You better watch out — some of this year’s high-tech holiday gifts can see you when you’re sleeping, and they know when you’re awake.
Mozilla, the nonprofit behind the Firefox web browser that also advocates for a safe internet, released a privacy report on Monday rating the security of some of this year’s hottest internet-connected devices. It warns that some — particularly drones and smart speakers — could be spying on you and your kids, or exposing your personal information. Those fears have been stoked by horror stories such as the Long Island mother who recently reported that a stranger hacked her Nest home monitoring camera and spoke to her 5-year-old through the speaker.
“We think it’s really important to provide useful information to help people make good, informed decisions when shopping for gifts … and we spent a good chunk of the year collaborating with the Consumer International and the Internet Society to come up with the security standards that we are using,” Ashley Boyd, Mozilla’s vice president of advocacy, told Moneyish.
And it’s a huge, problematic market. The internet of things (IoT) covers the billions of physical devices that are now connected to the internet, collecting and sharing data — such as your smartphone, your fitness tracker or your increasingly connected home appliances. The $235 billion market as of 2017 is expected to more than double to $520 billion by 2021, according to Bain & Company’s market research, which also found that security concerns are one of the biggest barriers to more customers adopting this tech.
The devices making Mozilla’s nice list include gaming systems like the Nintendo Switch, Sony PS4 and Microsoft Xbox One; smart speakers like the Google Home and Amazon Echo collection; and the Harry Potter Kano Coding Kit, a motion-tracking magic wand that teaches kids how to code. But even those carry some caveats. The Switch, the Xbox and the Harry Potter wand have privacy policies that can be difficult to understand, and they share your data with third parties. The smart speakers listen in on your conversations (which, to be fair, is how they operate) and they share what you’re searching or buying with third parties.
So the report suggests that the remaining products on the list, which didn’t meet Mozilla’s minimum security standards, should give shoppers serious pause. One is the FREDI Baby Monitor, which comes with the weak default password of “123” and doesn’t require users to change it to something stronger. The monitor also doesn’t use encryption to protect your data, and Mozilla researchers could not get a clear answer from the company on whether it shares your information with third parties or if it deletes the data it stores on you. A South Carolina mom also complained earlier this year that someone hacked her FREDI monitor and was aiming the wireless baby camera at her bed, where she often breastfed her infant son. FREDI has yet to respond to the Mozilla report, although someone claiming to represent the seller on Amazon has assured customers concerned about security that, “You set the password by yourself, no one can access to view your videos, it is secure.”
And drones such as the Dobby Pocket Drone, the Parrot Bebop 2 or the DJI Spark Selfie Drone don’t include encryption or require users to change the default password, according to Mozilla’s research. Plus, DJI drones have a history of being hacked (which is why the U.S. military banned using DJI drones for military purposes last year), because they’re often operated outside using unsecured public wifi. DJI told Wired that there is “no indication that the Spark has ever been hacked, other than intentionally by enthusiasts looking for a performance boost,” and last week it patched a bug that hackers could have used to access user accounts.
Just launched! Our new and improved https://t.co/eZEQ4zTxUh holiday buyer’s guide.
70 connected products across 6 categories and a brand new Creep-0-Meter 😲. We’re here to help you shop safe this holiday season.
— Mozilla (@mozilla) November 14, 2018
Mozilla researchers also couldn’t determine whether smart toys such as the wifi-connected CogniToys Dino (which listens to your kids and answers their questions, or tells them stories), the app-connected Parker Teddy Bear or the Bluetooth-operated “Star Wars” Sphero BB-8 robot featured encryption or not, and these items don’t require users to change default passwords, which makes them vulnerable to hacking — although these toys often access less personal information than a smart home speaker or camera would, at least.
So what should shoppers watch out for? Cybersecurity expert Jim Stickley, founder of Stickley on Security, told Moneyish that the three must-have security features include: ensuring that the device encrypts your data; that it makes the user create a new secure password so that the owner doesn’t just run on the weak default one; and that the product pushes automatic security updates instead of requiring the user to apply a patch themselves. “Those are the three things that do you in every time,” he said. “People often get one of these things, plug it in, and leave it, and then they get destroyed,” because they’re vulnerable to hackers.
And if you receive one of these connected devices as a gift before you’ve had a chance to vet it, Stickley recommends changing the password that links your account to the device. And make sure that your home wifi is secure by setting a secure password and checking for any security patches to update your router’s safety features. “The back of your router always has a model number on it, and the name of whoever makes it, like Linksys,” he said. “So go to the manufacturer’s site, type in the model number, and find out if there’s a firmware update — and then it’s actually not hard to apply them. They are generally web-based, and might take you just 10 minutes to click through the instructions.”