The giant Consumer Electronics Show (CES) held earlier this year featured the usual cavalcade of dazzling digital gizmos to tantalize the hearts and minds of tech enthusiasts everywhere. As usual, several categories of gadgets dominated the show, such as the Internet of Things (IoT), biometrics, voice-enabled assistants, and cryptocurrency.
However, there is something these devices have in common other than their ability to capture imaginations and dollars. They all continue to struggle with security issues and challenges that may be running ahead of the enthusiasm these gadgets are generating. That can be a risky and dangerous thing.
So in light of Data Privacy Day, we’ll examine security considerations buyers and users need to mull over when looking at the latest digital technologies.
IoT
The tremendous presence of various IoT devices throughout the show floor was testament enough to the lofty predictions in the growth of these Internet-connected devices for home and business. Reliable estimates show that nearly 9 billion devices are already in use, growing by nearly 30% per year. However, a recent survey revealed a host of potentially troubling security trends around their broad-scale usage.
The central problem is that almost all these devices, manufactured in the Far East for the most part, arrive with factory preset passwords that are extremely easy to crack. Users are advised to change them, but in reality, very few do so. In the Keeper study above, only 8% of millennials who buy IoT devices use a password manager to protect them. In that same survey, nearly 22% of respondents who own these devices have abandoned them because they forgot their passwords! This would not have happened had these users deployed any of the free password management solutions available to individual users.
“Hackers and cyber-thieves usually follow the path of least resistance to break in,” says Darren Guccione, co-founder and CEO of Keeper Security. “Our data in this survey clearly shows an ongoing lack of attention to detail and good password hygiene as it relates to IoT devices. Hackers know that, and consumers need to be aware that they know.”
Biometrics
Activity at CES also testified to the surge in interest in biometrics for data security purposes. In fact, biometrics (eye scans, fingerprint scans, etc.) can be a very effective element of a Multi-Factor Authentication (MFA) solution. However, there is a troubling aspect to this growing enthusiasm, namely a sense that biometrics will soon replace passwords, rendering them obsolete. This notion is as false as it is dangerous.
The simple truth is that biometrics alone cannot secure digital data in our current day and age. For example, when a fingerprint is used to unlock an iPhone, the user’s password is ‘unlocked’ and still used to open the phone for use. So while the fingerprint technique is convenient, it still does not secure or unlock the phone on its own. And if the underlying password is a weak one, the device is still extremely vulnerable to attack.
Also, if a hacker discovers a weak password such as “123456”, the attacker can then log into the compromised device and establish a new fingerprint – theirs! The only way around this vulnerability is to set up stronger passwords.
Voice-enabled Assistants
Getting all those IoT devices to do what you want them to do requires a different user interface. Voice activation is emerging as the favorite, particularly for devices where a screen isn’t an option or the operator is occupied with tasks such as driving a car.
The quality of speech recognition is now so advanced that it has effectively reached parity with humans. About 20 million homes already have a voice-activated assistant, and the Consumer Technology Association estimates that another 4.4 million units were sold during the holiday season.
Amazon and Google vied for the spotlight at CES, with Amazon using shock and awe to highlight its huge list of third-party partners for its Echo technology, while Google leveraged the large installed base of Android devices and its partnerships with automotive and consumer electronics companies to drive home the message that it intends to embed its Assistant technology everywhere.
Despite fears that voice-activated devices could be used to listen in on conversations, there have been few reports of such attacks. One reason is that most devices are not directly accessible from the internet. Rather, they’re controlled by a secure tunnel to backend servers. Although the recent BlueBorne vulnerability showed that it’s possible for an attacker to compromise a device using Bluetooth, that bug was quickly patched and no others have been reported.
That doesn’t mean you should assume you’re home scot-free, though. For one thing, many voice recognition systems don’t distinguish one voice from another very well, a fact that’s been proven by some notable pranks. A voice from the TV, radio, phone answering device, or even the next apartment may be accepted as a command. Assistants are also increasingly tied into smart home networks that control things like lighting, temperature, and door locks. Think twice before connecting an assistant to your home security system.
There have also been numerous cases of children placing orders through the devices without meaning to. This is more a matter of inconvenience than damage, but be careful about turning on the automatic ordering option, lest a $500 video game show up later on your doorstep.
Cryptocurrency
This topic was the subject of a day of CES sessions about digital payments, bitcoin, and blockchain. While not the subject of much product activity at this point, cryptocurrency has been a major news topic since the price of Bitcoin took off in the fall.
There have been numerous reports of Bitcoin hacks that have caused coin owners to lose their investments. However, blaming the currency for the losses isn’t really fair. Bitcoin’s built-in encryption is commercial grade, made stronger by a digital signature algorithm that verifies the authenticity of the sender. When losses occur, it’s usually due to user error.
The two most common ways to store bitcoin are in an online digital currency exchange like Coinbase or in a private wallet like Electrum. Both are subject to the same vulnerabilities as any bank or stock trading service; they are protected by passwords. Most digital exchanges use Two-Factor Authentication (2FA) and lock down accounts after a few failed access attempts. Private wallets may be protected by nothing more than a password.
An attacker who hijacks an email account may be able to send a password reset request to a digital exchange, but even that process is subject to 2FA. Wallets are less secure because the choice of password is up to the user. A forgotten password can lock someone out of their bitcoin trove permanently, as The Wall Street Journal recently reported.
Because bitcoin is peer-to-peer by design, there’s little you can do if your account is compromised. Unlike banks or credit card companies, there is no intermediary to complain to. That means you should pay special attention to writing down passwords and storing them offline, along with private encryption keys and “seeds,” which are sequences of random English words that can be used as a backdoor into a locked account.
Protect Your Privacy Today with Keeper
Data Privacy Day is an opportunity for all of us to take a good hard look at how we engage with the internet and evaluate the measures we take to safeguard our data. Don’t have Keeper? Start protecting your privacy with our free trial today.