Smart devices provide tremendous benefits, but each one is a gateway to your personal information. ASU researchers provide tips for protecting your safety and privacy.
Banner illustration by Changwha Kyung
By Pete Zrioka
Aug. 20, 2019
They order more paper towels for you and set a timer with just a phrase. They let you know who’s at the door before you open it. They dutifully track your steps and measure the quality of your sleep. They dim the lights, bring up the music and, most critically, they always know who that actor is.
The smart devices that comprise the internet of things — voice-activated assistants, doorbells, lightbulbs and thermostats, among countless others — promise a convenient, connected lifestyle for consumers. But that convenience and connectivity may come at the cost of security and privacy.
This compromise is complicated because the line distinguishing online and offline used to be much clearer, posits Nadya Bliss, director of the Global Security Initiative (GSI) at Arizona State University. Either you were connected to the internet through a personal computer, or you weren’t.
“Now your phone is connected and your refrigerator is connected, and your TV is connected and your DVR is connected, and your Barbie is connected,” says Bliss. “Your toothbrush may be connected! You can do amazing things with that increased connectivity, but it also presents opportunities for abuse.”
Think of each smart, internet-connected device as a gateway to your personal information. The more gateways you have, the more vulnerable your information.
So how can you enjoy the benefits of the internet of things while safeguarding your personal information and ensuring your privacy?
Software company Symantec estimated that attacks on IoT devices grew by 600% from 2016 to 2017. Moreover, researchers predict that there will be more than 20 billion connected devices by 2020.
1. Establish your comfort level
Smart devices collect data in one form or another, whether it’s your shopping history or what time you turn your lights on. This data is useful and profitable to companies, but it may not be data you’re willing to volunteer. Jamie Winterton, GSI’s director of strategy, advises everyone to figure out what’s important to them individually first.
“What are you comfortable sharing? What are you not comfortable sharing? There are people who are fine sharing everything. And there are people who don’t want to share anything at all,” says Winterton. “So, figuring out what really concerns you is the first step.”
Fortunately, most companies offer their users ways to customize what they share, but they don’t always make it easy.
“There’s a lot of privacy settings, but you have to get into the menus and dig around to find out where they are,” says Winterton.
2. Shop selectively
Research brands and individual devices with your comfort level in mind. Winterton does not own many internet of things devices. She simply doesn’t think the potential benefits outweigh security and privacy concerns. But she understands that’s not the case for everyone.
“There are a lot of internet-connected devices that would provide a lot of capability to people with different abilities or different circumstances,” she says, using the example of Amazon Key, a smart lock that allows a homeowner to unlock their door remotely for deliveries, maintenance workers or the like.
“It doesn’t give me any value add. But for someone with a lot of pain management problems, that could be a real game changer. Is there a risk? Sure. Is it worth it for me? No. It is for someone else? It might be,” Winterton says.
3. Understand what your devices do
Your voice-controlled personal assistant can identify what song is playing, automatically reorder laundry detergent and give you news and weather updates as you start your morning routine. But what are the underlying mechanisms that make these conveniences possible? Furthermore, do these align with your comfort level?
Winterton asks herself a few questions when considering the benefits of a given smart device.
“Is it listening to me? Is it learning about my daily habits? Is it watching where I go? Is it sharing that info with other people?” asks Winterton.
Users should check if microphones are enabled, if there are behavioral trackers active and whether or not location services are utilized. Most importantly, look for any settings or information pertaining to how the data is shared.
“They may be in a totally different menus, but that’s what to look for,” she says. “How comfortable are you with that?”
4. Secure your home network
When naming your Wi-Fi network, don’t choose anything that could identify you or your home, such as your street address or family name. A useful tool in a hacker’s arsenal is old-fashioned social engineering — so naming your Wi-Fi network “Smith Family Wifi” or “123 W Palm Lane” is a great way to tip criminals off to who you are or where you live.
Sticking with the same name your modem came with isn’t good for security, either. This informs a hacker of the make and model of your device and any known vulnerabilities associated with it.
Second, choose strong passwords for your network. While it’s easy to remember your anniversary or your dog’s name, this is also information easily gleaned from social media. Instead, consider using a password manager to auto-generate and store strong passwords.
Winterton advises consumers to extend strong password practice to their internet-connected devices, as well.
“Many devices come with default passwords, so changing that right away is good practice,” she says. All it takes is one bad actor to post known default passwords online for someone to hijack your devices.
Finally, if your home router allows, create a second network for your smart devices. Doing so will separate your smart devices from your personal devices, such as home computers, phones and tablets. If one of your smart devices is compromised, it can’t serve as a gateway to sensitive information stored on your personal devices.
5. Configure your devices
Do your internet-enabled devices even need to be connected? What is the value of that connectivity?
“I’m definitely on the ‘turn things off’ side of things,” says Bliss, who owns a number of internet of things devices.
Despite her washer and dryer being equipped with internet connectivity, she has chosen to forego that function. Sure, the dryer has sensors for dampness, but that’s something Bliss would rather just check on her own.
“I manually go in and find where things have connectivity that is unnecessary for either function, capability or security, and assess it and usually turn it off,” she adds.
6. Stay up on updates
In addition to overall connectivity, consider security updates. Cybersecurity is a never-ending battle against hackers probing for vulnerabilities and exploits. As a result, companies continually roll out security updates to protect users, but can be slow to do so.
Some of the largest companies in internet of things devices, such as Amazon, automatically update internet-connected devices. That might run afoul of an established comfort level, however. Bliss manually checks for security updates to control what’s pushed to her system.
Regardless of where you stand, it’s best practice to routinely check for firmware updates from each of your device manufacturers.
7. Follow the money
When evaluating a product or service, Bliss looks at the incentive structures at play. She points to Facebook, a company that doesn’t charge for its services. Instead, they monetize user information.
On the other hand, the high price of Apple devices, from phones and laptops to smart watches, indicates they’re monetizing the actual product and not the information gleaned from users.
“I need to feel like there’s a corporate incentive to protect my privacy,” says Bliss. “Whether I’m right or not, I’ve at least done a surface assessment of how the company operates and makes money.”
“Technology is amazing and has tremendous opportunities to make the world safer and better and easier and to make sure we feel connected to other humans in the world,” says Bliss. “When it comes to connectivity, it’s not ‘don’t do it,’ but ‘do it in an informed way.’”
Connecting disciplines for a connected world
A self-proclaimed technologist, Bliss genuinely finds joy in the development of new technology and capabilities. But the conversation shouldn’t end with “Oh, this is cool.” Equally important is “why do I need this and what purpose does it serve?” she says.
GSI is exploring the balance between increased connectivity and personal security and privacy. By connecting computer scientists with transdisciplinary partners in the humanities, the initiative is raising questions about the impact of new technologies on individual and community life.
“Not everybody should have to be a cybersecurity expert to have privacy. We have to find a way for people to have that control without being a technical expert, and that’s a big, interdisciplinary project,” says Winterton. “That’s not just technical. It’s psychological and sociological.”