The Security Ledger

Check it Twice: Consumers Warned of Privacy, Security Pitfalls in Connected Gifts

Consumers should be wary of privacy and security issues affecting Internet-connected products, according to the Online Trust Alliance.

In-brief: More than 50 million connected devices will be purchased this holiday season, according to the Online Trust Alliance. But consumers should be wary of privacy and security issues affecting Internet-connected products, the group said.

Internet connected devices are all the rage this holiday season, as consumers scoop up Hello Barbies, wearable health monitors and smart home hubs like Amazon’s Echo. But a leading industry group said that consumers should read the small print carefully, and be prepared to return gifts that fail to take security and privacy protections seriously.

The Online Trust Alliance on Wednesday released a checklist for smart devices that it said will help protect the security and privacy of consumers who buy connected devices or receive them as gifts during the holiday season. Consumers who fail to follow the steps recommended by the group are “potentially putting their personal and family data at risk,” the OTA said in a statement.

Security flaws and lax data privacy practices have been frequently observed. Most recently, for example, research by the firm ABI revealed that the Nest Cam by Alphabet does not power down when users turn it “off” using an associated mobile application. In a separate study, researchers at German and French universities found that three-quarters of embedded systems that sport web interfaces contain serious security vulnerabilities.


On Wednesday, experts urged consumers to use caution when purchasing technology that sports an ‘always on’ Internet connection or that seeks to collect data from consumers.

“The best deals or coolest features aren’t the only things to look for when buying connected devices,” said Susan Grant, Director of Consumer Protection and Privacy at Consumer Federation of America in a statement released by the OTA. “It’s also important to consider privacy and security, and this checklist will help consumers make well-informed decisions in choosing and using these devices.”

More than 50 million Internet-connected devices will be sold during the holiday shopping season this year, the OTA estimates. It advises consumers to make sure they can return devices that, upon setup, lack “security and/or privacy practices” that meet the consumer’s “personal requirements.” Consumers should be able to opt out of sharing data with third parties or ‘opt in’ to data sharing.

To prevent hacking or remote compromise of connected products, OTA on Wednesday issued a smart and connected devices security and privacy checklist. The list instructs consumers to pay close attention to features for updating the device’s software. Connected devices should support updates and patches sent directly from the manufacturer – ideally with an “automatic” update feature that does not require users to download and apply patches.

On privacy, the group said consumers should review the privacy practices of connected devices they own or are considering buying to understand the data collection and sharing policies of those devices.

The security firm Bluebox says the mobile applications used with Hello Barbie contain security flaws that could lead to the theft of passwords and other information.

The Online Trust Alliance represents large technology and retail firms in the U.S. including Microsoft, Symantec, Target, home security firm ADT and TRUSTe. The group has made protecting privacy on the Internet of Things a key issue, releasing a draft Internet of Things Trust Framework in August and a checklist for securing smart homes in October.

The OTA’s warnings echo those of the U.S. Federal Trade Commission, which issued a report in January warning of privacy risks in connected devices and calling on manufacturers to make security and privacy a priority.
