A British security researcher recently demonstrated how easy it is to turn Amazon’s Echo into a listening snoop. While the potential security threat is applicable only to Echo devices sold prior to 2017, it brings up a very important question you should ask about all your IoT devices: where did my device come from?
Here are several recommendations to follow when you are considering a new IoT device purchase.
Avoid the Used Marketplace
When you purchase on the used marketplace you are placing a lot of trust in the goodwill of the previous owner. A malicious prior owner could install malware that provides an access point to attack other parts of the network, allows access to the owner’s device account, or installs ransomware.
Based on his experience compromising the Echo, the British security researcher believes his work should serve as a warning that Echo devices bought from someone other than Amazon, such as a second-hand seller, could be compromised. Amazon itself reiterates this stance, saying in response to a request for comment from WIRED, “to help ensure the latest safeguards are in place, as a general rule, we recommend customers purchase Amazon devices from Amazon or a trusted retailer and that they keep their software up-to-date.”
Be Wary of Devices in Public Places
Wynn Las Vegas recently announced that they will install Echo devices in the 4,000+ rooms at the property. While this provides added convenience for lighting and temperature control, it introduces potential privacy concerns. After all, you don’t know who has access to the device.
Similarly, you might want to avoid placing your device in a public place where others have access – such as an office.
Identify a Trusted Manufacturer
According to research conducted by Hewlett Packard Enterprise (HPE), 60% of the tested IoT devices raised “security concerns” with their interfaces, including poor session management and weak default credentials. And 80% of devices either required no password or permitted passwords of insufficient complexity, such as “1234.”
Jason Hong, an associate professor of computer science at Carnegie Mellon University who studies the safety of IoT products, says:
“Security is hidden, so it’s really hard to know if a device has good security features. It’s even hard for experts. It takes a lot of time and energy.”
Consider who’s manufacturing the device you are evaluating. Is this a large and reputable firm that has invested in security? Or is this a newcomer? Or a no-name manufacturer? What is their stance on including security features and protecting privacy?
Vet Your Manufacturer
As you’re assessing a purchase, delve into these areas to determine how seriously the device manufacturer takes security:
- Does the manufacturer encrypt data? Non-encrypted data could be intercepted by hackers. Encryption is widely used to protect important data, like your bank data or iPhone contents, but it’s often not employed on devices sold for use in the home.
- Does the manufacturer require you to set a strong password? A very good way to enforce this is for the manufacturer to require it during initial setup: no strong password means no access to device features.
- Does the manufacturer send out updates and patches to fix vulnerabilities? This is a regular practice for vendors such as Microsoft and Apple; it should be a practice of IoT device makers as well.
- Does the manufacturer provide a method to securely wipe the device in case you later part with it?
For additional questions to ask before you buy, check out How to Choose a Safe IoT Device.