Security and privacy checklist for smart devices: 50 million to be sold over holidays

When shopping for a smart device, are you most influenced by the device’s capabilities, by its coolness factor, or by holiday sales that dropped the price? Do you first review the company’s policies, terms and conditions, the potentially excessive permissions a mobile app will require to control the connected device, or with whom the manufacturer will share or sell your collected data? If you receive a smart gadget as a gift, do you think the giver was wise enough to consider the small print before purchasing, to think of security and privacy before buying the smart device?

The non-profit Online Trust Alliance (OTA) estimates that over 50 million smart gadgets will be sold and given as gifts during this holiday season, so the organization released its first “Smart Device Purchase and Set-Up Checklist” (pdf).

“That’s 50 million opportunities for data and home network compromises as well as privacy abuses, which is why it’s imperative that consumers follow our guidelines,” said Craig Spiezle, Executive Director and President of OTA. “Consumers should not have to pay twice—once with their credit card and then again in perpetuity with their personal data, identity and safety.”

Even if you don’t buy a smart gadget, you might receive one as a gift and end up loving it, like Madelon Smith wrote about on an OTA blog.

I love my fitness tracker. Not only does it affirm me (I met my today’s goal!), it also supports my inner narrative (of course I’m cranky – I slept badly last night… be nice to me). Last holiday season it was the gift I didn’t even know I wanted until I got it. This year, we’re both older and wiser. Trust in our relationship has shifted from blind innocence to practical, mature action. I’ve come to realize more and more about how my device gathers, transmits and stores reams of personal data on me and my habits. Empowered with this knowledge, I see the importance of checking and deliberately choosing the various security and privacy settings and agreements my device includes.

Fitness trackers are just one type of the 50 million connected devices that will be given as gifts this holiday season. Others might include “slow-cookers you can adjust from your office so dinner is perfectly hot when you get home and televisions that remember exactly where you are in which episode for each series you’re binge-watching, no matter the source. Lightbulbs tied to your mood, speakers that recognize when you walk into a room to keep your personal music following you throughout the house.” Smith pointed out, “These connected or ‘smart’ devices seem helpful, supportive and eager to make life nicer. But with them comes an explosion of privacy and security concerns – particularly when gift givers and recipients have those first-love stars in their eyes.”

If you don’t keep up with hacking or security news about smart devices, then you should know that smart TVs are spying on users, wireless IP cams and baby monitors can easily be hijacked, and millions of security cameras are secured by nothing more than default passwords, which means thousands of owners have unwittingly opened digital windows for voyeurs to peep through and watch them in the privacy of their homes. Those aren’t even enough security and privacy examples to qualify as the proverbial drop in a bucket. And then there’s all the data created by Internet of Things devices that gets collected, stored, shared and sold to third parties.

“While people are aware that they need to have security on their connected devices, they don’t always take the necessary steps to protect themselves,” said Brian Witten, Senior Director of IoT at Symantec. “Until device manufacturers build security into their products, the responsibility relies with the consumer. That’s why OTA is driving awareness of this issue with easy-to-follow guidelines for consumers. By following OTA’s checklist, more people will be able to make smarter security decisions about their connected devices and better protect themselves.”

A few of the security recommendations on the Smart Device Purchase and Set-Up Checklist (pdf) include placing the device behind a firewall, disabling remote access to smart devices when it is not being used, and using a wired connection or a guest network to isolate the device from other networks. Below are a few other examples of OTA’s smart device security wisdom:

• Before purchase, confirm your ability to return the device for a refund if upon set up you find the security and/or privacy practices do not meet your personal requirements. If you cannot opt out of sharing data with third parties or are not provided the option of opting in, consider alternative products.
• Before purchase, review the device’s warranty and support policies and verify that security and software patches are provided for the life of the product, beyond that of the warranty offered by the manufacturer.
• Use a unique user name and password which does not identify your family or the brand/model of the device and change them frequently. This can reduce the threat of your device being maliciously targeted by hackers.
• Document all of the smart devices and applications you use. List the company URL, passwords, contact email and phone numbers. Password protect the document or use a password “vault” mobile application.

But since a smart device is connected to the Internet, you also need to consider how the gadget could impact or abuse your privacy. Privacy-related advice on the smart device checklist (pdf) includes disabling microphone and camera when it’s not being used – or at least covering the camera, resetting the device to the factory settings before selling your device, and:

Review the privacy practices of connected devices you own or are considering buying, including data collection and sharing policies with third parties. Reset permissions to reflect your preferences (for example – data collection and sharing, camera and microphone settings and other functions). If your settings cannot be modified, consider the “reset to factory settings” option to force a clean setup.

“The best deals or coolest features aren’t the only things to look for when buying connected devices,” said Susan Grant, Director of Consumer Protection and Privacy at the Consumer Federation of America. “It’s also important to consider privacy and security, and this checklist will help consumers make well-informed decisions in choosing and using these devices.”

OTA also has other smart device resources, such as a smart home checklist (pdf).