COMMENT: VOICING DEEP CONCERNS

The recent revelation, in a blog post by security researcher Troy Hunt, that data from CloudPets teddy bears was being leaked and held to ransom online, exposing more than two million youngsters' voice messages, is truly unsettling. The allegation is that the toymaker, California-based SpiralToys, was using an insecure MongoDB database that required no authentication. At the time of going to press, and to the best of our knowledge, the cuddly toys may well still have been on sale in the UK.

We turned to an expert for his opinion on this bizarre and unsettling incident: John Shier, senior security advisor at Sophos. He sees it as a perfect example of what can go wrong with IoT, in this case when the backend systems to which the devices connect are not implemented properly.

"This company clearly should have implemented better security and either chose not to or didn't understand the implications of not doing it. What's really disappointing in this case is that it wouldn't have cost anything to at the very least apply a password to the database. Until IoT device makers start to take security and the privacy of their users seriously, we will only see more of these kinds of breaches."

The cry is a familiar one, but what should anyone do to avoid becoming a victim in this way? Shier offered some general tips to consider when connecting an IoT device to your home network, including:

- Do a Google search to see if the 'thing' has already been attacked. It is often wise to choose a brand you think will be around for a year or more, so you have someone to ask for updates if something bad occurs.
- Don't connect devices to the network if you don't have to. If all you want from your TV is to watch broadcast television, you don't need to connect it to the network. Eliminate unnecessary internet connections wherever possible.
- Make a guest network for your 'things' and connect them there. If your home Wi-Fi router allows you to create separate guest networks, you should do so; this keeps untrusted devices off your regular network.
- Keep the firmware up to date on all of your IoT devices. Patching is just as important as it is on your PC. It can be time-consuming to figure out whether updates are available, but why not make a habit of checking the manufacturer's website twice a year?

"Treat it like changing your smoke detector batteries," advises Shier. "A small price to pay for safety and security."

Brian Wall
Editor, Computing Security

EDITOR: Brian Wall
NEWS EDITOR: Mark Lyward
PRODUCTION: Abby Penn
LAYOUT/DESIGN: Ian Collis
SALES: Edward O'Connor, +44 (0)1689 616 000
PUBLISHER: John Jageurs
Published by Barrow & Thompkins Connexions Ltd (BTC), 35 Station Square, Petts Wood, Kent, BR5 1LZ. Tel: +44 (0)1689 616 000. Fax: +44 (0)1689 82 66 22.
SUBSCRIPTIONS: UK £35/year, £60/two years, £80/three years; Europe £48/year, £85/two years, £127/three years; R.O.W. £62/year, £115/two years, £168/three years. Single copies £8.50 (includes postage & packaging). Published 6 times a year.
© 2017 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.
Computing Security, March/April 2017