Practical privacy and simple cybersecurity.
TheNewOil.org

Some Christmas Gift Tips

According to The Atlantic, there are an estimated 526,000,000 kids under 14 who celebrate Christmas and therefore receive presents around the world. Logically, if we expand that number to include adults who receive presents on or around December 25 – regardless of religion – that number rises exponentially. While traditions (and even exact dates) vary around the world, gift giving around the Christmas season seems to have become a pretty common global phenomenon. Therefore, if you’re reading this blog post, it’s highly likely that you yourself got some gifts recently. So this week, I want to share some tips for any electronic gifts you may have received.

1. Be Mindful of Your Trash

First and foremost, let’s talk about a bit of practical advice: the leftover trash. If anything can be recycled, please do. (Don’t bother with plastics.) If anything can be re-used – like gift bags or boxes – I encourage you to stash them away for next year. (Maybe make a note of who gave the bag to you so you don’t look cheap by regifting them the same bag next year.) But for big, expensive items, don’t put the boxes and bags on the street corner for trash pickup. Things like TV boxes, for example. There’s an urban legend – even acknowledged by the police – that thieves look for such items to help pick which house to target next. If you’ve got a bunch of boxes for new computers, Alexas, and Smart TVs, you’re basically waving a big flag inviting someone to rob you. While Snopes argues that there’s no evidence that this has ever happened, why take the risk? I strongly encourage you to break down your trash and make it less obvious.

2. Internet Connected Devices

Whatever gifts you got this year, I’m willing to bet that at least one item has internet connectivity. Maybe it’s the new Smart TV or a toy for your kids. It seems like every few years people just latch onto some trendy buzzword and then everything has to have that thing shoved into it regardless of whether it actually needs it or not: apps, blockchain, internet connectivity, etc. Many, many toys and items these days come with internet connectivity and apps, even if they have no reason to. (I once heard an ethical hacker say he got access to a target by exploiting the coffee pot, which was – of course – running an admin account on the company WiFi.) So the first question you should ask yourself before rushing to connect that [insert item here that obviously doesn’t need an internet connection] to the internet is “does it actually need it?” Sure, your smart TV can connect to the internet, but do you even use streaming services? If you’re not a streamer, leave it offline. Your kids’ toys 100% do not need to be connected to the internet (with a few exceptions, like tablets). If it doesn’t actually need internet, don’t connect it in the first place. (Note: some devices unfortunately will connect to any open WiFi whether you approve it or not, so first make sure your device isn’t already attempting to do so. If you have a device that does this, I encourage you to connect it to your own network and follow the rest of the tips in this post to prevent someone else from connecting to and abusing your device.)

Side Note: Why Does It Matter?

You may be wondering “why would anyone even bother connecting to my device in the first place?” First off, if a criminal accesses one device in your home, they’ll frequently be able to use that to access other devices. Think of it like your physical home: if you get through the front door, you can usually use that access to easily walk into other rooms of the house unimpeded. Just like your physical home, once a criminal has access to one unimportant device – say your Smart TV – they can pivot into other devices that do hold sensitive information, like your computer where you check your bank account or your smart phone that has sensitive photos.

“But I’m not even doing anything interesting,” you might say. “Why would they bother hacking my smart TV in the first place?” Maybe you’re not. But the internet has made the criminal’s investment in attacking you negligible. Continuing with the physical home example, unlike your physical home the internet connects all parts of the world instantaneously. In the physical space, you only have to worry about nearby threats – in other words, the world’s best lockpicker isn’t going to fly in from Australia or Spain to come pick your lock (credit to Bruce Schneier for this analogy). You’re just not worth it. But in the digital space, that flight takes about two seconds and absolutely no cost. Suddenly it does become worth it just to give it a quick try. So while you may not be a famous celebrity or a business tycoon, attempting to hack you is pretty much the same as trying the doorknob of every door you pass while walking by. It’s not hard, it takes very little time or effort, so why not? (And unlike trying every door you walk past IRL, an attacker is highly unlikely to be noticed and flagged by the Neighborhood Watch.) In fact, most attacks these days are automated, so “hacking you” isn’t even something that a criminal does in the sense you’re thinking of. Most criminals “hack you” while they’re busy making a sandwich, sleeping, or watching Netflix. Their machine does 90% of the work automatically – sometimes even trying out different username/password combos. The attacker just checks the reports every so often to see what was found and what they have to work with.

So what do they do when they get in? It depends. The vast majority of these automated accesses result in planting malware on your device, usually for use in a DDoS attack (the ones where millions of devices ping a website at the same time and cause it to go down) or for mining cryptocurrency. These typically result in slower devices and network speeds for you, so even if you don’t care about the ethics or legality of these abuses, you still suffer negative impacts from it. More advanced malware may attempt to intercept the traffic on your network or place malware on other devices and look for additional data and credentials, like your bank login or sensitive communications. Then they can blackmail you, drain your bank account, or do any number of malicious things.

Now that we’ve had this talk, let’s get back to the advice.

3. Default Credentials

Right now, there’s an epidemic of exposed devices online. How are they exposed? Is it through malicious software? Open ports? Outdated firmware? Well yes, but there’s another reason that’s far more prevalent than any of those: default login credentials. You see, a lot of people get a new device and just plug it in, get it going, and call it good. Little do they know that a quick Google search for “[make and model number] default login” can often turn up the factory-preset credentials. And most routers, for example, will show you the exact make and model number on the login page. In other words: as I mentioned earlier, criminals have bots that automatically scan every IP address and port number they can think of to check for any hits. Once they get a hit, they can easily see the make/model of the device and software, then they can quickly search dozens of totally free, totally legal databases for the default password, and then come back and try it. Again, this is often 100% automated, and now your device is compromised. And to think, you can prevent almost all of this just by taking five seconds to change the default password. For more information on how to pick a good password and remember it, check out this page.

4. VLANs (& VPNs)

Virtual Local Area Networks, or VLANs, are one of the most criminally underrated things available to modern consumers. Once again, using the physical house analogy, think of VLANs like shutting and locking the doors to each room. By putting different devices on different VLANs – all cell phones on one, all computers on another, all IoT devices on a third, etc – you’re effectively compartmentalizing each device. So now, let’s say that an attacker gets access to your Smart TV – which in the house example is a bedroom. In addition to the initial hassle of finding and accessing your one room, the attacker now has the additional challenge of opening each door into every other room to gain access to all of those devices and their data, too. Most mid-level and higher routers now come with the ability to set up multiple VLANs and configure them any number of ways. To give you some ideas, in my home we have a guest WiFi VLAN, our own WiFi VLAN we use for our phones, a VLAN for the Smart TV (our only IoT device), and a VLAN for the game consoles. If your router doesn’t support VLANs, a cheap alternative is to simply go buy a second router, connect it to your main router, and then put all your IoT devices on the second router. This will accomplish the same goal, and can be done for the cost of a $20 router from Target.

Note: a subnet and a VLAN are similar, but different. A VLAN is actually separated and firewalled from other VLANs on the network. So if you’re tech savvy and you simply decide to assign different subnets yourself, that may help to some extent but it’s not the same as an actual VLAN.
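To make that note concrete, here is an added example (not from this post or from TheNewOil) of the kind of rule set a VLAN-capable router applies between segments so that one compromised gadget cannot simply route into the rest of the house. It is an nftables ruleset for a Linux-based router; the interface names wan0, lan.10, lan.20 and lan.30 and the assignment of phones, computers and IoT devices to those VLANs are assumptions made for illustration.

```nftables
# Added example: inter-VLAN policy on a Linux router. Interface names are assumed:
#   wan0    = uplink to the ISP
#   lan.10  = VLAN 10, phones
#   lan.20  = VLAN 20, computers
#   lan.30  = VLAN 30, IoT (smart TV, game consoles)
# A router that merely has three subnets still forwards packets between
# them freely; it is this forward-chain policy that makes the VLANs "locked rooms".

table inet segmentation {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed further down.
        ct state established,related accept

        # Every VLAN may reach the internet.
        iifname { "lan.10", "lan.20", "lan.30" } oifname "wan0" accept

        # Phones and computers may talk to each other.
        iifname { "lan.10", "lan.20" } oifname { "lan.10", "lan.20" } accept

        # Phones may open connections to IoT devices (e.g. casting to the TV),
        # but nothing on the IoT VLAN may open a connection toward the others.
        iifname "lan.10" oifname "lan.30" ct state new accept

        # An IoT device trying to reach phones or computers is exactly the
        # pivot the post describes; log it so the attempt is visible, then drop.
        iifname "lan.30" oifname { "lan.10", "lan.20" } log prefix "iot-pivot-attempt: " drop
    }
}
```

Load it with `nft -f` on the router after the VLAN sub-interfaces exist (on Linux, `ip link add link <parent> name lan.30 type vlan id 30` creates one). The order matters: the established/related line must sit above the per-VLAN rules so replies to allowed connections get through, and the log-and-drop line at the end is what turns a smart TV's attempt to reach your laptop into a line in the router's log rather than a silent success.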

You may also wish to put all your devices on a VPN. This is an entire discussion worthy of a separate blog post, but long story short is that a VPN only does two things: hides your traffic from your Internet Service Provider (ISP) and gives you a different IP address. Both are valuable things that I believe are worthwhile, and I strongly encourage you to put a VPN on your router to protect your IoT devices, but just remember that VPNs – no matter where you put them – are not silver bullets that magically make you hacker- or tracker-proof.

5. Default Settings (& The Privacy Policy)

Finally, the last tip I have for you is to carefully check each setting on your new device. Many devices nowadays come with an option to disable or limit the sharing of information. While I’m skeptical that this will completely eliminate data sharing, it reduces some of it and helps make a statement that you don’t wish to be tracked. Two-factor authentication is another powerful security measure that’s become more widely available in recent years, so be sure to check your account settings for the new device and see if you can enable that. Needless to say, the exact range of options varies from device to device and company to company, but be sure to sit down, learn what your options are, and tweak them for an appropriate level of privacy and security.

The last thing to do before unleashing your new device gift into the wilderness of your home is to read the privacy policy. As I write this, I suddenly realize I’ve never written a blog post about how to read a privacy policy. That’s now on my schedule and I will rectify that. In the meantime, know that there are two main sections I pay attention to: “What Data We Collect” and “How We Use That Data.” (The exact names of each section may vary, but it’s usually something along those lines.) Most privacy policies are intentionally written to be very vague to give the company more leeway and less culpability, but they will still give you a pretty good idea of what the company collects and how (e.g., “any information you willingly add to your online account such as name and email address” or “geolocation data collected from the app”). This will help you make responsible decisions about when and where the device can and should be used and any additional protections you may need to take for it.

Hopefully this post has been helpful. Hopefully you were given some gifts that actually add value to your life. Technology is a double-edged sword, and it can bring some really cool, convenient, and even life-changing or life-saving things into our lives, but it can also bring some trouble, harms, and risks, too. Be sure to do everything in your power to manage those risks and make technology serve you instead of the other way around. Happy holidays to all those who celebrate (and for those who don’t, happy Saturday).

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here.