The New Oil

The New Oil logo
Cybersecurity: The Internet of Things

The Internet of Things

If you’re reading this, you may have some kind of smart device in your possession. Maybe it’s a smart TV or an Alexa or a Nest Thermostat. Once upon a time, I would’ve said that you should simply avoid these devices, however I think that we’re moving into an age where that advice is antiquated. It’s becoming harder and harder to escape the “Internet of Things,” so this section will provide some overall advice on basic privacy and security for IoT devices.

Avoidance

Having said that, I still encourage everyone to pass on these devices if you can. None of us really needs any of the modern “creature comforts” to survive, so I’m not going to be the curmudgeonly old man decrying kids these days and their newfangled gadgets, but it is important that we realize that each one of these devices we bring into our lives puts our privacy and security at risk. The smart TV you purchase not only reports invasive network information, but these devices also offer attackers a way into your home with their microphones and cameras. Believe it or not, an attacker could even use a light bulb to access all the other devices on the network.

Is it worth the risk? Do you really need to know the second a package arrives at your doorstep? (I argue that you should be using a PO Box anyways). Do you really need a fridge that tells you the milk has gone bad? These answers vary from person to person. I can live just fine without TV, so a smart TV is definitely something I don’t need. Someone else may be a film buff and may find a lot of value in a high-quality TV that can stream from dozens of services easily. There are no wrong answers here, but I do encourage you to first ask yourself if the value a smart device brings you is worth the privacy invasion and security risk that comes with it.

If You Must

If you decide that a smart device is for you there’s several key pieces of conventional wisdom that will help to dramatically increase your privacy and security while using said devices.

  • Make sure to change all default passwords and login information. Most devices come with a default username and password that can be discovered for free online by looking up the manual. Criminals can use this information to access the administrator privileges of those devices and abuse the device or access the rest of your network.
  • Go through every setting on your device and make sure that you have disabled all settings that share data and analytics.
  • Make sure to do your research and buy devices that get updated by the manufacturer regularly. Set your devices are to auto-update if the option exists. If there is no auto-update option, set a reminder to periodically check for updates and install them when they become available.
  • Buy a router that supports “VLANs,” which are virtual segmented networks. Putting two devices on separate VLANs makes the devices act and think as if they are in completely separate networks. If one gets compromised the other is safe. Ideally you’ll want to have all your IoT devices on one VLAN, then all your network devices (phones, laptops, etc) on another. IoT devices requiring network connectivity (such as smart TVs) can still be given network access.
  • Make sure to couple all this advice with other advice on this site, such using a forwarding email to set up your accounts and using strong passwords.

I strongly recommend using Mozilla’s “*Privacy Not Included” as a starting point to research various popular IoT devices and offerings. I personally disagree with some of their conclusions but it will at least provide a starting point for some products to outright ignore and offer alternatives to research.

Vehicles

Modern vehicles are a privacy nightmare. They collect far more data than necessary, most of them sell it, few give owners any real choice over this, and none of them are transparent about how the data is secured. There is very little owners can do about this. One common suggestion is to buy older cars that don’t come with “infotainment” centers or other modern luxuries. This may be a good solution for people who are mechanically inclined, but for the rest of us it’s already hard to source even simple, inexpensive parts for such older cars (such as headlight bulbs) and it will only get harder and more expensive as time goes on. In some cases you may be able to get the modem removed by the dealership or through a skilled mechanic, but your success with this may vary (and of course you will lose some online features as a result). At this time, the best solution available to the average person is to submit opt-out requests to your vehicle’s manufacturer and hope that they respect it. The two best resources I currently know of for this are Privacy4Cars and Vehicle Privacy Report. If you have the time, I would also write your politicians about this situation and demand better privacy laws that will force companies to be transparent and offer simple, meaningful data controls.