SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Safely Shopping for Technology This Holiday Season

Posted on November 23, 2017

The holiday shopping season has arrived again — and with this episode, we’re turning our attention to some security issues specific to this time of year. With Christmas coming up, you might be looking at all kinds of electronic gadgets for your friends and family. From tech-based toys to Internet of Things products, retailers have more web-connected devices available for us every year.

While it’s certainly a fun time of year, opening some of these gifts during the holidays could also mean opening up your loved ones to a whole new world of security vulnerabilities. You will want to know about these risks beforehand — no one wants to find out something bad about a gift after the fact. You may be put in the position of having to return a gift, or choosing to live with the risks. Neither is a very appealing option.

That’s why we’re here to break down the issues and give you some helpful pointers for this holiday season. We’re not hitting specific products today — instead, we’ll clue you in to what you should keep in mind when you’re shopping online or joining the crowds at the mall. Today’s topics include:

  • Safe holiday shopping for the kids
  • Connecting your living room — important info on Smart TVs and more
  • Apple’s HomeKit — is compliance enough?
  • Creating a smart approach to your entire shopping experience

Safe holiday shopping for the kids

The toy store is the first place we want to head to with today’s show. While we’ve had tech toys for many years now, there are still some lingering assumptions out there that we need to dispel. There’s often the sense that because a toy store — a place geared for children — puts a product on its shelves, someone has vetted and approved that product. We like to assume that manufacturers are always on the lookout for our children, and thus we also assume that what we can buy in the store will generally be safe to use. That’s not always the case.

The so-called “smart” devices we’ve talked about plenty on this show aren’t limited to household appliances like Amazon Echo, web-connected fridges, lightbulbs, and so on. There are tons of Internet-enabled toys out there for kids, too. Just as we see a lack of real concern for hardening against hacks and general security with many Internet of Things devices, the same is true for these products.

Just because they’re toys for kids doesn’t mean the manufacturers are automatically going to put more work into the security side of things. Back in Episode 42 of The Checklist, we discussed some of these issues in greater depth. One of the products that we covered was a web-connected Barbie doll that could be hacked and turned into a very basic spycam. Other toys left audio recordings made by children and parents openly accessible on the web for savvy users.

Problems like these, coupled with a general lack of regard for security, even led to the FBI publishing a statement back in July warning parents to beware of Internet-connected children’s toys. This document pointed out the specific risks inherent in some of the sensors used in these products, such as microphones and GPS units. It’s safe to say that you might often be better off taking a pass on these toys in favor of something that doesn’t demand an Internet connection.

What steps can you take to know whether such a toy is safe? It’s difficult to know just what steps a company takes during development, or even if they had a team dedicated to building security into the toy. That means there’s always some risk present in these purchases. However, you can help yourself by reading the company’s privacy policy and considering how they handle the data, if you can find that information. Do your homework and consider carefully before you choose to purchase one of these toys.

Of course, kids don’t play with their toys forever, and today, it’s more and more common for our children to have tablets or even smartphones of their own. Maybe you’re thinking about picking one of these devices up for your children this season. The good news, of course, is that you can trust the device itself to be secure in most general ways, especially if that device is an iPhone. You don’t want to just hand the phone to your kid and turn them loose on it, though — take the appropriate steps to make sure it’s a safe experience.

Apple has implemented plenty of parental controls in the form of restrictions, which you can set up and control with a private passcode that only you can use on your child’s device. You can use these restrictions to help provide a safer Internet browsing experience while also protecting your child’s personal information. Do you want to make sure they don’t go on a spending spree on the App Store? You can disable access to iTunes and the App Store altogether, or you can disable In-App Purchases specifically. Apple’s goal has been to give parents control over their child’s device for peace of mind.

We’ve touched on this topic before as well. We covered everything you need to know about child-proofing iOS devices in Episode 24, and we hit child-proofing a Mac the next week in Episode 25. If you want to know more specific details about how to make these digital environments safer for kids in time for the holidays, be sure to head back into our archives and give them a quick listen. With the risks that are still inherent in IoT-based toys, maybe it’s a better time to turn your attention back to a classic Lego set — anything that doesn’t require your Wi-Fi password!

Security in the Living Room: Smart TVs and Other Devices

Let’s shift our attention from the kids’ room to the living room, where the whole family gathers together. The TV set has come a long way from the way it was even ten years ago, to say nothing of the “big screen TVs” we had back in the 1990s that weighed hundreds of pounds. Today, it’s not just about the size of the screen, though larger TVs remain popular. It’s all about 4k resolution, highly dynamic colors, and of course — “smart” features. Smart TVs have been around for some time now, with early models gaining some widespread adoption in the mid-2000s. What makes these TVs different?

The answer is “not much” — a Smart TV is essentially just a regular television that can also connect to the Internet. Early Smart TVs touted their ability to let you browse the Internet from your couch. Today, that connectivity is more often used to power software apps built directly into the TV’s firmware. These apps let you fire up YouTube, Hulu, Netflix, and many other streaming services directly on your TV. The web browser is still around, but it’s far from the main attraction. For families who want to enjoy content on their favorite streaming services, or for cord-cutters escaping their cable company, these sets can look like an attractive and sensible purchase.

They aren’t the only option or the only way technology has changed our media consumption, though. Another solid option if you want to stream your video content is a set-top unit like the very popular Roku, or the Apple TV. These dedicated devices were purpose-built just for streaming music and video from your favorite services, and they partner with many providers to integrate seamlessly into their systems.

Let’s connect all this to the topic at hand for today’s episode. What are the security concerns that go along with these products? We’d like to say there aren’t many at all, but that’s not the case — especially and particularly in the case of Smart TVs. Overall, even high-end Smart TVs have a poor track record when it comes to privacy, security, and even their reliability as a product. Instead of rushing out the door to nab Black Friday deals on the latest unit, hit the brakes and think about the real issues these items face.

Researchers and others have demonstrated that several major Smart TVs are wide open to attack and exploitation — which is especially unsettling when you consider that some of these TVs come with built-in cameras and microphones. In fact, the CIA deployed a hack that affected a specific group of Samsung TVs from 2013. This exploit put the TV in a “fake sleep,” where the TV appeared off but actually remained powered on, able to collect information or serve as another attack vector. Another potential hack demonstrated earlier this year used a “rogue” TV signal with data embedded into it to take control of several Smart TVs. The security risks there are real.

Their digital nature can make them troublesome to use, too. In August 2017, Samsung rolled out an automatic software update to their Smart TV customers in the United Kingdom. We know updates are meant to be good, but this one wasn’t — the update was full of glitches that caused the TVs to stop functioning altogether. With tons of unhappy customers, it still took Samsung more than a week to deploy a fix that restored functionality. In the meantime, none of those users could watch their TV!

Smart TVs have some other drawbacks, too — they become obsolete very quickly, especially compared to devices like the Apple TV and Roku. Netflix, Hulu, and other streaming providers must all provide apps specific to each Smart TV model for them to function correctly. Naturally, this requires a large chunk of development time and resources.

As a result, providers often only support the most recent Smart TVs with updates and the latest features. Netflix publishes its own list of recommended Smart TVs so users can tell which units will receive support; meanwhile, they phase out previous models and end support over time. As a user, you lose access to the latest and greatest streaming features while also remaining vulnerable to future security problems.

When it comes to the set-top devices, though, the score is completely different. Roku, Chromecast, and other manufacturers make security a priority on their devices as a selling point. These all receive regular updates to not only add features but also to patch bugs and vulnerabilities. Apple TV is the same. Powered by tvOS, its software has a lot of features in common with iOS — including its hardened security. tvOS receives regular updates and patches to fix security loopholes, just like other Apple products.

It’s also very easy for app developers to port their iOS apps over to tvOS, so you know access will always be available. Apple’s market share through iOS provides a peace of mind that your Apple TV and other devices will have a very long support life. These units have another advantage over Smart TVs to consider: they’re much cheaper, even compared to a brand new “dumb” TV. If a security problem arises with one of your set-top devices that the vendor can’t or won’t fix, replacing it with a new, similar device will be simple. We can’t say the same would be true for replacing a $3000 4k Smart TV suffering from a massive security hole.

Does HomeKit compliance guarantee security?

The problems in many Smart TVs and the children’s toys that hit the market with glaring security flaws are just more evidence that for right now, we’re still in the Wild West of the Internet of Things. There’s no central authority out there to ensure compliance with good security practices, so there’s no “sheriff” in town to lay down the law and stop bad products from hitting the market. Until we see legislation or regulation aimed at driving more of these companies onto the right path, we can probably expect the issues with some IoT devices to continue.

Ultimately, these products are only as secure as their vendors make them — and that requires that the vendors spend time thinking about security in the first place. With so many products churned out to hit the shelves as fast as possible, it’s easy to almost skip security, with the idea of “we’ll address it later.” That’s why we end up with millions of flawed devices in operation, and it’s why we end up with these devices enslaved by things like the Mirai botnet. It’s just a short hop, skip, and jump from a flawed device to a DDoS attack on huge chunks of the Internet.

For Apple’s part, though, they’ve decided to take the initiative. Instead of leaving things to chance, they’ve stepped up to the plate to act as a sheriff on their own. They’ve done this through the creation of the HomeKit Accessory Protocol, a compliance program that they require IoT devices to adhere to if they want affiliation with Apple products and systems. With the vast number of consumers Apple can reach, and with IoT controls built into the Mac and the iPhone, it’s to a manufacturer’s advantage to receive a HomeKit certification.

Up until recently, that certification required the vendor to use a special chip inside their product — the Apple Authentication Coprocessor. This chip was a logic unit designed to handle special security functions, providing a built-in level of control and security that made these devices much safer than your standard IoT product. To help open the market further, reduce costs, and encourage the spread of safer devices, Apple is now transitioning to software authentication rather than a strict hardware requirement. This transition will allow Apple to review the code in question and determine if it meets their standards.

Apple additionally mandates that the vendor obtain certification from either the Wi-Fi Alliance or the Bluetooth SIG — and sometimes both. It all depends on what standard the device uses for communication. This ensures that the device’s wireless transmissions feature the proper security layers to keep the bad guys from messing with your data. Together, these requirements mean that every HomeKit accessory meets a certain strict set of security criteria. The result is better safety and privacy for end users like you — and that makes them a smart buy if you’re purchasing smart home or other connected products this season.

It would be naive to assume that any digital platform features total, unbreakable security, and that includes HomeKit. However, Apple’s exacting standards in this arena are no secret — for a long while, there weren’t many HomeKit-approved devices at all, but Apple refused to budge on their standards. While this does mean there are fewer HomeKit-certified devices than competing products, Apple’s change in allowing software authentication is helping turn the tide. Reviewers across the entire industry continue to talk about HomeKit devices as being superior choices when you consider safety, privacy, and security. So as you are standing in the store, or browsing online, this holiday season, looking for Smart Home devices, the addition of the HomeKit certification sticker may be a factor that you need to consider for yourself and your family!

General tips for safe holiday shopping

Okay, so we’ve discussed some specific concerns that you should keep in mind when shopping for toys and TVs, and we’ve looked at why HomeKit offers a strong alternative to many products. To round out our discussion for today’s episode, let’s pull back and take a broader look at other tips you should keep in mind while shopping this year. It’s important to be smart about your shopping and to make your considerations carefully. After all, even the safest car can still get in an accident — it’s how it holds up during that accident that makes a difference. Here are the general rules of thumb you should use.

First and foremost, stick to trusted and well-known vendors when you’re buying new gadgets. If you pick up a package, look at the brand, and your first thought is “Who?” it’s not necessarily a good sign. While it could be something created by an up-and-coming new company, or maybe it’s an industry you’re just not familiar with, it could just as easily be some fly-by-night manufacturer who doesn’t care about anything but their bottom line. Well-known brand names, on the other hand, are generally trustworthy enough when it comes to these products. You can also expect these products to receive somewhat regular security updates — usually, at least. With a “nobody” type of company, you’ll be lucky to see even a single patch for the product.

Keep your eyes peeled for shady operators that pump out products with names that sound similar to other well-known products. They do this to confuse consumers like you — not only are these products of lower quality, there’s no way they feature the security they need to keep your information safe. If a company is trying to trick you into associating their product with something else of real quality, it’s a giant red flag that they don’t deserve your business.

Meanwhile, we all want to save some money during the holidays, so it can be tempting to reach into the clearance bin or root around online for cheaper IoT devices. As inviting an idea as that is, stay away from discontinued devices whenever possible. While buying the latest product versions is never an absolute guarantee that you’ll get access to the most recent firmware and security patches, it’s more likely than when you buy an item several versions out of date already. Comparison shop to help find the version you want.

Overall, your goal should be to minimize your “attack surface” however possible. What does that mean? Your attack surface is the total number of potential vulnerabilities a hacker could exploit to gain access to your data. The more devices you attach to your network, the more potential points of weakness you introduce. As you add more and more IoT devices to that network, you increase the number of ways the bad guys can target and potentially exploit your network. When you’re trying to decide whether you really need that Smart TV or that Internet-enabled light bulb, try to keep the concept of your “attack surface” in mind. Opening too many windows into your network means there’s little point in locking the door.

That concept can apply to safe online shopping, too. Before you start shopping, make sure your security software is up to date and that you’ve applied the latest malware definitions. Do a scan before you start, too. A keylogger that’s capturing all your credit card information is a one-way ticket to a ruined holiday season. Also, consider sticking to well-known shopping websites. Much like with devices, shopping on a fly-by-night website could prove disastrous in the long run!

Speaking of credit cards, stick to just one card for all your online purchases to limit your exposure. Don’t use a debit card when you shop online if you can avoid the need. You often have limited liability thanks to your credit card company when someone steals your card and uses it, but your bank may not be as forgiving with unauthorized debit card purchases – plus you’re out that cash until the dispute is resolved! Want to check out some more in-depth info on how to safely shop online? Head back to check out Episode 12 of The Checklist for an excellent discussion on the subject.

Enjoy the holidays but keep the risks in mind

That’s a lot of information to digest, but we live in a world where every year sees new and varied security risks appearing. When you know what to watch out for and how to stay smart while you’re shopping this year, avoiding the pitfalls doesn’t have to be a difficult job. Whether you take a closer look at set-top devices instead of the latest Smart TV or you choose a more traditional toy over a web-connected device, there are still tons of ways to make sure your holidays are full of smiles.

That’s all for Episode 64 of The Checklist. As always, we welcome your questions, comments, and even ideas for topics you’d like to see us hit — just send us an email at Checklist@SecureMac.com. Want to check out the show notes for some of the past episodes we mentioned today? Check out the Checklist archive.