Monday, 9 December 2019

CyberSafe Alert 2019 Edition 10

What will Santa’s little hackers bring you for Christmas?

‘Twas the day after Christmas when all through the house, Not a creature was stirring, not even a mouse...

But the hackers were watching, and listening, and stealing, because of all the brand new internet connected gadgets, toys, and appliances that had been bought for Christmas presents.

In this edition of the CyberSafe alert we’ll talk about something that not many people stop and think about amid the excitement of the Christmas holidays, and that’s how much you’re exposing yourself to cyberattacks through the presents you buy for yourself and your loved ones.

There are too many ways you can suffer a cyber attack to cover in a CyberSafe alert, so I’ll focus on some of the main ones. If you want to find even more ways to protect yourself online this Christmas you can always read the Cybersafe book.


Don’t get your data pocket picked while shopping

During this silly shopping season, millions of us are shopping online to fill our loved ones' gift sacks. But did you know that at the same time, you are filling the online retailers' sacks with interesting tidbits of data about you and your spending habits?

Let me tell you a little bit about how they may be collecting data on you. As well as the usual data collected when you make a purchase on their sites, some retailers are also using tools that can track your browsing history to see what pages you are visiting. If you visited their competitor, they know about it. This is not necessarily illegal, but how is it possible? Well, millions of people around the world opt in to sharing their web browsing history, anonymously (or so they think). This can happen through seemingly innocent things like browser extensions you’ve installed whose terms of service (read the small print) note that they may share user data with third parties.

At this point, you may be asking yourself: So, what’s the big deal? Isn’t this how all cookie tracking works? Well, yes and no.

Some tools that retailers use can show third parties all the URLs a user has visited, and some of those URLs lead to pages that are not password-protected and that a regular user browsing the internet wouldn’t be able to find. These could be order confirmation pages, private PDF attachments, and other pages intended for one specific user’s eyes that aren’t protected by a login screen but are instead “blocked” only by a “token”, a series of characters that would be difficult to guess.

The use of these tools has already led to the unintentional sharing of sensitive data, including:
  • Home and business surveillance videos hosted on Nest or other security platforms
  • Information on recently purchased vehicles, including the vehicle identification number and the name and address of the buyer
  • Sensitive documents posted on Microsoft OneDrive and other cloud-based business platforms, like tax returns, business documents, billing invoices, and presentation slides
  • Patient names, the doctors they visited, and other details of their appointments on cloud-based patient care platforms
  • Travel itineraries on Priceline and other airline services
Even in cases where the page was password-protected, the URL and page title sometimes gave away enough to reveal the context of private data. The kinds of protected data exposed included:
  • URLs referencing car dealership subdomains that aren’t reachable from the outside Internet. Sometimes the URLs or page titles included vehicle identification numbers of specific cars that were experiencing issues, or they discussed vehicle products or features that had not yet been made public
  • Internal URLs for pharmaceutical companies like Amgen, Merck, Pfizer, and Roche; health providers AthenaHealth and Epic Systems; and security companies like FireEye, Symantec, Palo Alto Networks, and Trend Micro
  • URLs for JIRA, a project management service provided by Atlassian, that showed Blue Origin (Jeff Bezos’ aerospace manufacturer and sub-orbital spaceflight services company) discussing a competitor and the failure of speed sensors, calibration equipment, and manifolds

Advice for SMEs

Many companies (one hopes) make an effort to keep their website hacker-free, but the examples above demonstrate a big loophole that may have previously gone unnoticed. So as a small business, here are some things you can do to protect yourself and your customers:
  • Make sure that you are password-protecting any pages that contain information you don’t want accessible to the public. This includes order confirmations, attachments, or anything else not intended for general visitors to find. A hard-to-guess link is not a substitute for a login: anyone who ends up holding the link can open the page.
  • If you have password-protected pages, make sure the URL paths and page titles don’t give anything away either. Even if a link expires after a certain amount of time, a URL or title that names the customer, the order or the vehicle still leaks private data.
  • Take a look at your website pixels, employee browser extensions, or anything else that could result in unwanted data sharing.
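As an added illustration of the SME advice above (example code written for this edition, not from CyberSafe or any of the companies named), here is a small Python audit over a constructed list of crawled pages: it flags URLs that rely on a hard-to-guess token instead of a login, and URLs or page titles that carry a vehicle identification number, an email address or an order/invoice description. The hosts, token and VIN-shaped value are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Heuristics for the leak above: history-sharing extensions expose full URLs and
# page titles, so anything secret or personal in them leaks even behind a login.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{20,}$")   # long opaque "hard to guess" token
VIN_RE = re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b")   # vehicle identification number
EMAIL_RE = re.compile(r"[^@\s/?&=]+@[^@\s/?&=]+\.[A-Za-z]{2,}")
PRIVATE_WORDS = ("order", "confirmation", "invoice", "receipt", "patient",
                 "appointment", "tax", "statement")

def audit_url(url, title="", requires_login=False):
    """Return the findings for one URL/title pair; an empty list means clean."""
    findings = []
    parts = urlsplit(url)
    values = [s for s in parts.path.split("/") if s] + [v for _, v in parse_qsl(parts.query)]
    # 1. A secret token in the URL is all that protects the page: leak the URL, leak the page.
    if any(TOKEN_RE.match(v) for v in values):
        if requires_login:
            findings.append("token in URL: move it to a POST body or session, URLs get shared")
        else:
            findings.append("token-only access with no login: anyone holding the link can open it")
    # 2. Personal data must never ride in the URL or the title, login or not.
    for text, where in ((parts.path + "?" + parts.query, "URL"), (title, "title")):
        if VIN_RE.search(text):
            findings.append(f"VIN exposed in {where}")
        if EMAIL_RE.search(text):
            findings.append(f"email address exposed in {where}")
    # 3. A descriptive title ("Order confirmation for ...") leaks context even behind a login.
    if any(w in title.lower() for w in PRIVATE_WORDS):
        findings.append("title describes private content: use a neutral title")
    return findings

def audit_pages(pages):
    """Audit (url, title, requires_login) triples; return {url: findings} for risky pages."""
    report = {}
    for url, title, login in pages:
        findings = audit_url(url, title, login)
        if findings:
            report[url] = findings
    return report

# Constructed sample crawl output (made-up hosts, token and VIN-shaped value).
SAMPLE_PAGES = [
    ("https://shop.example/orders/confirm/Qx7pL2mN9vRt4sWy8zKb3Hd",
     "Order confirmation for jane@example.com", False),
    ("https://dealer.example/vehicles/1HGCM82633A004352/recall", "Recall notice", True),
    ("https://shop.example/account/orders", "My account", True),
]
if __name__ == "__main__":
    for url, findings in audit_pages(SAMPLE_PAGES).items():
        print(url, *("  - " + f for f in findings), sep="\n")
```

Point the same checks at your own sitemap or server logs and anything flagged is a page whose URL or title should not be reaching a third party.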

It’s Child's Play

Now that you’ve navigated the jungle of e-commerce and bought your little angel a brand new toy, you should also be aware of the cyber risks that can come with it. If you’ve gone the analogue route, you’re in the clear - woohoo. If you haven’t, and your child's toy can connect to the internet (you’d be surprised at how many can!), then you should take a few precautions to protect you and your child.
Now, some security experts say the only way to prevent a hack is to not keep the toy. We say bah humbug, it’s Christmas and you don’t want to be Scrooge, so if you decide to let your kids unwrap and play with it, here are some ways to reduce the risks:

Research, research, research

Before opening a toy (and if you’re buying it yourself, then before you buy the toy), search for it online and read reviews to see if there are any complaints or past security problems. If there have been previous issues, you may want to rethink keeping it.

Reputable companies will explain how information is collected from the toy or device, how that data is stored, and who has access to it. Usually that type of information is found on the company’s website under its privacy policy. If you can’t find it, call the company. If there isn’t a policy, that’s a red flag. My advice would be not to use it. You should also be aware that companies can change their privacy policies, so read them again if you’re notified of a change.

Use secure Wi-Fi

Make sure the Wi-Fi the toy will be connected to is secure and has a hard-to-guess password. If the toy itself allows you to create a password, do it. Don’t settle for the default password: not only can default passwords be easy to guess, but there are plenty of sites like this one - - in the public domain that list them.

Power it off

When the toy is not being used, shut it off or unplug it so it stops collecting data. If the toy has a camera, face it toward a wall or cover it with a piece of tape when it’s not being used. Toys with microphones can be put in a chest or drawer where it’s harder for them to hear conversations.

Register, but don’t give away info

With some toys, you may be asked to register so you can receive software or firmware updates over the web. You absolutely should do this, as a software update may fix security flaws that have been discovered. But, when you do register, keep the information you supply to the bare minimum required. If the registration requires personal information you’d rather not give, such as your child’s birthday, make one up. You’re not under oath!

Be vigilant

If the toy allows kids to chat with other people playing with the same toy or game, explain to your child that they shouldn’t give out personal information.

Reputable companies that make toys with microphones will offer ways for parents to review and delete stored information. Make sure you take advantage of that.

Report breaches

If a toy was compromised by a hacker, the FBI recommends reporting it online through its internet crime complaint center at You can also use this site to check on any breaches with your particular toy.


Something for the Grown ups

It’s not just the kids that need to be wary though. After all, Christmas is for adults as well, and after a few eggnogs too many, you may be feeling a bit frisky. The kids have been put to bed (or maybe you don’t have kids to worry about), and it’s time for the adults to unwrap their presents. Well, the adult industry is never one to be left behind, and it's now playing catch-up in the cyber/Internet of Things space as well. Once upon a time, you could rely on your favourite sex toy to be a discreet, standalone pleasure to be enjoyed solely in the privacy of your own home. With the coming stampede of internet-connected intimate adult accessories, that privacy is being challenged. Because adult toy manufacturers are coming relatively late to the online arena, most sex tech devices and their associated software are awful from a privacy, and often security, perspective. They collect too much sensitive data, such as who you’re having sex with, and aren’t doing enough to protect it. Lots of them don’t even use basic encryption to protect their communications.

One adult toymaker recently had to pay a settlement of £3 million to its customers after it was revealed that the company’s connected vibrator collected sensitive user data, including when the devices were used and their vibration settings, and linked it all to user email addresses.

On the security side, researchers have revealed that connected sex toys are easy to hack, making that data collection all the more problematic. But it’s not only hacked or leaked information that is an issue. A larger one is that if the infrastructure is hacked, attackers could manipulate partner match-ups, and someone else might end up controlling the devices that you and your partner use! And if your connected adult toy also comes with a camera, well, I don’t need to go into detail about that scenario...

Are you the watcher or are you being watched?

Once you’ve overdosed on festive food and drink, opened your presents and had your Christmas fun, you’re probably going to want to put your feet up in front of the TV. So here’s the thing. Is that TV a new smart TV you’ve just bought? Have you connected it to the internet? If so, you may want to take a few precautions before you get too comfortable.

Like anything that connects to the internet, smart TVs are susceptible to the usual online security vulnerabilities, including hackers. As with the adult toys mentioned earlier, because smart TVs are a relatively new concept, manufacturers have not yet reached the level of digital security found on devices such as computers. This weakness could potentially give hackers a gateway into your home. For example, a hacker may not be able to access your (if you’ve been following the advice in Cybersafe) securely locked-down computer, but they may be able to find a back door to your router through your unsecured smart TV. In fact there have been documented examples of hackers gaining access to Google Chromecast sticks and streaming random content to unsuspecting viewers. Other jolly japes a hacker might indulge in on your smart TV include cranking the volume up and down, knocking your TV off the Wi-Fi network, quickly changing channels, or forcing your TV to play questionable YouTube content.

While hackers are potentially an issue, hacking smart TVs still takes a bit of know-how and is illegal, so that dissuades most casual hackers. What is arguably a bigger issue is the perfectly legal (so far) tracking of your data by smart TV manufacturers. Smart TVs use a technology known as automated content recognition (ACR) to constantly track what you are watching and relay it back to the manufacturer and/or its business partners.

ACR helps the TV recommend other shows you might enjoy watching, but it can also be used to target your family with advertising. The data can also be combined with other aspects of your personal information to build profiles of your behaviour that are sold to other marketers. If you read the Cybersafe alert on doxxing, you’ll recognise this as one of the ways doxxers can get hold of your data.

So what are some ways that you can improve the digital security around your smart TV? Well, options include placing black tape over an unused smart TV camera, and following the usual advice in Cybersafe, which is to keep your smart TV up-to-date with the latest patches and fixes, and to read the privacy policy to better understand what your smart TV is capable of.

While it may be inconvenient for most users, and possibly negate the main reason for buying a smart TV, the most secure smart TV is one that isn’t connected to the internet at all.

I hope this Cybersafe alert hasn’t ruined your Christmas and has instead (as intended) made it a (digitally) safe and secure one for you and your loved ones.

Following the advice in CyberSafe should go a long way to keeping you safe online. As we like to say at the CyberSafe alert - Don’t Be Scared; Be Prepared.

Don’t forget to share this important information with someone you care about.

Are you new to the cybersafe alert? If so you’ve missed out on some great information to keep you and your family and business safe online. Here’s what you have missed so far this year:

Edition 1 - Are your toys spying on you?
Edition 2 - The unhackable password
Edition 3 - Is It Safe To Hit 'Send' Now?
Edition 4 - WhatsApp Hacked!? Here's What To Do About It
Edition 5 - Is the new “Sign in with Apple” button a game changer?
Edition 6 - Why your personal calls are not personal anymore
Edition 7 - Has your wallet been hacked?
Edition 8 - Your personal data may have been breached - Take action now!
Edition 9 - Have you been Doxxed? What it is and how do you avoid it?

Want a regular briefing about the newest cyber threats? Subscribe to the Cybersafe Alert now!

If you can't wait for the next CyberSafe Alert to tell you how to protect yourself online, get CyberSafe the book. It's packed with the useful information and strategies you need to keep yourself, your family, and your business safe online.

Every effort has been made to ensure that the content provided in this post is accurate and helpful for our readers. However, this is not an exhaustive treatment of the subjects. No liability is assumed for losses or damages due to the information provided. You are responsible for your own choices, actions, and results.
