If companies like Amazon, Google, or Facebook fail to provide adequate protections, they could face lawsuits and government crackdowns over their technology
Alexa, Google Home, and Apple's HomePod are the convenient smart speakers that do our bidding within our homes, but who has access to the data we provide? Concerns over surveillance and data breaches have generated alarm over the amount of personal information we store in home technology, including our location, our home layout, and our voice. Such wariness is understandable, with Google Home Mini initially listening to its owners in the bathroom and uploading the data to Google's servers. After it was exposed as a glitch, the fault was quickly corrected, but the tech's capability of listening in when deactivated is proven.
However, Jake Williams, founder and president of cybersecurity firm Rendition Infosec, says the average user isn't likely to be targeted by hackers. "[Would-be attackers] don't care what you're talking about at home, they're looking to monetize data." He adds, "The level of effort to do it is too high in the vast majority of cases. Your average American just isn't that interesting."
In order to steal data from a home device, a would-be hacker would need "undetectable audio commands, eavesdropping software and targeting devices connected on a network." Since home tech doesn't store information as sensitive as credit card information, social security numbers, or passwords, it's simply not worth the effort. Of course, there are exceptions, as hackers could opt to target individuals in order to extort ransom payments for the data, but these instances are unlikely and rare.
Of greater concern is a massive data breach at one of the company clouds where customers' information is stored. While individual users can set up two-factor authentication and limit the number of external services they link to their home devices, once the information is collected and stored it's up to the company to provide protection. If companies like Amazon, Google, or Facebook fail to provide adequate protections, they could face lawsuits and government crackdowns over their technology, according to Bloomberg Law. Class action lawsuits, regulatory enforcement, and publicity damage could obviously harm company revenues if a data hack were not prevented.
Melissa Kern, privacy and information security law partner at Frost Brown Todd LLC, said, "If there is a security breach that results in unauthorized access to the personal data they have collected, whether due to a security flaw or not." As a result, Amazon and Google run product security tests to check for major flaws. Large tech companies also test the data transfer between personal devices and the cloud, in order to curb vulnerabilities to hacking.
Of course, there are steps consumers can take to protect their information. The straightforward protections include smart user management. As consultants advise, "For those who are concerned that Google Bots are listening to everything you say, you might find some comfort in knowing that Google Home listens and even processes who is talking locally. It uploads information to the cloud when the wake word, 'OK, Google' or 'Hey, Google,' is spoken or when you long press the touch interface at the top of the device (except for Mini)." Google Home also has indicators that alert you when the device is listening in.
Ultimately, it's up to the consumer to make smart and secure choices with their data. Limiting how many devices are linked to private accounts is an easy but powerful first step. The data clouds hold all the information the device interprets, whether insignificant, unintentional, or highly sensitive.
Is it even worth changing your password?
As threats to personal cybersecurity become more and more acute, many websites have created mandatory password update policies, forcing users to switch their login info every few months. This is true of most universities and certain brands of operating systems–Microsoft is notorious for regularly prompting password changes. The theory as to how this helps keep you secure is simple. By regularly changing your passwords, you limit the amount of time other people who've stolen your password can access your account. Unfortunately, there does not seem to be much evidence that repeatedly changing your passwords actually works to make your accounts more secure.
According to a 2010 study conducted by Microsoft, mandatory password changes cost billions of dollars in productivity for the companies that enforce them. These changes usually force workers to conform to stringent requirements, such as using a specific number of capitalized letters and special characters. According to the study, all this does is make remembering one's password harder. Most people just make a slight variation to their already existing password, and in some cases they even put their new password on a sticky note near their computer, for anyone walking by to see. On top of this, password changes to high-risk accounts are largely ineffective. This is because when a hacker gets the login information to, say, your online bank account, they aren't going to sit around constantly logging on to spy on your finances. They're going to transfer your money as quickly as possible, and unless you change your password at the exact instant in which they're accessing your account, all the mandatory updates in the world won't help you. Essentially, mandatory password changing on most accounts is at best a meaningless headache and at worst a huge time waster.
There are certain types of accounts in which hackers may linger to gather certain information about you. If a hacker gets into your Facebook account, they may stick around for a few months, impersonating you or trying to use the things you've posted as a means of gaining access to your other accounts by determining the answers to your security questions. In this case, it may be worth changing your password regularly as a preventative measure. That said, the methods that today's hackers use are usually advanced enough to crack most passwords.
Dictionary attacks, as their name implies, use a program that randomly combines words from the dictionary, quickly guessing any password that doesn't contain proper nouns, numbers or special characters.
Brute force attacks take a serious amount of computing power but have the potential to guess any password if given enough time. They simply guess, very quickly, every possible password variation. The longer your password, the safer it is.
Rainbow table attacks are an advanced method of recovering passwords after stealing a website's password database. These databases are easily accessible but most are protected by cryptographic hash functions. These are one-way functions that scramble passwords, with minute changes in input drastically affecting the function's output. Rainbow tables often provide a more feasible means of attack than using brute force, as the passwords contained in them are already hashed, making comparisons much easier.
Even if the websites you use salt (attach random data to) their passwords before hashing them as a preventative measure, this may not be enough. When the passwords, usernames and personal information of Ashley Madison users were leaked, Ashley Madison–probably due to the nature of the site's information–was using an advanced function called bcrypt to salt and hash all of their passwords. Unfortunately, they also used the antiquated but still very popular MD5 hash function for certain portions of their database. Hackers didn't even need to attack the bcrypt in order to get the data they wanted. They just hit the MD5 tokens and were able to reveal most of the information on the site.
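An added example (not from the original article) of why the salting and slow hashing described above matter for stored passwords: identical passwords share one unsalted MD5 digest that a precomputed table resolves instantly, while a per-user salt and a deliberately slow function give every record a different digest. PBKDF2 from Python's standard library stands in for bcrypt here, and the password list, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a precomputed table of
# common passwords and their unsalted MD5 digests.
COMMON_PASSWORDS = ["123456", "password", "letmein", "sunshine"]
ITERATIONS = 200_000  # assumed work factor; tune to your hardware

def md5_unsalted(password):
    """Weak storage: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

# Built once, then reusable against every database that stores unsalted MD5.
PRECOMPUTED = {md5_unsalted(p): p for p in COMMON_PASSWORDS}

def table_lookup(stored_hex):
    """Return the password if the stored digest is in the table, else None."""
    return PRECOMPUTED.get(stored_hex)

def store_password(password, salt=None):
    """Stronger storage: random per-user salt plus a deliberately slow hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = store_password(password, salt)
    return hmac.compare_digest(digest, expected)

def compare_schemes(password="sunshine"):
    """Two users pick the same password; see what each scheme stores."""
    weak_a, weak_b = md5_unsalted(password), md5_unsalted(password)
    (salt_a, strong_a), (_, strong_b) = store_password(password), store_password(password)
    return {
        "unsalted_records_identical": weak_a == weak_b,
        "unsalted_found_in_table": table_lookup(weak_a),
        "salted_records_identical": strong_a == strong_b,
        "salted_found_in_table": table_lookup(strong_a.hex()),
        "login_still_works": verify_password(password, salt_a, strong_a),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```

The salt is stored next to the digest in the user record; it does not need to be secret, only unique per user.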
This idea of a hacker is a bit cartoonish
Unfortunately, these vulnerabilities are more or less systemic. There's no way to convince the owners of the websites you frequent to update their encryption functions or any concrete way for you to protect your passwords. In reality, your passwords are never truly safe, unless they're protected by bcrypt, which is really only safe until someone cracks it. Your chances of being hacked, regardless of your password's sophistication, are virtually 100%. Hackers have programmed bots to do the heavy lifting and most attempts at hacking occur automatically. To make matters worse, there are large swaths of the web that aren't even encrypted, and the areas that are have been proven susceptible to attack. This means the answer to the question of how often you should change your passwords is relatively simple. You only need to change them if you think someone else has direct access to your account specifically. An angry ex or someone spying over your shoulder on the bus is a much more pressing danger than some anonymous hacker online. The truth is, changing your password won't do much to stop people who know what they're doing. Passwords only protect you because it takes effort to hack them, not because they're impenetrable.
Do the benefits of knowing a child’s location outweigh the risks of giving that information to hackers?
For busy, working parents, parents of children who take public transportation to school, parents of children with special needs and parents who simply want to know where their children are in case of emergencies, more and more GPS devices promise to track a child's location and broadcast it to the parents' phones. These watches, wristbands and phone-sized devices are immediately attractive to a worried parent. Many offer features beyond tracking, including communication, distress signals, augmented reality, water sensing and more. What parent doesn't want to better protect the children by keeping them away from dangerous places and situations?
But any electronic device is susceptible to hackers and a GPS-enabled communication device attached to a child is dangerous in the wrong hands. How can a parent weigh the benefits of knowing their child's location against the risks of exposing that location to hackers?
It starts with considering the situation: is a GPS tracker really the solution to a concerned parent's worries? Of course, there are unquestionably situations that call for better surveillance of a child's location, like parents who work and children who travel to school by themselves. Communication and awareness are essential to a child's safety. If used responsibly, this monitoring-from-a-distance could even give a child of a certain age more freedom without sacrificing protection.
It is already becoming common for pre-teens to have their own smartphones. A parent can use the phone's built-in features to track the child's location. Cell carriers also offer tracking features, such as AT&T's FamilyMap and Verizon's Family Locator.
But for a younger child without a GPS-enabled phone, a GPS tracker designed for kids might be a quick way to better peace of mind. A parent who's shopping for these trackers (or who's already using one) needs to understand the risks, where they come from and how to defend against them.
Norwegian researchers tested four kids' smartwatches last year and were surprised at the lack of security of the devices. They were able to hack into them relatively easily, collect private information, view the user's location and even send false location info to the parent's phone. One watch's SOS function didn't work. Some of the watches' data was transmitted without encryption.
A serious point of danger in some watches is their communication ability. Watches that allow the parent and child to communicate via voice or text can also allow hackers to communicate with the child, pretending to be someone they know.
Last year, the European Consumer Organization (BEUC) published a warning against smartwatches designed for children. The German telecom agency, Bundesnetzagentur, banned the watches and asked parents to destroy any they'd already purchased. And the FBI issued a general warning against internet-connected devices and the privacy risks that come with them.
It is important to choose a device from a reliable or expert-endorsed company that focuses on security and privacy.
Verizon sells its GizmoGadget for $150. It displays up to ten contacts for one-touch voice calling or sending short text messages. It's waterproof, comes in different colors and even features mini games and fitness challenges, all while tracking a child's GPS location. AngelSense is a GPS and voice monitoring device designed specifically for children with special needs. It is packed with features beyond GPS tracking, including noise monitoring, voice calling, a timeline view of the child's day, "runner mode" for a wandering child, an alarm, indoor location and more.
The truth is, smartwatches are internet devices that are vulnerable to skilled hackers and that store GPS data that could lead a dangerous person to a child. There are obvious benefits to using a device to track and locate a child at any time. But, at this early point in the devices' development, parents should research carefully and choose security and reliability over features or price.