Everyday gadgets can pose security risks beyond the microphones on your smart speaker or the camera on your laptop.
Mozilla Foundation, the nonprofit behind the web browser Firefox, created a shopping guide by studying 70 popular internet-connected products and highlighting the minority that actually passed standard security requirements. Some that failed, such as the Anova Precision Cooker Sous Vide or the Amazon Kindle, may not even be the kind of products that consumers generally associate with being vulnerable to misuse of user data.
Mozilla worked with Consumers International, a global consumer-advocacy group, and the nonprofit Internet Society to determine the standards each product should meet.
“This points consumers in the direction of what they should be looking for when it comes to minimum security components,” Ashley Boyd, vice president of Advocacy for Mozilla, told Quartz.
Here is how the requirements highlight the fundamental ways internet-connected products can fail when it comes to protecting your data:
Communications are not encrypted
When network communications are encrypted, it essentially means that only the sender and the receiver are able to access the information, and it can’t be eavesdropped on or modified in transit. If there is no encryption, “the security of the device really depends on the wifi network,” Boyd says. “If they’re connected to an insecure wifi network, someone else who is within range could connect to the product and possibly take control of it.”
Boyd uses the example of the Anova Precision Cooker, whose communications are not encrypted. And since the device can even be controlled from a mobile app using wifi, meaning you can direct it from another room, or as Mozilla suggests, even another continent, a hacker could swoop in and ruin your meal. Another example is the FREDI Baby Monitor, which doesn’t encrypt data. That means that without a secure network, someone else could be monitoring your child, or you.
No security updates
Mozilla’s requirements state that a product must be enabled to support automatic security updates by default. If it doesn’t, this means that companies can’t address vulnerabilities in a timely matter and at scale. If you’re using an internet-connected device that hasn’t been updated in a while, there’s a chance it isn’t fully equipped to deal with the most recent forms of privacy intrusions.
The product accepts weak passwords
Many products come with default passwords (for example, FREDI Baby Monitor’s is “123,” and worryingly, Boyd points out, it’s printed on the outside of the box) that should be changed promptly with a complex replacement. If a product doesn’t have password-strength requirements, consumers might be tempted to use simple ones, making them easier to guess. (This issue is vital when it comes to devices that might need remote password authentication.)
There is no easy way to reach vendors
If something goes wrong—your data has been leaked or there’s a hardware problem—it’s logical that the manufacturer should be available to help. However, Rebecca Ricks, a researcher at Mozilla who worked on the shopping guide, told Quartz that it was difficult to obtain information from many companies on privacy and data protection. While consumers might only reach out to vendors in a worst-case scenario, having no easy means of communication suggests that problems can’t be solved easily.
“If we can’t get that information as researchers, how would a consumer?” Boyd says.
The product’s privacy policy might be indecipherable
How can you protect your privacy if you don’t understand the rules that govern it? Sifting through complicated security jargon can be a drag, and as Mozilla’s research shows, requires a reading level beyond some users. How to opt out of data collection, delete your data, or know that your data is being sold can elude many consumers.
Mozilla used Carnegie Mellon University’s Usable Privacy Policy Project, which has an algorithm to determine reading levels to assess privacy policies. Research showed that the most common reading level for privacy policies for popular products was college level (grade 14).
“You shouldn’t need a college degree to understand the privacy policy,” Boyd says. “If that’s the baseline of where they’re putting the information, then we’ve got a real problem.”