Before putting internet-connected toys, gadgets or gaming consoles under the tree this holiday season, cybersecurity firm ESET is encouraging people to take precautions that limit the risk of cyber attacks.
Cyber attacks on toys, you ask? Weaponised teddy bears? Yes, they are possible. ESET senior research fellow Nick FitzGerald explains:
“This year, Christmas gifts will be connected more than ever before, often requiring always-on connections to servers and our personal information. Whilst IoT devices make great gifts, with recent attacks such as Mirai, which enslaved more than an estimated two million IoT devices, it is important for consumers to understand the real risks involved, and how to protect their privacy and personal data.”
Toys are becoming high-tech, including everything from Bluetooth to app integration with a mobile device. The downside is, do you know what data those toys collect? If they collect GPS data, attackers could potentially pinpoint the location of children.
This year a number of toys across Europe including the Furby Connect, CloudPets and the i-Que Intelligent Robot had numerous security failures.
At a conference in The Netherlands, an 11-year-old used a Raspberry Pi to hack a smart teddy bear and used it to record a message from the audience.
“Ensure you know what data is being transmitted, whether there are parental controls in place and how services handle the data in secure and privacy-respecting ways. Sadly, there are already several examples of ‘smart toys’ that miserably fail on these criteria,” ESET says.
“Whenever an appliance is described as being ‘smart’, it’s vulnerable,” with the same caution applying to ‘connected’ devices,” says F-Secure CEO Mikko Hyppönen.
If you are considering purchasing a ‘smart’ or ‘connected’ toy or device for any of the children on your shopping list, ESET recommend that you use your favourite search engine and run four searches:
· Toy name security vulnerability
· Toy brand name security vulnerability
· Toy brand name privacy breach
· Toy brand name data leak
Reconsider purchasing a ‘smart’ toy known to have had vulnerabilities, or one from a brand – especially if it is a new or little-known one – that has had other items with vulnerabilities, or privacy or data breaches.
Most gaming consoles like the Sony PlayStation or Xbox have some kind of connection to the internet these days, especially as gaming developers offer purchases for certain games and online battlefields.
However, they do come with risks. The accounts you use to access content include personal details and stored payment details such as credit card information.
The 2011 Sony PlayStation hack exposed details of 77 million gamers. The leaked information included names, credit card numbers, passwords, security questions and dates of birth.
“Gamers can protect their payment information by purchasing a pre-paid account top-up card from a newsagent or supermarket, instead of using a credit card, or use a prepaid credit card and maintain only a small balance on it. Parents should enable parental controls to restrict purchases and actions to protect younger children,” ESET says.
Whether you’re a fan of Amazon’s Alexa or Google’s home assistants, those assistants can be cheap and useful, but can also invade your privacy.
“These devices have always-on microphones that listen for specific catchphrases to activate. There have already been reports of hackers finding ways to take control of these devices, effectively turning them into wiretaps, potentially exposing your most private conversations,” ESET explains.
“Protecting against such attacks is difficult, especially since these devices are designed to be on, and listening, 24/7. Users can manually mute their home assistant when not in use and review the permissions settings on the manufactures website. Avoid using home assistants to access services that may contain sensitive data, such as banking details, and erase old recordings if possible.”
But most of all, stay smart and safe when buying gifts online. Sure, you may be able to skip the queues in store, but it still comes with risks.
“When you are ordering gifts online, check to see if ‘https’ is included in front of the web address or that a padlock symbol is displayed by the site’s address in the browser to ensure your details are encrypted during checkout,” ESET says.
“Also, consider using a credit card instead of a debit card as you may find it easier to get your money back from a credit card if you are scammed with bogus charges.”
“Finally, for any card that has a PIN associated with it, you may want to change your PIN if you have been using the same one for a long time.”