Britain's National Cyber Security Centre (NCSC) wants owners of baby monitors and smart CCTV cameras to take some basic security precautions.
The GCHQ-owned infosec arm of government today published what it hopes is simple guidance that can be followed by ordinary people who haven't got time to immerse themselves in the technobabble-laden doom and gloom of the cybersecurity world.
Dr Ian Levy, the NCSC's technical director, said in a canned statement: "Smart technology such as cameras and baby monitors are fantastic innovations with real benefits for people, but without the right security measures in place they can be vulnerable to cyber attackers."
Those security measures boil down to three steps in GCHQ's own words, which we reproduce here in full:
- If your camera comes with a default password, change it to a secure one – connecting three random words which you'll remember is a good way to do this. You can usually change your password using the app you use to manage the device.
- Keep your camera secure by regularly updating security software. Not only does this keep your devices secure, but often adds new features and other improvements.
- If you do not use the feature that lets you remotely access the camera from the internet, it is recommended you disable it.
Caroline Normand, director of advocacy at consumer group Which?, chipped in to add: "Which? has repeatedly exposed serious security flaws with devices including wireless cameras and children's toys, so mandatory security requirements and strong enforcement that ensures manufacturers, retailers and online marketplaces are held accountable for selling insecure products is essential."
Jake Moore, cybersecurity specialist at ESET, said of the efforts: "Password managers should not be feared; many people think that putting all their passwords in one place on the cloud will make them somewhat vulnerable to attack. However, it's the opposite that is true. The clever use of two factor authentication, 2FA, and robust encryption are a far stronger mix than having to remember hundreds of accounts each with three random words."
The advice comes on the heels of proposed new laws that would force manufacturers to stop baking default passwords into new devices, provide a public point of contact for reporting security vulnerabilities, and state the product's useful lifespan, ie, for how long security updates will be published. Even those laws might not be enough to truly secure Joe and Josephine Bloggs, however.
Insecure smart home devices have long been known to techies as a rich source of vulnerabilities for criminals to exploit. In lawsuit-happy America, companies such as Amazon have had sueballs flung at them for perceived problems with security – and tried to fend these off with a "privacy dashboard" that largely fell flat among techies. ®