Want to buy a 'smart' hair brush? Read this first

Cybersecurity experts say many of the internet-connected products increasingly turning up on store shelves are insecure, giving malicious hackers new ways of attacking consumers – and the entire internet.

Hair Coach smart hairbrushes were on display at the Withings booth during CES Unveiled before CES International in January in Las Vegas. The brush uses sensors to track hair damage and will, via a smartphone app, offer recommendations and advice on hair care.

John Locher/AP

January 25, 2017

Your new fridge might include a virtual assistant that tells you it's time to buy milk. Maybe you could adjust your next mattress with an iPhone. That replacement brush may even offer hair care advice?

Everyday objects are getting smarter. Whether for the sake of convenience or for the wow factor, gadgets and appliances that connect to the internet and smartphone apps will soon fill big box retailers and neighborhood convenience stores alike. If you feel like you need a $160 toothbrush that connects to a smartphone app to critique your brushing habits, that's a real thing you can buy.

But before you rush out to snag a pair of internet-connected jeans, or anything else, you might want to heed the advice of pretty much the entire cybersecurity community when it comes to the so-called Internet of Things (IoT).

“A lot of these devices – well, actually, most of these devices – are inherently insecure,” says Liviu Arsene, a senior e-threat analyst at the cybersecurity firm Bitdefender.

“An attacker, a bad guy, or a hacker can use the vulnerability within that IoT device, whether it’s a smart fridge or smart toaster, and gain control of your entire network,” Mr. Arsene says, including laptops or mobile devices. “Anything from your online shopping activities, your credit card information, or your locally stored family photos can be potentially exposed or breached.”

Indeed, security researchers have discovered many flaws in IoT devices. For instance, they've uncovered security vulnerabilities in Sony’s internet-connected cameras and Wi-Fi enabled dolls that let digital stalkers spy on users. And at pretty much every cybersecurity conference these days, hackers make breaking into IoT products a spectator sport.

Not all of these vulnerabilities can be exploited right away — it takes time for hackers to focus their attention on a new IoT device. But experts say these problems can be hard to resolve after they’re discovered, especially since many people may not update software in their home security camera or connected mattress, assuming manufacturers even release patches.

These insecure products aren't just problems for consumers, either. A distributed denial of service, or DDoS, attack that leveraged an estimated 100,000 flawed connected devices hit the internet infrastructure firm Dyn in October, taking down Twitter, Spotify, and many other popular sites. 

Malware called Mirai, designed to take control of IoT devices, made the botnet that attacked Dyn possible. Compromising those devices is often trivial — many use insecure connections, fail to encrypt communications, and ship with default login credentials like “username” and “password.”

Because of the lack of strong security measures, malicious hackers are increasingly attempting to take advantage of connected things. “Across our own network we’ve seen an increase in IoT vulnerability scans by over 3,000 percent over the last three years,” says Katie Curtin, AT&T’s lead product marketing manager for IoT cybersecurity solutions.

So how can the risk of using connected devices and the desire to join the IoT revolution be resolved? “That’s the golden question,” Ms. Curtin says. “I’d say first and foremost being aware of security in general is the first step.”

Consumers should educate themselves about the problems with IoT devices and learn how to mitigate them, says Curtin. Businesses have to do the same thing, she says, while also finding ways to secure the networks and other infrastructure on which the IoT relies.

Arsene and Curtin say there are some things IoT enthusiasts can do to safeguard their smart products. 

They recommend keeping connected products on a different Wi-Fi network than the one used by computers, phones, and other devices so a compromised hair brush won’t allow someone to access sensitive data stored elsewhere. Consumers should also change the device’s usernames and passwords to make it harder for someone to commandeer them by using the default settings.

The IoT-curious might also want to check a manufacturer’s website to see if it has a history of releasing security updates for its products, Arsene says.

More technically savvy consumers might even take advantage of security features in their routers and other networking devices to ensure IoT devices aren’t doing anything out of the ordinary, he says. “There’s no limit to how much paranoia you can feed into your home network.”