The New Oil

The New Oil logo
Guides About Links Support
Cybersecurity: The Internet of Things

The Internet of Things

If you’re reading this, you may have some kind of smart device in your possession. Maybe it’s a smart TV, thermostat, doorbell, or speaker. Once upon a time, I would’ve said that you should simply avoid these devices. However I think that we’re moving into an age where that advice is antiquated. It’s becoming harder and harder to escape the “Internet of Things,” so this section will provide some overall advice on basic privacy and security for IoT devices.

Avoidance

Having said that, I still encourage everyone to pass on these devices if you can. None of us really needs any of the modern “creature comforts” to survive, and that includes things like HVAC, cars, sodas, and video games - all things I happily make generous use of. Therefore I’m not going to be the hypocritical curmudgeonly old man decrying kids these days and their newfangled gadgets. Still, it is important that we realize that each one of these devices we bring into our lives puts our privacy and security at risk. The smart TV you purchase not only reports invasive network information, but these devices also offer attackers a way into your home with their microphones and cameras. Believe it or not, an attacker could even use a light bulb to access all the other devices on the network.

Old Man Yells At Cloud meme

Is it worth the risk? Do you really need to know the second a package arrives at your doorstep? (I argue that you should be using a PO Box anyways). Do you really need a fridge that tells you the milk has gone bad? These answers vary from person to person. I can live just fine without TV, so a smart TV is definitely something I don’t need. Someone else may be a film buff and may find a lot of value in a high-quality TV that can stream from dozens of services easily. There are no wrong answers here, but I do encourage you to first ask yourself if the value a smart device brings you is worth the privacy invasion and security risk that comes with it.

If You Must

If you decide that a smart device is for you there’s several key pieces of conventional wisdom that will help to dramatically increase your privacy and security while using said devices.

  • Make sure to change all default passwords and login information. Most devices come with a default username and password that can be discovered for free online by looking up the manual. Criminals can use this information to access the administrator privileges of those devices and abuse the device or access the rest of your network. (This is especially true of routers.)
  • Go through every setting on your device and make sure that you have disabled all settings that share data and analytics. (On TVs in particular, beware “Automatic Content Recognition.”)
  • Make sure to do your research and buy devices that get updated by the manufacturer regularly. Set your devices are to auto-update if the option exists. If there is no auto-update option, set a reminder to periodically check for updates and install them when they become available.
  • Buy a router that supports “VLANs,” which are virtual segmented networks. Putting two devices on separate VLANs makes the devices act and think as if they are in completely separate networks. If one gets compromised, the other is safe. Ideally you’ll want to have all your IoT devices on one VLAN, then all your main devices (phones, laptops, etc) on another. IoT devices requiring network connectivity (such as smart TVs) can still be given network access.
  • Make sure to couple all this advice with other advice on this site, such using an alias email to set up your accounts and using strong passwords.

I strongly recommend using Mozilla’s “*Privacy Not Included” as a starting point to research various popular IoT devices and offerings. I personally disagree with some of their conclusions but it will at least provide a starting point for some products to outright ignore and offer alternatives to research.

Vehicles

Modern vehicles are a privacy nightmare. They collect far more data than necessary, then sell it to a variety of buyers (including insurance companies), and none of them are transparent about these practices. To make matters worse, there is very little owners can do to control this data or its sale.

One common suggestion is to buy older cars that don’t come with modems or connectivity. This may be a good solution for people who are mechanically inclined, but for the rest of us it’s already getting hard to source even simple, inexpensive parts for such older cars and it will only get harder and more expensive as time goes on.

In some cases you may be able to get the modem removed by the dealership or through a skilled mechanic, but your success with this may vary. Doing so may also void warranties or have other knock-on effects.

At this time, the best solution available to the average person is to submit opt-out requests to your vehicle’s manufacturer and hope that they respect it. The two best resources I currently know of for this are Privacy4Cars and Vehicle Privacy Report. If you have the time, I would also write your politicians about this situation and demand better privacy laws that will force companies to be transparent and offer simple, meaningful data controls.

Previous
Next