The Christmas period is a good time for hacks against companies: with the end-of-year holidays, there is less staff and therefore less reactivity. But it would be simplistic to see only this aspect.
Hell has a gift-wrapping
In recent years, connected objects of all kinds have become fashionable: speakers, watches, scales, vacuum cleaners and, this year's fashionable object, connected cameras. All these gadgets can be very useful and have very nice features, but they are also a perfect way into your home for an attacker. Unfortunately, these devices are very often "light" in terms of embedded security. One might think that this is not too serious, but from a compromised device it may eventually be possible to infect an entire network, for example to extract data.
A similar case occurred a few days ago with a "Ring" camera marketed by Amazon (more info here). The hacker, once the camera was compromised, was able to observe the children's room and get in touch with it. An isolated case? I'd like to say it is, but no. I can't count the number of articles I've read about these compromised devices.
The points of attention
The purpose of this article is obviously not to frighten everyone, but to remind you of a few simple safety rules.
- Think of your connected device as a computer: this means installing the manufacturer's updates when possible, including security updates.
- If your device has a login/password, don't leave the default one: change it to a complex password (16 characters minimum with upper case + lower case + special characters; you can use a password generator and/or a password manager, for example).
- Concerning passwords, adopt as far as possible the policy of one software/site = one password. In case of compromise, this reduces the impact even more.
- Only connect your device to the internet if it is necessary. If software does not need the Internet, do not risk exposing it or allowing it to access the world unnecessarily.
- Avoid obscure brands, especially low-cost Chinese ones, which not only do not guarantee you adequate security but also have a high chance of sending your data to China, a country known for its privacy.
The user, the guarantor of his own security
As always, the user is the last bulwark of his own safety. Many of these devices will access your phone, for example, with their dedicated applications. It's up to you to choose which permissions you want to activate or not.
As an example, I myself have an Alexa connected speakerphone. Although it is connected to my phone, a necessary step for its connection, it does not have access to my contacts, even though the application requested it. Moreover, once its configuration phase was over, I removed the Bluetooth pairing. The idea is always the same: allow only what is necessary for what I'm going to use the object for. Just because an application needs to access your contacts for a specific feature doesn't mean you should let it, especially if you don't need the feature.
As always in security, it's a cat-and-mouse game. Just because something is reliable today doesn't mean it will be tomorrow. A zero-day flaw (not exploited so far) can always be discovered, hence the importance of applying updates properly, for example, and of respecting the few rules I have indicated above.
Anyway, happy end-of-year celebrations to all, and enjoy the many gadgets that you will see blooming around you, but above all take advantage of this moment to spend time with your family and friends.