With Christmas just around the corner many parents are still looking for the perfect gifts for their children. In a season that can see them spend up to £1,000 on tech goods, many of us forget the risks that come with bringing new devices into the home.
As people start waking up to the risks involved with smart technology – including Parliament, which has recently approved the Product Security and Telecommunications Infrastructure Bill – the University of Kent’s Sarah Turner has responded to some of the main questions and concerns about staying cyber-safe this Christmas when buying new technology. Sarah is a computing expert who specialises in how UK families engage with cyber-security when using home Internet of Things (IoT) devices.
What is the internet of things in terms in relation to devices and tech in the home?
The Internet of Things is a catch-all term for any everyday object that can be Internet-connected. You’ll often see them called ‘smart’ devices. So, a smart TV, smart speaker, smart toy, or smart thermostat, for instance.
These devices typically act to make our lives more convenient but are especially good at giving you a more personalised experience; for example, your TV viewing or heating in the home. They do this by collecting, and then processing, lots of data about how you – and anyone else around the devices – use and interact with them. From our research, we found that a lot of parents do not understand the risks of IoT devices, and they don’t consider them to be a threat.
How are families at risk because of this tech?
There are three things that anyone planning to buy a smart device to have in the home needs to consider beforehand:
1) Is everyone in and around the home – adults, children, people who babysit, friends, wider family members – happy with having their data collected? This might be their voice or videos of them. It might allow for other users of the device – or people who have your WiFi password – to track their movements, see what they are watching or buying, for example. You may also need to ensure that your devices do not encroach on the privacy of people outside of your home, like neighbours.
2) Are you confident that you have bought a reputable device? Although there will soon be UK legislation requiring some basic security measures for these devices, at present, this does not exist. This can mean that devices can be sold without having to give any thought to how to make them secure, and therefore how to keep you and your family safe.
3) Do you know for how long the device’s software will be updated? Devices can often be sold with very short periods of supported software updates. When this stops, it means the device will not receive important software updates that will fix software vulnerabilities that can leave you at risk of being the victim of a cyber-attack.
Any specific risks to children?
The major risk to children is that they, too often, get no say in devices being set up, and will not have access to apps that can control the devices, but will all too often have their data taken – with all the potential risks that that can bring. A concerning example from 2019 is that of an 8 year old girl who was spoken to by a stranger pretending to be Santa because of a poorly configured Ring camera in her bedroom.
More generally, these devices are particularly tricky in the home. Often, smart speakers, TVs or games consoles, for example, exist in part to get their users to buy more products – from shopping websites, or to movies or games. This can happen because the person who has the device has provided account information as part of the set-up process – usually including credit card information – and do not realise that purchase features often must be switched off rather than on, which can be quite the expensive learning experience!
What are the top ways in which families can protect themselves?
- Buy a reputable brand and a new device – a lack of regulation and short guaranteed software updates can mean that devices are not necessarily as secure as you might think
- Make sure any passwords provided with the device, or associated technology (such as an app) are changed to a strong and unique password (see the National Cyber Security Centre’s guidance on using three random words).
- Discuss how you are going to use the device as a family (or as people in the house)
- Are you worried about people spending money through the device?
- Are you worried about people accessing inappropriate content through the device?
- Does everyone feel happy about where the device is in the house?
- Is everyone happy about how to turn off the device if needed?
- Does the account holder know how to delete data collected by the device?
Once you’ve had that discussion, spend some time going through the device’s settings and see how you can adjust them to fit everyone’s requirements.
And finally – consider what buying and IoT device as a gift means for the person you’re buying it for, and their household.
Sarah Turner is a Research Student for the School of Computing at the University of Kent. Her research focuses on the way in which UK families engage with cyber security when using home Internet of Things (IoT) devices.
Dr Jason Nurse is a Senior Lecturer (Associate Professor) in Cyber Security in the School of Computing and the Institute of Cyber Security for Society (iCSS) at the University of Kent. His research interests span smart home technologies, security and privacy awareness, and ways to keep people safe online.