National Cybersecurity Awareness Month- Beware Smart Devices

October is National Cybersecurity Awareness month and this year marks the 16th annual collaborative effort between government and industry to increase cyber security awareness and provide resources for online safety and security.  Read more about  the initiative and this year’s theme on the National Cybersecurity dedicated website.

In support of this important risk mitigation effort, please enjoy this post about Security Risks with Smart Devices.

Smart TVs
Smart TVs, like smartphones, connect to the Internet and incorporate and support a variety of applications allowing you to stream video, play games surf the internet and check social media. Many models include voice recognition tools for switching channels, searching programs, checking the weather or ordering takeout.  In addition, integration with smart home features enables them to connect with other IoT (Internet of Things) devices like thermostats, appliances, and security cameras.

But is the convenience worth the risk?  In 2018 Consumer Reports found that by exploiting security flaws in the setup, remote attackers can take control of some TVs to change channels, control volume, or open objectionable content.  In July 2018 Senators Markey and Blumenthal sent a letter to the FTC (Federal Trade Commission) raising concerns that federal laws have not been updated to encompass potential privacy issues associated with smart TVs and requested an investigation.

ACR (Automatic Content Recognition)
Smart TVs use ACR (Automatic Content Recognition) to constantly track what is being watched and convey it back to the manufacturer and/or business partner, such as Samba TV.  ACR analyzes pixels to identify every advertisement, TV show, or movie viewed – even those played on DVDs.  ACR proactively compiles data used to identify shows you may be interested in as well as for targeted marketing.  The data can be combined with other personal information to build a profile that is subsequently sold to other marketers in addition to identifying and mapping all associated digital devices sharing the Internet connection with the primary TV.  ACR retroactively provides insight into the performance of advertising campaigns.

It is difficult to review and delete ACR data.  During the initial setup process, tracking practices are disclosed and consent to collect data is requested; however, the opt-in documents may use misleading marketing phrases or are long and difficult to understand.  Consequently, consumers may not realize what they have agreed to.  If declined, a significant amount of functionality is lost including streaming of web-based services, such as Netflix or Amazon.  And there are even some TVs that won’t allow completion of the setup unless you agree to the privacy policy.

Smart TV- Security Best Practices:

  • If you are adamant about preventing data sharing, do not connect the smart TV to the Internet.
  • Isolate smart devices on one network to prevent hackers from accessing devices that contain personal information, such as a laptop.
  • Avoid doing online banking or shopping on a smart TV.
  • Pay close attention and read each screen carefully during setup.
  • If you accept the basic privacy policy, which you will have to do to enable streaming, the TV manufacturer will still get information from the set.
  • Turn off voice recognition features.
  • Turn off personalized advertisement tracking.
  • Keep software/firmware current.
  • During setup, deny ACR.
  • Settings are often deeply buried and difficult to find after the fact; however, resetting the TV to factory settings is an option.

Cables & Other Smart Devices
If you have a smartphone, then you likely have a lightening cable– the cable that connects your phone to your computer and a host of other external devices such as monitors, cameras, USB battery chargers, and other peripheral devices.  Be careful of using a cable that is not your own (e.g. at a hotel) or plugging in the marketing “swag” you might receive, as they can be a security risk.

Hackers are modifying cables to include extra components that allow them to wirelessly take control and remotely connect to a target’s peripheral device.  The cable looks legitimate and will function as expected; however, it is equipped with malware.  Evidence of its existence can even be hidden when the hacker remotely disables it.  Modified cables could easily be swapped out or given as gifts to intended targets.  Just as you would not insert a USB flash drive from an unknown source into a computer, do not use cables or accessories unless obtained from a fully trusted source.

Smart Devices
In August 2019 the Better Business Bureau issued a scam alert warning consumers to exercise caution when using a smart device, such as Google Home, Siri, or Alexa, to look up and dial telephone numbers.

Callers using smart devices are being directed to scammers who create fake customer service numbers.  By paying for advertisements, the sham listing gets moved to the top of online search results, which increases the chances it will be selected.  Consumers have been directed to tech support scams and requests to wire money or pay with prepaid gift or debit cards.

Cables & Smart Devices- Security Best Practices:

  • Always bring your own cable and adapter with you.
  • Do not use cables provided by hotels or airport lounges.
  • Be wary of cables given as gifts.
  • Beware of fake advertisements and obtain contact information from official company websites, invoices, or correspondence.
  • Don’t click on links in emails including bill confirmations, and never log in to a site via an email link.  Instead, open a browser and hand type the website address.
  • Always make payments with a credit card vs. debit card to obtain maximum legal protection against fraudulent transactions.

Author Sasha Aronson

More posts by Sasha Aronson

Join the discussion One Comment

Leave a Reply