Episode 21: Smart Devices Require A Smart Approach
How the "Internet of Things" Might be Making You Less Secure
Technology has the power and the promise to make our lives easier, richer, and more manageable. Devices like those in the Amazon Echo family, the Google Home family, and the Siri family - to name just a few - let us use our voices to play music, watch videos or TV, add items to our shopping lists, or even ask general questions for the internet to answer. It’s pretty futuristic stuff. When paired with other devices like smart thermostats, smart doorbells, smart blinds, smart door locks, and smart security cameras, much of our home life can now be programmed, automated, and leveraged in some remarkable ways. For people living with physical disabilities, smart home automation can be a game-changer. For those with children running around the home and needing an extra set of hands, the same.
In our rush to automate our lives, we often forget that every device can be hacked. This requires us to educate ourselves and think before bringing additional technology into our homes and businesses. Most of us forget to take this step, but - as recent headlines prove - we shouldn’t…
Ring, a company now owned by Amazon, makes smart doorbells and smart security cameras for consumers to place in their homes. Once connected to your WiFi network, these devices allow you to talk through them from anywhere in your home or from anywhere on the planet where you can connect to the internet. The potential upsides are pretty great.
Unfortunately, the company has a poor track record when it comes to security. Worse, that track record isn’t always clear to consumers. That might be why a couple in Northern Mississippi decided to install one of the company’s devices in their daughter’s room. Their daughter suffers from seizures, and her parents thought that having the device would be a reliable, extra security measure to be there for their child in the event of an emergency.
However, the family discovered that a man hacked into their Ring camera. Worse, when they dug through their video archive they found the audio of the man talking to their daughter, using racial slurs. This article about their experience in the Washington Post, and the accompanying video, are, generally, among the creepiest things I’ve seen in a while. So know that before clicking the link.
Ring is no stranger to controversy. #Hardly:
In November of 2019, the company got flagged because its doorbells were broadcasting their owners’ WiFi network passwords in unencrypted cleartext. Translation: anyone who knows even just the basics of hacking could capture your home network password, because it is broadcast in a format that offers zero protection.
In January of 2019, news broke of how Ring had been allowing employees to share unencrypted customer videos with each other. Wait, what? You read correctly: Ring apparently “gave various teams access to unencrypted customer video files on company servers and live feeds from some customer cameras, regardless of whether that access was necessary.” Worse, the company had been doing this since 2016.
In May of 2018, it was revealed that, once installed, the Ring app will continue having access to the Ring Doorbell to which it’s paired… even if that doorbell’s password has been changed. This security hole has allowed ex-husbands, wives, and partners to not only spy on one another but also harass them at all hours of the night.
Have these security holes and lax security practices been fixed? Yes. Have a few notable publications begun recommending that consumers avoid Ring devices? Most definitely. Is Ring the only company with security holes and breaches on its hands? No. Every company has issues with its smart devices, including Google, Apple, and Amazon.
By the way, I should also mention the growing partnership between Ring and local police forces around the US to create localized surveillance networks. Ted Cook, the police chief in Mountain Brook, Alabama, was quoted in this article saying that his department thinks of Ring’s technology and Neighborhood app “as trying to create a digital neighborhood watch.”
Maybe you think that’s creepy and maybe you don’t. But I sure do. That stuff’s creepy as hell, so thank you: but no. I’m not a buyer.
So what’s a consumer to do?! For me, the obvious answer begins with going analog. Somehow - miraculously!! - I’ve gotten along just fine for decades without a smart doorbell, a smart voice assistant, a smart thermostat or a smart security camera. If I decide to upgrade my lifestyle, I always rely on the same four questions to help guide me when considering the purchase of new technology:
What specific problem(s) will purchasing this piece of technology solve? For example, will it save me money or time? Will it enable or empower me to do things I couldn’t do previously in a safe and private way? Put simply: is this device something that you need?
What privacy or security concerns will I face if I bring this device into my home or business? Does it record and store my voice and the voices of my friends, family or colleagues? What information, if any, will the company that manufactures the device collect when I use it? Does the manufacturing company, by default, have access to my device? If so, can I shut that access off?
What can happen if the device is hacked? If we assume that all devices can be hacked - and we should - then how can strangers or potential enemies use this device to collect data about me, harass me, or monitor me?
What simple measures can I take when setting up this device to ensure that it provides the maximum level of security? Can I, for example, buy a device that’s already made with security and privacy in mind? If multiple companies make a voice-activated music streaming device or a smart doorbell, does one company have a better track record of privacy and security than their competition?
Sometimes, answering these questions makes clear that the device I want - say, an Apple Watch - isn’t a device that I actually need or that solves any problems. So I don’t buy it. Alternately, sometimes the answers to these questions lead me to purchase a smart device - say, an Echo Dot - that brings more joy, automation, and music to my home… after I’ve locked the device down.
In the end, answering these questions forces me to make smarter, more informed choices. Often, it leads me to purchase well-reviewed items from companies with excellent track records on personal security and privacy. That’s how we arrived at the baby monitor we purchased: it’s one of the few that doesn’t broadcast its signal over the internet.
Once you’ve determined that you truly need a new piece of “smart” technology in your home, you’ll need to set it up smartly and with your security and privacy in mind. Here are some additional, required steps for your setup process. Please note: these steps might not be explained or included in your manuals, so take note and save this information. We are always responsible for our own security, privacy, and safety with our technology.
Create and use a never-before-used email address when you register your device. This ensures that no current, compromised email addresses of yours can be used by a hacker to attempt to log into your device. To accomplish this task, I use a service called 33mail. Here’s how it works. Let’s say your name is “Bobbi Block”. Sign up with 33mail and pick the username "bobbiblock". Now, any email address ending with @bobbiblock.33mail.com will be forwarded to you. The next time you visit a website or register a device that asks for your email address, instead of giving them your real email address, create one based on the name of the service or device. Setting up a Nest home thermostat? Then make things easy by creating and using the email MyNest@bobbiblock.33mail.com.
Create and use a never-before-used password when you register your device. This ensures that no current, compromised passwords of yours can be used by a hacker to attempt to log into your device. To accomplish this task, I use a free, open-source password manager called Bitwarden.
Enable two-factor or two-step authentication on Amazon, Google, and Apple accounts. This enables a double layer of protection should a hacker somehow manage to gain access to your email address and password. Enabling two-factor or two-step authentication on key accounts (Amazon, Google, Apple, Facebook, etc.) ensures that would-be hackers would ALSO need access to your phone to gain access to your account. Here’s a guide on how to enable two-factor authentication (or 2FA) on most mainstream accounts. Here’s another from Authy, the system I personally use.
Change the device’s default password. This ensures that any hacker using the known default password for your device will be thwarted. Known default passwords are EASILY FOUND online, so do me a favor and don’t argue with me on this one, young grasshopper. #ChangeThePassword
Create a separate WiFi network for your smart-home gear. This ensures that your main network - the one with your phones, computers, and tablets - will be separated from any smart home devices, better protecting them and you. Most modern routers support multiple networks, so do yourself a huge favor and create two different networks: that means two different WiFi network names, each with its own unique password. Note: never include your name or address in your WiFi network names. That means avoiding names like “Jimmy Dean’s Special Network” or “The Danes Family 134 East Main St., Apartment #4”. You get the drift.
Disable any non-essential services on your new hardware and software and harden (make stronger) any essential services. If you have a device that is always listening or watching, lock down some of its core functionality:
Power off the device when you’re not using it. If that sounds inconvenient, use an old-fashioned outlet timer. That way, your always-listening device is powered off in the middle of the night, every night. Or when you’re away at work during the day. Or both.
Change the wake word, if possible.
Prevent the parent company from listening to your voice recordings.
Delete any old recordings that may have already been saved previously.
For instructions on how to lock down your Alexa device, use this link.
For instructions on how to lock down your Apple HomePod, use this link.
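The setup steps above can be turned into a repeatable check across everything you own. The following is an added example, not part of the original post: it audits a constructed device inventory for shared aliases, shared passwords, unchanged defaults, missing 2FA, and devices left on the main network. The network name `home-iot`, the inventory fields, and the `vault_entry` labels are assumptions made for illustration; the alias domain is the article's own "bobbiblock" example.

```python
from collections import Counter

ALIAS_DOMAIN = "bobbiblock.33mail.com"  # the article's example 33mail username
IOT_SSID = "home-iot"                   # hypothetical name of the separate smart-home network

# Constructed inventory. "vault_entry" names the password-manager entry in use,
# so reuse is detectable without ever writing a password down here.
# "two_factor" refers to the account the device is registered under.
INVENTORY = [
    {"device": "Nest thermostat", "email": "MyNest@bobbiblock.33mail.com",
     "vault_entry": "nest", "default_pw_changed": True, "two_factor": True, "ssid": "home-iot"},
    {"device": "Echo Dot", "email": "bobbi.block@example.com",
     "vault_entry": "echo", "default_pw_changed": True, "two_factor": False, "ssid": "home-iot"},
    {"device": "Doorbell", "email": "MyDoorbell@bobbiblock.33mail.com",
     "vault_entry": "doorbell", "default_pw_changed": False, "two_factor": True, "ssid": "home-main"},
    {"device": "Camera", "email": "mydoorbell@bobbiblock.33mail.com",
     "vault_entry": "doorbell", "default_pw_changed": True, "two_factor": True, "ssid": "home-iot"},
]

def ssid_reveals_identity(ssid, personal_terms):
    """True if the network name contains any of the owner's names or address parts."""
    lowered = ssid.lower()
    return any(term.lower() in lowered for term in personal_terms)

def audit(inventory, alias_domain=ALIAS_DOMAIN, iot_ssid=IOT_SSID):
    """Return {device: [findings]} for each device that misses a setup step."""
    emails = Counter(d["email"].lower() for d in inventory)
    vaults = Counter(d["vault_entry"] for d in inventory)
    report = {}
    for d in inventory:
        email = d["email"].lower()
        checks = [
            (not email.endswith("@" + alias_domain), "email is not a per-device alias"),
            (emails[email] > 1, "email alias shared with another device"),
            (vaults[d["vault_entry"]] > 1, "password shared with another device"),
            (not d["default_pw_changed"], "default password still in place"),
            (not d["two_factor"], "two-factor authentication is off"),
            (d["ssid"] != iot_ssid, "not on the separate smart-home network"),
        ]
        findings = [message for failed, message in checks if failed]
        if findings:
            report[d["device"]] = findings
    return report

if __name__ == "__main__":
    for device, findings in audit(INVENTORY).items():
        print(f"{device}: " + "; ".join(findings))
```

Email addresses are compared case-insensitively, so "MyDoorbell@…" and "mydoorbell@…" count as the same alias.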
The Lessons Learned
Technology is a fabulous and amazing part of our everyday life. But convenience in our homes and businesses is not a substitute for thinking smartly about our security and privacy. That responsibility will always fall to us, not to the companies who sell us their products.
Caveat emptor, roughly translated from Latin, means "Let the buyer beware". That’s never been more important than in the world of technology. I promise that if you employ the method I’ve outlined here (both asking the questions and implementing the device security preferences), you’ll not only be living in a more automated environment but also one that helps protect your security and privacy more.
And that’s a wrap for today’s episode, everyone. Thank you again, for reading and for being a subscriber. Let me know your thoughts in the comments section.
And remember: if you’d like me to write about a topic, drop me a line on our still-open discussion thread at this link.
As always… surf safe.