Your presents are spying on you
Christmas Day is very near, and many of you will give or receive
internet-enabled technology gifts. In
the world of smart-this and connected-that there is more at stake than ever
before, and we’re not talking about whether batteries are included or not.
As I’ve been testing the security of smart products for over
5 years now, I thought it was time for some seasonal advice on what you should be
looking for when buying smart gifts this year.
Here are my Five Top Tips on buying smart gifts, and what to look for if you’re concerned about
the privacy and security of your loved ones, which you jolly well should be.
Tip 1: use Google!
Pop the name of the smart gadget or toy into a search
engine and add the word ‘hack’, ‘security’ or ‘vulnerability’, e.g. My Barbie doll hack.
See what comes up – if there are discussions about serious
security issues, DON’T BUY IT.
Tip 2: does it have a microphone, speaker or camera?
If so, your ‘spidey senses’ should be tingling. I’ve looked
at loads of products that hackers could use to invade your privacy, groom your
kids and worse.
What does the manufacturer say about security on their web
site? Do they use words like ‘military grade’ or ‘bank grade encryption’ or
jargon like ‘AES 256’ or do they say nothing at all about security?
If so, then I think they don’t have a clue. You need to feel
reassured about security – I would expect a responsible manufacturer to have a
whole page on their web site talking about having their security independently
reviewed and the processes they follow to keep your data safe.
Tip 3: download their app
Do it. Before you buy, download their app. You’re going to need the app
anyway, so you won’t be wasting time. Create an account using a temporary or throwaway email
address, then try to set the password to ‘password’. See what happens. Was it rejected for being too weak?
If so, try ‘Password1’ and see if that works. Most times, that will work. If so, the manufacturer is
showing that they really don’t care. It shouldn’t be possible to create poor passwords, as that
would expose you and your family to trivial compromise by hackers.
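Why ‘Password1’ so often gets through, as an added example that is not part of the original post and is not any manufacturer’s code: a composition-only rule rejects ‘password’ but accepts ‘Password1’, while a check against a list of common passwords rejects both. The denylist contents, the 8-character minimum and the function names are assumptions made for illustration.

```python
import re

# Constructed sample denylist of base words; a real service would load a
# large breached-password list instead.
DENYLIST = {"password", "123456", "qwerty", "letmein", "welcome"}

# Undo a few common character swaps before comparing against the denylist.
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e"})


def composition_only(pw: str) -> bool:
    """Typical weak rule: 8+ characters with upper case, lower case and a digit."""
    return bool(
        len(pw) >= 8
        and re.search(r"[a-z]", pw)
        and re.search(r"[A-Z]", pw)
        and re.search(r"[0-9]", pw)
    )


def normalise(pw: str) -> str:
    """Lower-case, undo swaps, then drop trailing digits and symbols."""
    return re.sub(r"[^a-z]+$", "", pw.lower().translate(LEET))


def denylist_check(pw: str, min_len: int = 8) -> bool:
    """Accept only if long enough (assumed minimum) and not a dressed-up common password."""
    if len(pw) < min_len:
        return False
    return pw.lower() not in DENYLIST and normalise(pw) not in DENYLIST


if __name__ == "__main__":
    # Constructed probes: the two passwords from Tip 3, a variant, and a passphrase.
    for pw in ["password", "Password1", "P@ssw0rd!", "correct horse battery staple"]:
        print(f"{pw!r:32} composition_only={composition_only(pw)!s:5} "
              f"denylist_check={denylist_check(pw)}")
```

Note that the composition-only rule also turns away the long passphrase, which is the opposite of what you want.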
Tip 4: check for a bug bounty programme
What on earth is that?? Smart product manufacturers who care about your security
encourage hackers and researchers to report security flaws to them, so that
they can be fixed quickly. This is called a ‘bug bounty’ and usually involves the
hacker/researcher being paid some cash as a ‘thank you’. Search online for ‘bug bounty’ and the name of the product
or the manufacturer, e.g. ‘tesla bug bounty’.
If you find one, that’s a good sign that the manufacturer
gives a damn about your security.
Big names in bug bounty programme management include
‘HackerOne’ and ‘Bugcrowd’ among many, so you can click through to their sites
to check.
Tip 5: read the manual before buying
This one is a bit more involved, but checking how the smart
product connects to your phone and your home can tell you a LOT about its
security. Go to the manufacturer’s web site and find the manual. Find
the pages that deal with connecting to the smart thing for the first time.
In the meantime
Stay safe out there. Feel free to drop me questions about
Internet of Things (IoT) security, and do send me tips on smart products you’ve seen
that you are worried about: discprivacy@gmail.com