Internet of Things (IoT) devices are a gift that gives us tremendous power over our lives. They are an array of gadgets and systems created by companies large and small, with divergent ideas and standards of security and privacy. They entertain us, sustain us, and surround us – whether a smartwatch on a wrist, or a device in a heart. Since the holiday season is a time when IoT devices become “top of mind,” it seems as good a time as any to take stock of all the devices – from those that may be presents, to those that have an influential “presence” in our digital and physical lives. Let’s take a look at some common IoT device red flags, and the prudent evaluation criteria everyone should apply so as not to fall victim to gadget gotchas.
Quality over Quantity Quandary
They say imitation is the highest form of flattery. Unfortunately, when it comes to “gadgets,” imitation is often the lowest form of quality. From security cameras to smart assistants and even smartwatches, brand name success breeds low-cost commodity copies. In the race to capture the impulse-buying public, off-brand devices claim equivalent functionality and benefits, but rarely can they claim safety and support. Convenience and accessibility keep many from pausing to ask: who is this company really, was security a design priority, and where does all the data go?
So this brings us to the first red flag to examine. What are we actually getting when we fork over our cash? Apart from potentially cheap materials, who built the product? Researching the company can tell you a lot. How long have they been around? Is the company well established and viable? Is there adequate support for issues, including compromise? Santa’s Elves aren’t subject to deep regulatory scrutiny. You know who else often is not? Overseas companies. They can flood online sellers, and even if you’re not the target of a nation state, you can be a random target left out in the open.
Which brings us to flag number two. We know which countries are commonly called out for suspect technology, but even if you recognize the company name, do its products suffer from issues in the “usual suspects” category? Do the products come with a default password, and more importantly, can it be easily changed? Is the software on the device updated frequently, maybe even automatically? If so, how often are you notified of updates and how easy is the process? Even deeper, how much control and visibility do you have into what an update comprises? Finally, are communications to and from the device encrypted? Is the encryption end-to-end? How strong is it? These are the table stakes of product security, and if the red flags are flying, the next policy you examine should be the return policy.
Products of convenience and electronic connection are certainly the most recognized category of personal IoT, but in an increasingly connected world we also need to recognize the devices that quite literally, physically connect us to the internet. This includes devices focused on digital health and patient care, from pacemakers to health trackers and monitors.
We can start this discussion where we left off. Is the “heart” of the product design in the right place? Is it solely there to help you and your physician, or is there a third party interested in the beats of your life? Is device data, even if anonymized, shared with vendors for the purposes of research and trend analysis? Some device vendors partner with hospitals and healthcare organizations to collaborate around your health data. For the vast majority, the intent is to improve your care and the care of others, and to better prepare us for new and emerging health concerns. But in this category, you really need to understand the potential gap between intention and execution – from how the data is handled, processed and consumed, to how it’s secured throughout. Additionally, one important failsafe question – can you opt out?
The second flag, to steal an infamous line from the movie Marathon Man, is “Is it safe?” For a product whose potential failure falls in the category of existential risk, is the product a “pace” setter? We’ve seen multiple cases where medical devices have been subject to recall, and even to multiple, expanded recalls, to address security vulnerabilities. So your questions should be: what authoritative or regulatory certifications does the device hold? Has the device been the subject of current or past actions, and what is the process for device oversight, maintenance and updates?
Finally, this is less of a flag and more of a potential “smart” move. Are we too connected or too smart for our own good, and can device ignorance be security bliss? When looking at options, are non-smart options a viable second choice? Could they even be more reliable and predictable, not just more private and secure?