What security risks are hidden in your Christmas presents this year?
Once upon a time, a Christmas tree surrounded by elaborately wrapped gifts represented a security threat because the festive season has traditionally been the busiest time on the burglar’s calendar. These days, if the festive wrapping paper, gift boxes, cellophane and ribbons under your tree disguise tech toys and mobile devices, the threat could be more invisible – and potentially even more costly.
Tech toys, WIFI enabled games, wearable devices, tablets, mobile phones and even big-ticket items like laptops are already predicted to be among some of the most popular gifts this Christmas.
The Toy Retailers Association has revealed its list of the 12 toys expected to be most popular at Christmas 2015 in the UK, predicting the number one gift could be Vtech’s Baby Toot-Toot Friends Busy Sounds Discovery House. Did we just say Vtech?
According to gizmag, today’s kids expect their toys to connect to the internet, pair with smart devices, and let them join in the latest tech trends, often before their parents. However, while there are good reasons parents should think twice before buying tech toys for their kids, as you will read below, security risks aren’t just confined to gadgets for children.
As the concept of the Internet of Things (IoT) rapidly becomes reality as more and more objects are embedded with electronics, software, sensors and network connectivity that enables them to collect and exchange data, how many of your Christmas gifts could be the equivalent of the Trojan Horse? It was a decisive end to the Trojan War when the Greeks used subterfuge to enter the city of Troy, hiding some of their army inside a huge wooden horse. After pretending to sail away, the unsuspecting Trojans pulled the horse into their city as a victory trophy. Later that night the Greek force crept out of the horse and opened the city gates for the rest of the Greek army to enter and destroy the city. What attackers could be potentially unleashed in your Christmas gifts?
Think twice before buying the following gifts
From big brand gaming consoles to experimental wearable devices, many manufacturers are struggling to keep up with hackers and attackers.
Christmas Security Risk #1: Gaming consoles that ask for too many personal details
Gaming consoles can be hacked and personal data stolen. According to many commentators, Sony’s Playstation is most likely to be targeted by hackers after personal details about millions of Playstation Network (PSN) users were stolen back in 2011. Many believe that Sony has not responded appropriately and continues to ask for the type of personal and financial data that banks do, without the same security measures in place. Recently some hackers set out to prove that that cyber security at Sony remains weak by unleashing a massive distributed denial of service (DDos) attack.
Christmas Security Risk #2: Tablets and apps that store data on the manufacturer’s server
When tablets, or apps that run on them, ask children for any personal data (such as names, addresses and birthdates), ask them to upload a profile photo, record audio conversations or store chat logs, it potentially puts your family at risk if these files are stored on the manufacturer’s servers.
A hacker took advantage of this last month, stealing data from 4.8 million customers including gigabytes worth of profile photos, audio files and chat logs sitting on Chinese electronic toy manufacturer VTech’s servers, after VTech had encouraged parents to take the headshots of both themselves and their children and use them with apps like Kid Connect that enable them to interact with each other. The hacker then downloaded almost 200 gigabytes’ worth of these photos as well as chat logs and recordings of conversations. Many have questioned why VTech stored the data on its servers in the first place and while the company responded by switching off the servers, blogger Dan Goodin says “it was of little help to the millions of people already affected by this epic privacy blunder”.
Christmas Security Risk #3: Wi-Fi enabled dolls, teddy bears and toy robots
Wi-Fi enabled dolls, teddy bears and toy robots pose a risk because hackers can extract information including Wi-Fi network names, account IDs and MP3 files. Hackers could also hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password. But this is just the tip of the iceberg. Attackers could also intercept communication between a child and his or her toy. For example, Hello Barbie enables real-time conversations between children and the doll by recording audio and uploading it to the cloud for instant processing of artificial intelligence-based responses. Security researcher Matt Jakubowski recently managed to hack the Hello Barbie operating system and says the information he’s been able to extract would enable the attacker to find someone’s house, access their home network and retrieve everything that the toy has recorded.
Christmas Security Risk #4: Smartwatches
A research study conducted by Hewlett-Packard released in July this year analyzed 10 smartwatches and found that every single one of them contained significant vulnerabilities, including insufficient authentication, lack of encryption and privacy concerns. The top selling smartwatch for kids last Christmas was the Vtech Kidizoom, designed for 6-12 year olds. While it wasn’t included in the HP research study, Vtech’s recent security breach with its tablet (see #3 above) should put parents on watch.
Christmas Security Risk #5: Fitness trackers
Wearable devices for grown-ups like Fitbit Force, Jawbone Up, Fitbug Orb, Nike FuelBand SE store vast amounts of personal data about the user. The devices link the gathered information to a user profile connected to a laptop or smartphone through a Bluetooth connection and also send the information to the cloud for safekeeping. The potential for a hack exists during the data exchanges. While a lot of the information from the device (such as number of miles run) is not sensitive, it gives hackers backdoors into laptops and smartphones loaded with personal information.
Christmas Security Risk #6: Gaming consoles that don’t turn off
There is a risk that hackers could exploit gaming consoles while they are apparently lying idle. Some believe this risk is much greater now that there are an army of devices that not only allow, but also expect, to be remotely controlled and reprogrammed, like the Nintendo Wii, which can communicate with the Internet even when the power is apparently turned off. This is because “off” doesn’t always mean “off”, it can mean “on standby”. Security experts advise that if users expect the Nintendo Wii to be truly off, they need to pull both the power plug and Ethernet cable. If it’s battery powered or you’re on WIFI the only way to know you are completely secure when not using the Wii is to switch off the wireless network.
Christmas Security Risk #7: Smartphones and their apps
A few years ago, the European Union Agency for Network and Information Security identified the top 10 security risks for smartphone users and these pretty much remain the same today, although the popularity of apps like WhatsApp that have attracted more scammers, elevating the risk of phishing to a new high.
Here’s what we think are today’s top risks:
- Phishing attacks – an attacker collects user credentials (such as passwords and credit card numbers) by means of fake apps or text messages and emails that seem genuine. See our recent WhatsApp blog.
- The smartphone is stolen or lost and its memory or removable media are unprotected, allowing an attacker access to the data stored on it.
- The smartphone is decommissioned improperly allowing an attacker access to the data on the device.
- The smartphone has spyware installed, allowing an attacker to access another’s data but actually making them just as vulnerable. The majority of these “spy apps” are actually scams that load malware onto the would-be-spy’s phone.
Christmas Security Risk #8: Toys with microphones and cameras
Toys that contain microphones and cameras could theoretically listen in on conversations, spy on children and control home appliances without parental permission.
Google has recently patented technology that enables all of this.
Christmas Security Risk #9: Giving someone a hug
With all the risks inherent in digital gifts, why not try a non-digital gift like a “hug” this festive season? The only security risk is that you might get a hug in return! Actually, Christmas is not about giving gifts, but giving. So think about not only giving someone a hug, but also giving the gift of your own presence, spending time with your children, family and friends, instead of just buying another gadget to have them entertained.
And if we’ve completed scared you off buying a physical gift entirely and you’d rather donate money to a charity on behalf of your loved ones, then follow these precautions because scammers can take advantage of those who are trying to be generous this Christmas:
- Always verify that the organization is authentic and not a fake clone of a well-known charity
- Never donate if some unknown entity/person asks you do so by email
- Do a Google search to see if there are any reports that the charity is a scam, or has been targeted by scammers.
Christmas Security risk #10: Socks that aren’t made with natural fibres
Socks that aren’t made with wool or cotton come with their own inherent risks. You might have to open every door and window to air out the house because of bad foot odour, making you vulnerable to an old fashioned domestic burglary!
Speaking of burglaries, see our list of other cyber-related Christmas security threats below…
Other cyber-related security threats at Christmas
Cyber-related security threats at Christmas don’t just come neatly wrapped. It’s important to be security conscious wherever you’re shopping – whether it’s online or at a bricks and mortar store – and when you’re not home.
- Always remember you should NEVER send your full credit card details (name, number, expiry date and security code) by any non-encrypted channels such as email. The details must be sent exclusively via encrypted websites that use “https” instead of “http” in the website address.
- If you’re using a credit or debit card either in-store or online, check your bank statements regularly – even now that chip technology, which stores data on integrated circuits rather than magnetic stripes, has become the gold standard, stolen card data can still be used for fraud in situations where a card is not physically present because other people can use the stolen card details for online purchases.
- Many security experts also believe retailers are more at risk during the festive season. Perhaps reconsider shopping online during the Christmas peak-trading period, when DDoS traffic could be disguised as peak sales traffic and may not be identified as related to an attack.
- Many retailers now encouraging you to download their in-store apps, so be aware that these can also be vulnerable to attacks and security breaches. Ask questions about how your personal data will be protected. Use only the tried and tested apps – be very wary of being an early adopter in these cases. (You might also want to ensure you’ve got the latest version of Emsisoft Mobile Security installed.)
- With online shopping becoming more and more commonplace, never give permission for deliveries to be left outside in a visible place as it provides a clear signal to would-be burglars that nobody is home.
- Don’t leave discarded boxes of expensive items (e.g. TVs, tablets, desktop computers) outside the house after Christmas. They are to burglars what honey is to bees – and if a thief is trying to decide which house to break into in the street, it makes you the most obvious target.
What to do before you connect…
While unwrapping a shiny new gadget might well bring joy on Christmas day, some security experts believe the problems could really start when people try to connect such devices to their home or office networks. There have been recent reports of so-called “trojanised adware” affecting Android phones and a new iOS malware called XcodeGhost. Usually applications are not allowed to access the files created by other applications, however with root access, which is enabled by both the Android and iOS malware, those limitation are easily bypassed. A team of Security experts are concerned it is only a matter of time before sophisticated attacks can exploit the potential of mobile devices to act like a backdoor to office networks.
If you are planning on buying either yourself or someone you love a shiny new Windows computer or laptop, it’s a good idea to invest in some solid protection. When you’ve got the latest version of Emsisoft Anti-Malware installed, you can be worry-free about malware this holiday season.
Emsisoft Anti-Malware & Emsisoft Internet Security 18.104.22.16884 released