Modern field guide to security and privacy

Want to buy a 'smart' hair brush? Read this first

Cybersecurity experts say many of the internet-connected products increasingly turning up on store shelves are insecure, giving malicious hackers new ways of attacking consumers – and the entire internet.

John Locher/AP
Hair Coach smart hairbrushes were on display at the Withings booth during CES Unveiled before CES International in January in Las Vegas. The brush uses sensors to track hair damage and will, via a smartphone app, offer recommendations and advice on hair care.

Your new fridge might include a virtual assistant that tells you it's time to buy milk. Maybe you could adjust your next mattress with an iPhone. That replacement hairbrush may even offer hair care advice.

Everyday objects are getting smarter. Whether for the sake of convenience or for the wow factor, gadgets and appliances that connect to the internet and smartphone apps will soon fill big box retailers and neighborhood convenience stores alike. If you feel like you need a $160 toothbrush that connects to a smartphone app to critique your brushing habits, that's a real thing you can buy.

But before you rush out to snag a pair of internet-connected jeans, or anything else, you might want to heed the advice of pretty much the entire cybersecurity community when it comes to the so-called Internet of Things (IoT).

“A lot of these devices – well, actually, most of these devices – are inherently insecure,” says Liviu Arsene, a senior e-threat analyst at the cybersecurity firm Bitdefender.

“An attacker, a bad guy, or a hacker can use the vulnerability within that IoT device, whether it’s a smart fridge or smart toaster, and gain control of your entire network,” Mr. Arsene says, including laptops or mobile devices. “Anything from your online shopping activities, your credit card information, or your locally stored family photos can be potentially exposed or breached.”

Indeed, security researchers have discovered many flaws in IoT devices. For instance, they've uncovered security vulnerabilities in Sony’s internet-connected cameras and Wi-Fi enabled dolls that let digital stalkers spy on users. And at pretty much every cybersecurity conference these days, hackers make breaking into IoT products a spectator sport.

Not all of these vulnerabilities can be exploited right away — it takes time for hackers to focus their attention on a new IoT device. But experts say these problems can be hard to resolve after they’re discovered, especially since many people may not update software in their home security camera or connected mattress, assuming manufacturers even release patches.

These insecure products aren't just problems for consumers, either. A distributed denial of service, or DDoS, attack that leveraged an estimated 100,000 flawed connected devices hit the internet infrastructure firm Dyn in October, taking down Twitter, Spotify, and many other popular sites.

Malware called Mirai, designed to take control of IoT devices, made the botnet that attacked Dyn possible. Compromising those devices is often trivial — many use insecure connections, fail to encrypt communications, and ship with default login credentials like “username” and “password.”

Because of the lack of strong security measures, malicious hackers are increasingly attempting to take advantage of connected things. “Across our own network we’ve seen an increase in IoT vulnerability scans by over 3,000 percent over the last three years,” says Katie Curtin, AT&T’s lead product marketing manager for IoT cybersecurity solutions.

So how can the risk of using connected devices and the desire to join the IoT revolution be resolved? “That’s the golden question,” Ms. Curtin says. “I’d say first and foremost being aware of security in general is the first step.”

Consumers should educate themselves about the problems with IoT devices and learn how to mitigate them, says Curtin. Businesses also have to do the same thing, she says, while also finding ways to secure the networks and other infrastructure on which the IoT relies.

Arsene and Curtin say there are some things IoT enthusiasts can do to safeguard their smart products.

They recommend keeping connected products on a different Wi-Fi network than the one used by computers, phones, and other devices so a compromised hair brush won’t allow someone to access sensitive data stored elsewhere. Consumers should also change the device’s usernames and passwords to make it harder for someone to commandeer them by using the default settings.

The IoT-curious might also want to check a manufacturer’s website to see if it has a history of releasing security updates for their products, Arsene says.

More technically savvy consumers might even take advantage of security features in their routers and other networking devices to ensure IoT devices aren’t doing anything out of the ordinary, he says. “There’s no limit to how much paranoia you can feed into your home network.”
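As an added example (not from the article, Bitdefender, or AT&T), the following Python check shows what "using the router to make sure IoT devices aren't doing anything out of the ordinary" can look like in practice: it reads constructed router connection-log lines, assumes the IoT gadgets sit on their own subnet as recommended above, and flags a device that reaches into the main LAN or that contacts many hosts on the Telnet ports Mirai-style worms use to find default logins. The log format, subnets, and threshold are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of router connection-log lines (not real traffic).
# Assumed format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
SAMPLE_LOG = """\
2017-01-10T08:00:01 src=192.168.50.12 dst=198.51.100.20 dport=443 proto=tcp
2017-01-10T08:00:05 src=192.168.50.12 dst=192.168.1.15 dport=445 proto=tcp
2017-01-10T08:00:09 src=192.168.50.30 dst=203.0.113.7 dport=23 proto=tcp
2017-01-10T08:00:10 src=192.168.50.30 dst=203.0.113.8 dport=2323 proto=tcp
2017-01-10T08:00:11 src=192.168.50.30 dst=203.0.113.9 dport=23 proto=tcp
2017-01-10T08:00:15 src=192.168.1.15 dst=198.51.100.20 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")
TELNET_PORTS = {23, 2323}  # ports Mirai probed for default credentials


def parse(log_text):
    """Yield (src, dst, dport, proto) for every well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (ipaddress.ip_address(m.group(1)),
                   ipaddress.ip_address(m.group(2)),
                   int(m.group(3)), m.group(4))


def flag_iot_anomalies(log_text, iot_net, lan_net, scan_threshold=3):
    """Return findings for IoT-subnet devices behaving out of the ordinary.

    - "segment-crossing": an IoT device talked to the main LAN, which the
      separate-network advice is meant to prevent.
    - "telnet-scan": an IoT device contacted >= scan_threshold distinct hosts
      on Telnet ports, the pattern of a device recruited into a botnet.
    """
    iot, lan = ipaddress.ip_network(iot_net), ipaddress.ip_network(lan_net)
    findings = []
    telnet_targets = defaultdict(set)
    for src, dst, dport, _proto in parse(log_text):
        if src not in iot:
            continue  # only traffic originating from the IoT segment matters
        if dst in lan:
            findings.append(("segment-crossing", str(src), str(dst), dport))
        if dport in TELNET_PORTS:
            telnet_targets[src].add(dst)
    for src, targets in telnet_targets.items():
        if len(targets) >= scan_threshold:
            findings.append(("telnet-scan", str(src), f"{len(targets)} hosts", None))
    return findings
```

Run against a router's real connection export, a hit on either rule is a cue to pull the device off the network and check the vendor for a firmware update.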
