Blog: Consumer Advice

Don’t get burnt on pay day. How to buy IoT gadgets sensibly

Ken Munro 29 Mar 2017

As it’s the end of the month, and pay day for many, I thought some timely advice would be helpful for people itching to spend their money on IoT gadgets.

It’s not all bad. While many manufacturers happily continue to fill shelves with dross, we know plenty of responsible companies whose products and devices are strong and secure in normal use.

So, this is what you should do when thinking about buying that smart device.

Research, research, research

Using a search engine, enter the name of the toy or gadget that you’ve set your heart on, and add the word “hacked”, “hack”, “security”, or “vulnerability”.

If there’s a known issue your search results should reveal it.

Try before you buy, with the App

Go to the App Store or Play Store and download the app to your phone. You don’t have to already have bought the device for this exercise by the way. If you do buy it you’re going to need the app anyway.

Go to the “login” or “create account” section. What we’re looking for here is evidence that they’ve taken care over password options.

When creating this test account use a temporary or throwaway email address, and then try to set weak passwords, such as “password”, “PassWord”, “PassWord1”. Usually we’d expect these to be rejected for being too weak. If they’re accepted, it demonstrates that the manufacturer really doesn’t care about security.

Get a copy of the manual

Any half decent manufacturer will have the manual available on their website. Rummage around to find advice and instructions for connecting to the device for the first time.

If the device uses Wi-Fi, what is the connection process? Do you need to press a button on the gadget, or is the Wi-Fi wide open without needing a password, or can it be accessed from any phone using the same password? The latter two are bad signs.

If it’s Bluetooth do you have to press a button on the gadget to put it in pairing mode, or can just anyone connect to it? Having to press a button or similar before anyone can connect for the first time is a good thing. It means that you are in charge of whether someone else can connect to your gadget or not.

Is the manufacturer taking care?

Does the manufacturer even mention security on their website? Do they use language like “bank grade encryption”, or even “military grade encryption”? How about the use of jargon like AES-256? In the great scheme of things these are meaningless.

A responsible manufacturer will at least tell you that they’ve had their security independently reviewed, and might share the processes they adhere to, to keep your data safe.

Another good signal is if they have a bug bounty programme, which encourages hackers/researchers to find and report flaws. Search online for “bug bounty” and the name of the product or the manufacturer. One big name in the bug bounty world is Bugcrowd; click through to their site to check.

Consider the cost. If the tracking watch (for example) you are buying is less than £200, there is likely to be very little money available for security testing, which may mean issues exist. Cheaper devices are rarely secure.

Use a strong password

Weak passwords often lead to the easiest ways to hack an IoT gadget.

See if you can create a really weak password, such as a single character; if you can, that’s a massive red flag. Or try 123456 (the most common password). Remember that Password1 complies with most corporate complexity requirements.

You should set a complicated, UNIQUE, and strong password, one that you’ve not used anywhere else. There are free password managers designed to make your life easier. Use one on all your devices; it will make your life more secure.
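The point above, that “Password1” satisfies typical complexity rules yet is trivially weak, is easiest to see in code. The following is an added example, not code from the original post or from any manufacturer’s app: a small password-policy check that rejects the weak choices named on this page (a single character, “123456”, “password”, “PassWord1”) by normalising the candidate and comparing it against a deny-list, alongside a naive complexity rule for contrast. The deny-list is a constructed stand-in for a real breached-password list.

```python
import re

# Constructed deny-list of common passwords (assumption: a real app would
# load a large breached-password list rather than this handful).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Map common symbol/digit substitutions back to letters so that
# "P@ssw0rd" normalises to "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i",
                      "$": "s", "3": "e", "4": "a", "5": "s"})


def normalise(candidate: str) -> str:
    """Reduce a candidate to its 'core' word for deny-list comparison."""
    core = candidate.lower()
    core = re.sub(r"\d+$", "", core)        # drop trailing digits: "password1" -> "password"
    core = core.translate(LEET)             # undo leetspeak: "p@ssw0rd" -> "password"
    return re.sub(r"[^a-z]", "", core)      # keep letters only


def passes_naive_complexity(candidate: str) -> bool:
    """The classic corporate rule: 8+ chars, upper, lower and a digit.
    Shown only to illustrate that 'Password1' sails through it."""
    return (len(candidate) >= 8
            and any(c.isupper() for c in candidate)
            and any(c.islower() for c in candidate)
            and any(c.isdigit() for c in candidate))


def password_problems(candidate: str, min_length: int = 12) -> list[str]:
    """Return a list of reasons the candidate is weak; empty means acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    elif normalise(candidate) in COMMON_PASSWORDS:
        problems.append("trivial variation of a common password")
    if len(set(candidate)) < 4:
        problems.append("too few distinct characters")
    return problems


def is_acceptable(candidate: str) -> bool:
    return not password_problems(candidate)


if __name__ == "__main__":
    for pw in ["a", "123456", "password", "PassWord1", "P@ssw0rd",
               "correct horse battery staple 42"]:
        print(f"{pw!r:40} complexity={passes_naive_complexity(pw)!s:5} "
              f"problems={password_problems(pw)}")
```

Run it and you will see “PassWord1” and “P@ssw0rd” pass the naive complexity rule but are rejected by the deny-list check, while a long unique passphrase is accepted. An app that behaves like the complexity rule alone is the one the section above tells you to be wary of.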

Also, check whether the app offers two-step verification or two-factor authentication, either through a one-time SMS code sent to your phone or through an authentication app. If there is a choice, go for the app; it is more secure.

Updates. Will your product get any?

Does your device support security fixes and patches?

Review the instructions to see how yours gets updated. Ensure your phone is configured to allow the app to check for updates, then apply them as soon as you get the alert. Also, always update your mobile app and check to see if there are any patches for the gadget as well.

Note that updates are sometimes ‘pushed’ from the phone app to the IoT gadget, whereas some manufacturers choose to deliver updates pushed ‘over the air’ direct to the IoT gadget.

Reviews and Amazon

Take reviews with a pinch of salt. Which? Magazine recently did some research on Amazon reviews and found that many reviews are simply fake or paid-for endorsements. They offer some excellent advice on spotting this on the link above. You can also use fakespot.com to automatically analyse reviews on certain sites and provide an adjusted rating.

However, reading the reviews and questions can tell you a lot about the company and the device. Look for comments about how easy (or not) it is to set up, and how the company responded. If the device is hard to set up, or many people report problems setting it up and the company is hard to get hold of, that can be an indicator of issues in the device.

On Amazon, search for the device name or type but not the manufacturer; you may find that many other companies sell the exact same product under a different name. This is often an indication of cheap clones. The issues found in one clone are usually found in the others, as they are just rebranded.

Conclusion

By following these simple steps you’ll quickly get an understanding of whether the people who made the IoT gadget of your dreams know anything about security.

As with life, don’t spend your hard earned money on people who don’t care.