Customers who fail to secure their Internet of Things (IoT) devices are still at risk of inadvertently revealing their personal information to others.
According to the Information Commissioner's Office (ICO), the UK authority which is responsible for enforcing the Data Protection Act of 1998, people are still leaving their devices unsecured, and manufacturers are still not incorporating adequate privacy safeguards into their products.
The consequences of such inaction could be severe. As the ICO explains in a blog post:
"This means Internet of Things products such as baby monitors, music systems and photo or document storage, which can be accessed online, are at risk of revealing your personal details to other people. A lack of security when it comes to IoT devices could mean that a search engine is used by criminals to locate vulnerable devices and then gain access to them or others on your home network. An attacker could then use your equipment to mount attacks on others or take your personal data to commit identity fraud."
Two years ago, news first surfaced of a Russian website that ran footage from over 73,000 exposed IoT webcams without the owners' knowledge.
Not much has apparently changed since then.
To help protect people's privacy, the ICO recommends users take the following steps to secure their IoT devices:
The ICO will continue to work with manufacturers to help them design more secure products in the meantime.
As a spokesperson for the ICO told Ars Technica UK:
"[Manufacturers should] subject IoT devices to a robust security test before launch and for every subsequent firmware update. They also need to commit to supporting devices for a reasonable length of time following launch and act quickly on reports of security vulnerabilities. They should also make the devices 'secure by default' and make the user interface intuitive. Security should not be left up to the individual to configure the device through a difficult to navigate user interface."