit: This is a built-in excuse to hog your new toy.)
7. Just because you can connect it to the Internet doesn’t mean you must. Paget recommends manually controlling each device’s Internet connection. That means: turn off Bluetooth and Wi-Fi connections when you aren’t using them, always have the device set to “Ask to Join Networks,” and don’t allow the device to “remember” wireless networks and automatically connect, he says.
Perhaps some Internet-enabled gadgets should simply be left offline. “Take inventory of the connected things around your home and think through which ones need to be connected and which ones may not,” Palfy says. “For example, if you never use the ‘smart’ functions of your TV, turn off the Wi-Fi to limit potential entry points.”
[Pictured above are the Amazon Tap, Fire TV, Echo, and Echo Dot. Photo courtesy of Amazon’s online press kit.]