The glitch that stole Christmas: How to handle smart tech gifts By Prof Alan Woodward

Department of Computing, University of Surrey Published duration 22 December 2017

image copyright Getty Images

Although the rush to connect everything from toys to toothbrushes, cars to sex toys, and any number of household appliances to the internet, seems inexorable, there is little regulation protecting your cyber-security.

Not surprising then that there has been a raft of stories this year highlighting the vulnerabilities that are coming to light.

Now, with Christmas upon us, it's highly likely that you've considered buying a connected device, or maybe Santa will leave one for you under the tree.

But with no one else to rely upon to regulate the security of your new device, what should you do to protect you and yours?

The most important question you should ask is why the item needs to be connected to anything other than, possibly, a power source.

image copyright Getty Images image caption Your personal details could make a tasty target for hackers

If it's a gimmick, or even if it's a feature you think looks really "cool", ask yourself seriously if it's worth the risk.

Look at the data the device gathers, what it shares - voluntarily and if hacked - and weigh that against what the connectivity is doing for you.

Managing your risk is all you can hope for this Christmas, as nothing is ever absolutely secure, but some degree of connectivity is useful.

If it's not vital to the operation of the device think about disabling the connectivity.

If it does what it is supposed to without collecting and reporting data then disconnect it. Even then you might consider whether the device is gathering information that you would rather was not kept: see if you can erase the data or if there is some setting that prevents it being collected in the first place.

The moment you see words such as "smart" or "connected" you need to move on to the second question: is there any known problem with the item.

If the security community has found a problem you should be able to find it quickly by searching online. Look for words such as security "vulnerability", "exploit" or "flaw" in connection with the device's name.

image copyright Getty Images image caption Consumer group Which? has raised concerns that some connected toys can be hacked to let attackers spy on or even communicate with their owners

And don't forget to search for "data breach" in relation to the company that might hold data you and yours are being asked to provide.

Research about cyber-security of a device and its associated services is the best defence but as things currently stand you need to go and find it. Don't assume anyone will proactively send a recall notice or security notification.

If after Christmas you are the proud owner of a connected, smart device then learn how to update the firmware.

Any good vendor will have provided a means by which you can upload the latest embedded software, just like you do on your PC. However, again typically you need to be proactive as few of these devices are updated automatically by the manufacturer.

If the device has the facility to automatically update then make sure you enable it.

If there is no way to maintain the firmware in the device, then it tells you a great deal about the approach of the manufacturer to security.

It's inevitable that flaws will be found but if the manufacturer has no means of updating the device it makes little difference, even assuming the manufacturer was inclined to fix the problem.

image copyright Getty Images image caption Checking regularly for updates can help keep attackers locked out

Although you might not want to ask if the person kind enough to give you the gift has kept the receipt, any device that you cannot update should be treated with caution - ie don't trust it with anything sensitive.

And if you're the one buying the device do your homework first. It's not always easy but the manufacturers' websites, especially their support section - assuming one exists - will usually tell you what is possible.

If you are willing to take the risk with the device, and it then requires you to provide personal data - for example to use an associated app - be very circumspect.

Don't use your real personal data - give an alternative persona. Unless it's a financial transaction there is no reason why you need give accurate information about yourself.

However, if you are joining in some form of online community - often the case with connected toys - remember that others probably are not as they appear either.

Of course, this is about balancing risk again. If you have some form of smart assistant and it doesn't know who you really are, it's not going to be nearly as useful as it would be otherwise.

Plus, in your rush to use your new device do the one thing none of us is ever really inclined to do: read the terms and conditions. Some online services reserve the right to withdraw access if you give false information.

Troubled toy

media caption Rory Cellan-Jones sees how Cayla, a talking child's doll, can be hacked to say any number of offensive things.

My Friend Cayla has found itself in the unfortunate position of being the plastic face of connected toy controversy.

At the start of 2015, UK security firm Pen Test Partners showed the BBC that the device's software could be hacked, allowing an attacker to make the doll swear at its owner.

The Vivid Toy Group, which distributed the machine, played down the threat and promised its app would be updated.

But at the end of 2016, US consumer groups claimed the data the toy gathered about the children who played with it amounted to "surveillance".

In February 2017, a telecoms watchdog in Germany, a country with strict privacy laws, urged local parents to destroy any units they owned and banned further sales.

And then, earlier this month, a French data regulator accused the toy's manufacturer of a "serious breach of privacy" due to a flaw said to allow people close by to connect via Bluetooth devices, potentially allowing them to "listen and record" conversations heard by the doll.

Although Cayla is still listed on the websites of many leading UK High Street and online retailers, most appeared to list it as out-of-stock at the time of writing.

At the risk of having dampened the Christmas spirit, there is some good cheer on the horizon for the new year.

image copyright Getty Images image caption New data privacy laws are on their way, but it's usually better to avoid getting into a mess than having to clear it up afterwards

Many are lobbying hard for the EU to expedite the regulation of the security of Internet of Things (IoT) devices, and there is already an agreed position on the standard to which these devices should be held.

Although these regulations might not be in effect for next Christmas, 2018 does see the arrival of the EU's General Data Protection Regulation (GDPR), which will give you the right to have your data deleted by third parties.