So, you got an IoT device for the holidays

They see you when you're sleeping.

IoT devices are at once a grotesquerie for the security- and privacy-conscious, and a delicious, convenient poison. And chances are pretty good you got one as a holiday gift.

You might say we're in the heyday of IoT — though a significant number of infosec professionals might be more inclined to call it the apex of the Internet of Shit. They have a point. Even just a glance at recent headlines is enough to convince anyone that the so-called smartness of these products is a bit lacking.

Just last week, an Amazon customer's GDPR request to see his data resulted in him being sent 1,700 Alexa voice files belonging to someone else, which included conversations between two people. The man wasn't an Alexa user himself, but he did manage to figure out whose files they actually were.

Amazon said the situation was the result of human error and an isolated incident. Yet it's hard to shake the feeling that all our misgivings about basically being spied on have been validated. It's probably cold comfort for anyone who got an Echo for the holidays.

Perhaps you got a smart thermostat this year? In January, we reported on an East Coast ISP that decided the best way to crack down on internet bandwidth hogs was to throttle their connection. The ISP warning letter openly threatened suspected file-sharers that they might be cut off from their webcams and connected thermostats. That was bad enough, and it kind of gave connected thermostat makers an idea for soft-sell extortion posing as a subscription service that promises to "enhance" your devices with "efficient settings."

Maybe you got a Sonicare toothbrush and it wants to know your location at all times. Or a hot tub that can be hacked and remotely controlled. What about a connected vibrator that can spy on you? Did you really want those Tommy Hilfiger connected jeans that track you in exchange for "one-of-a-kind rewards and experiences"? Hey, and some people only found out this year that their Vizio TV might've spied on them in 2015.

Yep, it all feels wrong. Surprisingly, California lawmakers have been thinking the same thing. The state's Information Privacy: Connected Devices Act goes into effect January 1, 2020, banning default and pre-loaded passwords.

"The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time," we reported. "According to the bill, it applies to any connected device, which is defined as a 'physical object that is capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.'"

Rebellious refrigerator

Remember that time a botnet shut down a huge swath of the internet by using connected devices? Well, that's the threat this bill hopes to mitigate by forcing better password practices on device makers and, by extension, on users. But the real problem, of course, is that IoT device companies have been (and still are) terrible about considering our security and privacy. Ten years and counting, and they still just aren't thinking it through.

So if you've read this far and have laugh-cringed along the way about potentially demonic toothbrushes, our collective fear of Amazon becoming Skynet and Ring's scary AI profiling, you may be feeling helpless. Or mad. Or disgusted. All of the above makes sense, actually. It's too late for us to do anything about how the companies screw up. But we're not as helpless as we feel.

If you got anything over the holidays that asks for a password even just once, or that you notice has a password field anywhere: Change it ASAP. Make it something unique, or at least not something on any commonly used passwords list. This stops attackers (like botnets and jerky hackers) from hijacking your device, spying on you or leapfrogging onto your home network to do more nefarious things.

For instance, the one thing that would've prevented a hacker from getting into a man's Nest security camera this month -- and talking to him -- would have been a strong, unique password. "The hacker couldn't see images through the camera and didn't know where Gregg lived, he said. But he told Gregg such information wouldn't be hard to find," reported the Arizona Republic. "The man then recited a password Gregg had used for multiple websites."
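To make the "unique, and not on any common-passwords list" advice concrete, here is an added example (not code from the article or from any device maker) of a small checker you could run before setting a new device password. The default-credential and common-password lists are short constructed samples, and the `previously_used` set stands in for hashes a password manager might hold for your other accounts; a real check would load full wordlists from disk.

```python
"""Added example: flag an IoT device password that is a factory default,
a common password, a reuse of another account's password, or simply too
weak. Word lists here are constructed samples, not a breach corpus."""
import hashlib
import string

# Constructed sample of factory-default credentials (the kind of
# pre-loaded password the California law bans).
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", "default", "root", "guest"}

# Constructed sample of a commonly-used-passwords list.
COMMON_PASSWORDS = {"123456", "qwerty", "letmein", "iloveyou", "welcome",
                    "football", "sunshine", "abc123"}

MIN_LENGTH = 12


def normalize(pw):
    """Lowercase and strip trailing digits/punctuation so that
    'Password1!' is still recognised as the common word 'password'."""
    return pw.lower().rstrip(string.digits + string.punctuation)


def fingerprint(pw):
    """SHA-256 of the password, so reuse can be checked against hashes of
    passwords used elsewhere without keeping them in plaintext."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(candidate, previously_used=frozenset(),
                   defaults=DEFAULT_PASSWORDS, common=COMMON_PASSWORDS,
                   min_length=MIN_LENGTH):
    """Return a list of problems found; an empty list means the candidate
    passed every check this example performs."""
    if not candidate:
        return ["empty password"]
    problems = []
    norm = normalize(candidate)
    if candidate in defaults or norm in defaults:
        problems.append("matches a factory default credential")
    if candidate in common or norm in common:
        problems.append("appears on the common-passwords list")
    if fingerprint(candidate) in previously_used:
        problems.append("reused from another account or device")
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Count character classes present: lower, upper, digit, punctuation.
    classes = sum(
        any(pred(c) for c in candidate)
        for pred in (str.islower, str.isupper, str.isdigit,
                     lambda c: c in string.punctuation)
    )
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def is_acceptable(candidate, previously_used=frozenset()):
    """True when check_password finds nothing to complain about."""
    return not check_password(candidate, previously_used)


if __name__ == "__main__":
    # Constructed: hash of a password already used on another site.
    used_elsewhere = {fingerprint("Kettle-Orbit-Salmon-42")}
    for pw in ["admin", "Password1!", "Letmein2018", "Kettle-Orbit-Salmon-42"]:
        print(pw, "->", check_password(pw, used_elsewhere) or "ok")
```

The `normalize` step matters because most "common password" lists are lowercase base words, and people tend to satisfy a form's complexity rule by capitalising the first letter and appending a digit or symbol; without stripping those, "Password1!" would pass the list check while being just as guessable. The reuse check is what would have helped in the Nest story above: the same password on multiple websites is only as secure as the weakest of them.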

App Permissions

One strong way to protect yourself, as well as your friends and family, from your connected gifts and their often-invasive, poorly-secured apps is to deny them access to your contacts. It may not be possible with some, but do it if you can. The opportunity to say "no" is during the setup process. Doing so will keep attackers and careless companies from scraping your contacts, using them for marketing purposes or putting them in a database profile to sell, rent or trade with third parties (like Facebook does). Remember that story in May, when Amazon sent Echo conversations to a user's contacts? Keeping Alexa out of your address book will prevent "accidents" like that.

If you missed your chance, some allow you to revoke it (they just don't make it easy or convenient). For instance, you can revoke access to your contacts with Amazon's Alexa (Echo) by calling the company's customer service at 877-375-9365. The process isn't quick and will curtail the device's ability to send messages, but as we're all becoming more aware, convenience and security are often at odds.

Another step you can take is to do a little homework on your connected device. Find out if it stores your data and how, and if you can delete it — just so you know your risks. See if the device uses encryption. If it doesn't, think really hard about whether you really want to use it. Search the product's name on Twitter to see if any security professionals are talking about it, and what they're saying. Google it in conjunction with the words "privacy" and "security" as well as "hacked" — and check for news articles as well.

It's hard to imagine our lives now without IoT devices. It's painfully obvious that few gave much thought to user privacy and security -- plus, the devices mostly don't work the way they're supposed to. While we welcome their inventions into our homes with a mixture of delight, trepidation and amusement at the humiliation of their security teams, it's good that we're wearing our "cynical" hats. Because it's probably going to get a lot dumber before it gets smarter.

Images: Illustration by D. Thomas Magee (Rebellious refrigerator); Terrence O'Brien (Location Permission)