Sunday 17 Jul 2016 @ 09:17
Information Commissioner's Office
Printable version

Public must act to protect themselves when using Internet of Things devices

Blog posted by: Simon Rice, Group Manager for Technology, July 15, 2016.

Is this creepy website live-streaming YOUR living room? That was the Daily Mail headline in 2014, highlighting a Russian website that was providing links to access internet-connected cameras around the world.

The story was prompted by an ICO blog that had warned that the website had been able to access webcams, CCTV and baby monitor cameras because they had not been made sufficiently secure.

But two years later we are still seeing the same mistakes, with people not keeping their devices secure, and manufacturers not incorporating adequate security into products.

This means Internet of Things products such as baby monitors, music systems and photo or document storage, which can be accessed online, are at risk of revealing your personal details to other people.

A lack of security when it comes to IoT devices could mean that a search engine is used by criminals to locate vulnerable devices and then gain access to them or others on your home network. An attacker could then use your equipment to mount attacks on others or take your personal data to commit identity fraud.

We’re continuing to work with manufacturers about what they can do, but individuals need to play their part too. The public must act to protect themselves and their families when using these devices. If they don’t they could find their personal files easily accessible by popular search engines, casual browsing or more determined attackers. If you wouldn’t leave your house unlocked then make sure your digital home is equally secure.

People using IoT devices should consider the following:

1. Research the security of a product before buying

Good research before buying a connected device will allow you to recognise the ones with poor security implementations. You should also look to see how a product will be updated in the future if a security issue is identified. As an example, some smartphones have never, and will never, receive security fixes.

If consumers reject the products that won’t protect them, the developers should get the message quicker.

2. Is your router secure?

This will be your first line of defence on the perimeter of your home network. If you’ve installed a device in your home and connected it to your network, the default settings of your router might be exposing it to the internet and therefore everyone else connected to the internet.

This is necessary if you want to access that device from outside of your home but whilst some devices require some form of password protection, others either do not or they use a default (and potentially discoverable) password. Where no protection is in place, your personal files could suddenly become available on popular search engines.

3. Change passwords and usernames from default

The default password protection will only guard against casual observers. Default credentials for many devices are freely available on the internet and can be located with ease. You should always change passwords from the defaults and choose a suitably strong password.  You should also use a different password for each account and device. This might sound complicated but if you are using a smartphone app to access the device this might be able to keep you logged in, meaning you don’t have to enter it each time.

4. Known security vulnerabilities

Check the manufacturers’ website to see if there have been any updates which address known security vulnerabilities and install updates in a timely manner. This includes your router. But be warned, updating the firmware of an IoT device can overwrite the data or settings so check the manual and make sure you have a backup.

5. Take your time

Don’t just plug your device in and skip as much of the set-up process as you can. Take time to read the manual and familiarise yourself with the security and privacy options available to you.

6. If there’s a two-step identification option – use it

Two-step authentication offers you an additional layer of security when logging in to an online service.

Whilst few devices will offer this service, the website you use to view the data might. It often works by asking you an additional security question, or by sending a code to your mobile phone or email account that you must enter during the login process. Sometimes you can have a separate device which generates these codes.

Using two-step or two-factor authentication means that if your username and password are compromised, a criminal cannot gain access to your account data without also compromising your mobile phone or code generator. Therefore if you have this option turned on, your information has a much greater chance of remaining secure.

 

Channel website: https://ico.org.uk/

Share this article

Latest News from
Information Commissioner's Office

ICO publishes guidance to improve transparency in health and social care

16/04/2024 09:10:00

The Information Commissioner’s Office (ICO) is supporting health and social care organisations to ensure they are being transparent with people about how their personal information is being used.

Information Commissioner’s Office seeks views on accuracy of generative AI models

12/04/2024 12:25:00

The Information Commissioner’s Office (ICO) has launched the latest instalment in its consultation series examining how data protection law applies to the development and use of generative AI.

ICO joins global data protection and privacy enforcement programme

04/04/2024 15:20:00

The Information Commissioner’s Office (ICO) has signed onto a new international multilateral agreement with the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE) to cooperate in cross-border data protection and privacy enforcement.

ICO sets out priorities to protect children's privacy online

04/04/2024 09:10:00

The Information Commissioner’s Office (ICO) is calling on social media and video-sharing platforms to improve their data protection practices so children are safer when using their services. 

ICO publishes new fining guidance

19/03/2024 09:10:00

The Information Commissioner’s Office has published new data protection fining guidance setting out how it decides to issue penalties and calculate fines.

ICO reprimands Dover Harbour Board and Kent Police over information sharing

18/03/2024 10:20:00

The Information Commissioner’s Office (ICO) has issued reprimands to Dover Harbour Board and Kent Police after they breached data protection law.

ICO reprimands London Mayor's Office for Policing and Crime for complaint web form error

15/03/2024 14:10:00

The London Mayor’s Office was yesterday reprimanded by the Information Commissioner’s Office (ICO) for a web glitch that potentially revealed the personal information of people who were complaining about the Metropolitan Police Service.

ICO fines Wigan-based Pinnacle Life £80,000 for “predatory” spam call campaign

07/03/2024 12:25:00

Wigan-based company Pinnacle Life has been fined £80,000 by the Information Commissioner’s Office (ICO) for a year-long unlawful spam phone call campaign.

ICO launches “consent or pay” call for views and updates on cookie compliance work

06/03/2024 15:05:00

As part of our cookie compliance work, I committed to providing the online advertising industry with clarity on ways in which it can use advertising cookies in compliance with data protection law.