Blog: Consumer Advice

Advice on buying ‘smart’ gadgets for Christmas

Ken Munro 21 Nov 2018

Christmas isn’t far off, and many of you will be in full present buying mode. In the world of smart-this and connected-that there is more at stake than ever before, and we’re not talking about whether batteries are included or not.

As we’ve been testing the security of smart products for over 5 years now we thought it’s time for some seasonal advice on what you should be looking for when buying smart gifts this year.

Here are my Five Top Tips on buying smart gifts, and what to look for if you’re concerned about the privacy and security of your loved ones- which you jolly well should be.

Tip 1: use Google!

Pop the name of the smart gadget or toy in to a search engine and add the word ‘hack’, ‘security’ or ‘vulnerability’

e.g. My Friend Cayla hack

It’ll take you moments with a smartphone and might save you throwing that ‘thing’ away later over security concerns

See what comes up – if there are discussions about serious security issues, DON’T BUY IT

Tip 2: does it have a microphone, speaker or camera?

If so, your ‘spidey senses’ should be tingling. We’ve looked at loads of products that hackers could use to invade your privacy, groom your kids and worse

Home security cameras that allowed anyone on the internet to see video of your living room or bedroom? Just… wow

What does the manufacturer say about security on their web site? Do they use words like ‘military grade’ or ‘bank grade encryption’ or jargon like ‘AES 256’ or do they say nothing at all about security?

If so, then I think they don’t have a clue. You need to feel reassured about security – I would expect a responsible manufacturer to have a whole page on their web site talking about having their security independently reviewed and the processes they follow to keep your data safe.

Tip 3: download their app

Do it. Before you buy, download their app from the App Store or Play Store to your phone. If you buy it, you’re going to need the app anyway, so you won’t be wasting time.

Click on the ‘create account’ or ‘login’ section. What we want to know is whether they’re playing safe with the password you’re going to create

Create an account – add a temporary or throwaway email address then try to set the password of ‘password’.

See what happens. Was it rejected for being too weak?

If so, try ‘Password1’ and see if that works.

Most times, that will work. If so, the manufacturer is showing that they really don’t care.

It shouldn’t be possible to create poor passwords, as you would expose you and your family to trivial compromise by hackers. There’s further advice on passwords here https://www.pentestpartners.com/security-blog/password-re-use-the-game-is-changing-so-use-a-password-vault/.

Tip 4: check for a bug bounty programme

What on earth is that??

Smart product manufacturers who care about your security encourage hackers and researchers to report security flaws to them, so that they can be fixed quickly.

This is called ‘bug bounty’ and usually involves the hacker/researcher being paid some cash as a ‘thankyou’

Search online for ‘bug bounty’ and the name of the product or the manufacturer e.g. ‘tesla bug bounty’

If you find one, that’s a good sign that the manufacturer gives a damn about your security.

Big names in bug bounty programme management include ‘HackerOne’ and ‘bugcrowd’ among many, so you can click through to their sites to check

Tip 5: read the manual before buying

This one is a bit more involved, but checking how the smart product connects to your phone and your home can tell you a LOT about its security.

Go to the manufacturers web site and find the manual. Find the pages that deal with connecting to the smart thing for the first time

If Wi-Fi: how do you connect your phone to the device for the first time? Does one have to press a button on the ‘thing’ first? If so, that’s a good sign

Or, is the Wi-fi wide open without any passwords, or with the same password for all devices? That’s not good

If Bluetooth: again, do you have to press a button on the smart device to put it in to ‘pairing’ mode or can anyone connect to it at any time? That’s not good if so

Having a button press or similar before anyone can connect for the first time is a good thing. It means that you can decide when someone can connect to your smart thing.

Isn’t there an easier way? A badge or certificate?

Sadly not. Whilst lots of governments and standards bodies around the world are working on this, there’s nothing widespread currently.

Watch out for California State Bill 327 in 2020 that bans insecure smart products.

Also watch out for the EU ENISA Cybersecurity Act and the UK DCMS ‘Secure by Design’ framework too. There will be certification in time, just not yet.

In the meantime

Stay safe out there. Feel free to drop me questions about IoT security and do send me tips on smart products you’ve seen that you are worried about.

@TheKenMunroShow

[email protected]