The holiday shopping blitz is right around the corner. There are so many awesome Internet of Things (IoT) gizmos and gadgets and toys you could buy for yourself or your loved ones – a little BB-8 droid you can control via Bluetooth and send rolling around the house! A fitness tracker that records (and shares!) your stress levels! One of those Nest thermostats that learns and adapts to how toasty you like your house! A wearable pain relief cuff that zaps your ankle to send neural pulses to make your brain close its pain sensory gates!
What could possibly go wrong with internet-enabling those and a gazillion other gizmos?
Well, the developers could have fallen asleep at the wheel when it comes to encrypting communications, implementing automatic security updates, requiring strong passwords, having a decent vulnerability management system, or sharing your data with third parties.
Or, say, they may have a written privacy policy that’s as transparent as figgy pudding. They also may have neglected to give users a way to delete their data and account.
Well, this year, Mozilla has done us all a solid and created a guide to help you buy safe, secure products this holiday season, having taken a look at all those factors.
It’s called Privacy Not Included. Bear in mind that this doesn’t comprise deep-dives into vulnerabilities, so you really do need to research a given product more thoroughly to get an idea of how its makers treat privacy and security.
What the guide does do: list whether or not a given gadget got basic privacy/security right. Mozilla included an emoji slider where users can record their emotional reaction to a given item, too, though as we’ve already noted, the scale doesn’t cover the full spectrum of how the IoT should make us all feel:
Not this? pic.twitter.com/AKoGO1TszY
— Anna Brading (@annabrading) November 16, 2018
Mozilla slapped a “Meets Minimum Security Standards” badge on the IoT gadgets on its list that passed at least some muster.
The good news: Out of 70 evaluated products, 31 of them got the seal of approval.
The awesome news: those included such popular ones as Nintendo Switch, PlayStation 4, Apple’s iPad and HomePod, WyzeCam, the kids’ edition of Amazon Fire HD, Amazon’s Echo and Dot Alexa gadgets, Google Home, and Roku streaming players.
This isn’t to say that some gadgets that meet minimal security requirements aren’t also creepy. For example, do you really love the idea of a smart speaker that’s always listening? Keep in mind that for the second time, a judge has ordered Amazon to hand over Alexa recordings.
Besides having your IoT data subpoenaed by a court, here are just a few of the other things that could happen if you bring IoT gadgets into your life:
Nest could “learn” that you like a really, really chilly house. The Nest Learning Thermostat learns all about how warm and cool you like your house. Its makers say that if you use it for a week, it will start adapting to your personal temperature preferences. It comes with an app that lets you control the temperature in your home from anywhere and sends alerts when things don’t look quite right. The makers: It can save you energy and money!
Or it could plunge you into a freezing cold January without heat, as happened in 2016 due to a software bug, threatening to cause users’ water pipes to burst.
The problems that Mozilla found: Nest doesn’t require users to change a default password; nor does it have parental controls.
A pain relief cuff could do quite the opposite. The Quell 2.0 Wearable Pain Relief cuff straps onto your ankle and zaps your nerves to send neural pulses into your brain, close to the brain’s pain center. It sounds like a great alternative to opioid addiction, Mozilla points out, and it’s sure better than being in pain. You can control the frequency and intensity of the zaps, via an app on your phone. Sounds great, but do keep in mind what can go wrong, Mozilla says:
Just don’t let anyone else get a hold of your phone. Zzzaapp!
You’d want something like that to have good security controls, but Mozilla found that it ships with a default password that you evidently aren’t required to change. It also shares your information with third parties, for inexplicable reasons.
Beware the cuff if you don’t want to get zapped by jerks, Mozilla suggests:
Some mean person could learn when you are doing pain therapy, hack the app, and zap you in unexpected ways.
Hackers could burn your dinner. Restaurants are pricey, and home cooking takes time. How about this instead: you pop your food into a plastic bag, put it into a pot of water, plop in the Anova Precision Cooker Sous Vide gadget, and then go relax on the couch. Or hey, get the Bluetooth + Wi-Fi version and go relax on another continent – which, as Mozilla notes, will be “super handy once teleportation is invented!”
Problems: It doesn’t encrypt its data. Its privacy policy is hard to read. Also, it shares your information with third parties.
Mozilla also couldn’t figure out if it carries out automatic security updates. No Mozilla minimum security requirements badge for YOU! Malicious dinner-ruining hackers could “hack your Wi-Fi, crank up the cooking temperature on your sous vide, and over-cook your steak.”
Another thing that’s so not rare: IoT security lapses
Unfortunately, just as the everything-connected future becomes ever more real, we see more and more of the myriad security issues that all these computer-enabled devices usher in, be they in fridges, baby monitors, TVs, kettles, cars or light bulbs.
The most recent news was that of MiSafes smartwatches for kids, which security researchers found are vulnerable to “the simplest hack we have ever seen.”
There is good news, though: Mozilla found that at least some of these shiny trinkets meet minimum security requirements. That’s a start, and we owe a huge shout-out to Mozilla for putting out this helpful guide just in time for the holiday shopping bonanza.
So, if you’re just starting your Christmas shopping, go check out Mozilla’s buying guide.
Bryan
You know we’re accustomed to a low-set bar when 31 of 70 passing is good news…