My friend Diane received a fitness tracker for Christmas. It's the same model I use. Since the holidays, Diane has emailed me every other day with questions about her new gadget, trying to figure out its nuances.
There was one question she didn't ask, however, and it may have been the most important one: Is it safe to transmit data between the fitness tracker and her smartphone?
For this particular model of fitness tracker, syncing it with a phone or computer isn't necessary unless you want to calculate a lot of extra data. That's one of the primary reasons I use this one instead of another model.
But for many fitness trackers, data transmission to another device is essential if you want to know how many steps you've taken, or how many calories you've burned, because those trackers don't have their own displays.
With that constant flow of data between devices come security and privacy risks. Smartphones often leak personal data — and there's no reason to think wearable devices such as fitness trackers and smartwatches are any different.
IoT Security Risks
My friend was one of millions of Americans who received a holiday gift that could be classified under the general umbrella of the Internet of Things (IoT) — fitness trackers, smartwatches, home security systems and so on. If it is not a computer, smartphone or tablet, but still connects to the Internet, it fits the description. Yet most of us don't think twice about the security risks such devices pose.
Most of us understand that when we log on to our computers to check email or work online, there is always a security risk. You could accidentally open a malicious attachment or come upon a drive-by download due to embedded malware on a favorite website. Smart computer users have taken precautions against these risks by installing antivirus and security software.
What many of us don't realize, however, is that the devices that make up IoT are equally at risk for a security threat.
"As connected consumer devices become more powerful and gain more capabilities, they will become more attractive targets for malicious actors looking to exploit these capabilities," said Rob Sadowski, director of technology solutions at RSA in Bedford, Massachusetts. "For example, we have already seen attacks exploit vulnerabilities in consumer routers for use in DDoS attacks and consumer NAS [network-attached storage] devices for illicit cryptocurrency mining."
Unfortunately, just as the risks involving IoT have never been greater, security on these devices tends to be an afterthought, if it is even considered at all.
"Many vendors in the IoT space seem to have little or no concern regarding the safety and security of their customers," said Craig Young, a security researcher with Tripwire in Alpharetta, Georgia.
The government seems to agree. Just this month, the Federal Trade Commission released a long report urging IoT device makers to "build security into their devices at the outset, rather than as an afterthought" and recommending that Congress pass laws mandating consumer notification of IoT-device security flaws.
Take smart home hubs, for example, which let homeowners automate their electronics and their overall security. Young warned that these hubs tend to come with a lot of risks. For example, one of the top-selling home-automation hubs — Young wouldn't say which one — currently ships with a deprecated version of firmware that contains numerous publicly known vulnerabilities, as well as a handful of new vulnerabilities.
"Despite these serious security problems," Young said, "the vendor has not updated the firmware in this device for over a year, even though they have since developed a somewhat less vulnerable firmware. Even worse, the vendor has stated they have no intention of encouraging their users to upgrade."
How to Be Smart About Your Smart Devices
Any homeowner who receives a smart home hub as a gift, or buys one outright, should take every possible security precaution with the device. He or she should change the default password, check for secure configurations, make sure that the home Wi-Fi system is securely protected and, last but not least, check the device manufacturer's website to see whether patches or firmware updates are available.
Many of the wearable devices received this holiday season require a Bluetooth connection in order to sync the data with a smartphone, but you might want to reconsider leaving that connection open.
"For Bluetooth-enabled devices, it's best to turn off Bluetooth when it's not being used," said Michael Kaiser, executive director with the Washington-based National Cyber Security Alliance. "It can save your battery a bit, too. This will not allow other Bluetooth devices to pair with your system or access your device."
Of course, there would be no Internet of Things without the Internet. Owners of IoT gadgets need to follow the same basic security protocols they would use on their computers.
"All consumers should take the time to look at the available security features for their device and enable them immediately," said Chris Czub, security research engineer at Duo Security in Ann Arbor, Michigan. "Things such as passcode lockout or fingerprint-controlled access, while not perfect, are important for controlling who has access to your device."
Czub recommended that home routers have strong, unique access passwords and use the WPA2 security protocol. If your router still uses the older WEP protocol, with your dog's name for the password, then you're putting your home network at risk.
Individual devices should have access passwords as well, he added. You don't want a teenager halfway around the world to hijack the Webcam trained on your baby's crib. If there's no obvious password to a device, ask its manufacturer whether one can be enabled.
Finally, owners of smart devices should keep checking for patches and updates on the manufacturers' websites, Czub said. Many IoT vendors haven't nailed down processes for automatically delivering trusted patches. Some devices may not even be capable of being patched, or may require manual installation of patches. Regardless, keeping all devices (including smartphones, computers and routers) up-to-date is one of the easiest ways to prevent vulnerabilities from affecting you.
The bottom line is that consumers need to think of, and treat, IoT devices as they would any other computing devices on their networks. If it can connect to the Internet, it can be hacked or compromised. Just like your computer, your new device — even that fitness tracker — needs to be handled with good security practices from the moment you first turn it on.