SecureMac, Inc.

Checklist 210: Shopping for Internet of Things Things

December 10, 2020

With time ticking down, you may be ordering IoT things for holiday gifts. Be sure what you’re buying is safe! We’ve got a Checklist for that. Plus – 33 vulnerabilities pose a threat to “millions” of IoT devices.

This week on the Checklist, we have some tips and updates to help folks who are shopping for an Internet of Things (IoT) gift. 

An IoT buyer’s checklist

IoT devices make cool gifts. But the IoT is insecure. So what’s the answer? Only buy non-networked presents? Roll the dice and hope Mom’s new app-controlled coffee maker doesn’t get hacked? 

Luckily, there’s a middle ground. You can buy reasonably secure IoT devices … as long as you know what to shop for. Here are 7 essential tips to help you find the safest smart things on the market:

  1. Don’t go off-brand

    We hate to say it, but a lot of IoT security issues just boil down to shoddy development. Only buy from well-established manufacturers with a reputation for high-quality, secure products. Imitations may look the same on the outside, but the security implementation “under the hood” is likely to be a completely different story.

  2. Think long-term

    IoT devices require security patches from time to time, so take a moment to determine whether or not an item is likely to get this kind of support. If a device is being sold on clearance, there’s a good chance that at some point in the not-too-distant future it will stop receiving updates — at which point your gift will become a security liability…or simply stop working!

  3. Buy tech from tech companies

    IoT devices are trendy, and tons of companies are now making “smart” versions of their most popular products. However, the majority of these companies aren’t technology companies, and may lack the technical expertise to handle the challenges of secure IoT engineering. Apple, Google, and Samsung employ armies of security experts and software engineers, and have a good chance of being able to do IoT right. The company that makes espresso machines? Less of a sure thing!

  4. Read the reviews…

    You should read what other people are saying about any product you’re considering, but this is especially important when it comes to an IoT device. For one thing, you’ll get a heads-up on any performance or usability issues that might make it a less-than-ideal gift. But more importantly, if users are complaining about things like infrequent updates, buggy apps, and other technical problems, this points to support and development issues: a definite warning sign when it comes to IoT.

  5. …and the manual

    Don’t worry, we’re not saying you have to read the whole thing! Just take a moment to check out the manufacturer’s website and look up the user guide or knowledge base articles for the item you’re considering. Skim it to see if the most basic IoT security and maintenance stuff is all there: the ability to change default usernames and passwords, enable automatic updates, and so on. If that info is conspicuously absent, or if you spot a red flag (like no automatic updates or hardcoded credentials that can’t be changed!), you may want to look for an alternative product.

  6. Skip the toys

    IoT gifts for kids are generally not advisable. There have simply been too many cases of smart toys with serious vulnerabilities … and let’s face it, the company making those IoT teddy bears probably isn’t investing heavily in cybersecurity. If you’re looking for a tech-based gift for a youngster, consider some kind of educational STEAM (Science, Technology, Engineering, Art, and Math) item. High-quality learning apps, iPad-compatible Osmo kits, and Raspberry Pi kits are all good options.

  7. Keep the receipt

    Of course we hope that people will like the gifts we buy them, but nobody gets it right every time — and if you’re giving an IoT gift, your loved one can’t just shove it in a drawer like an ugly sweater! Always try to give the recipient of an IoT gift an “out” in case they don’t like it, or in case they don’t feel comfortable taking on the potential security risks that come with a networked device. Keep that gift slip so that they can return or exchange it for something else if that’s what they choose to do.

IoT security woes

You know how to buy safer IoT gifts. But really … is the Internet of Things actually as vulnerable as everyone says it is?

You be the judge.

The Cybersecurity and Infrastructure Security Agency (CISA) has just issued a bulletin warning consumers about the discovery of 33 vulnerabilities that affect millions of IoT devices around the world.

The security flaws were uncovered by researchers at the cybersecurity firm Forescout, who are calling this group of vulnerabilities “AMNESIA:33”. AMNESIA:33 threatens a wide range of IoT devices: everything from home smart gadgets like security cameras and thermostats to industrial control components and medical devices. 

According to the researchers, the vulnerabilities comprise memory corruption bugs — bugs serious enough that attackers could use them to “compromise devices, execute malicious code, steal sensitive information, and perform denial-of-service attacks.”

You may be wondering why AMNESIA:33 seems to affect so many kinds of devices. The answer is that the vulnerabilities aren’t specific to any one manufacturer: they’re found in the open-source software protocols used by over 150 different IoT vendors. In other words, the digital “components” used to build all sorts of smart things are, themselves, vulnerable — and thus by extension, any devices that include the flawed software are vulnerable as well. According to CISA, there aren’t any active exploits for these vulnerabilities at the moment, so that’s one encouraging bit of news in this otherwise worrying story.

In terms of fixing the issue, it’s mostly going to fall to individual IoT vendors to issue patches for affected devices. But is there anything that you can do? Yes, definitely: If you have IoT devices in your house, take a moment to check the manufacturer’s website for updates and patches, and be sure to install them as soon as possible.

If you happen to be a HomeKit user, there’s some additional good news: Apple’s native protocols weren’t affected by AMNESIA:33 at all. However, some HomeKit compatible devices themselves use non-Apple software, so you should still check for and run updates to be on the safe side.

Do you have a question that you’d like to hear answered on the Checklist? Write to us and let us know! If you’re looking for more secure shopping tips, have a listen to Checklist 208, which has a great overview of best practices for safe holiday shopping in 2020. You may also want to read about the threat posed by e-skimmers, or learn how to spot (and avoid) scam Facebook ads.
