When Good IoT Toys Go Bad


What’s on your wish list this holiday season? If voice activated devices, drones, Internet-connected toys and home automation gadgets were in your shopping cart on Cyber Monday, you’re in good company. And you’re a target — along with everyone else buying Internet of Things (IoT) devices.

Gartner forecasted there will be 8.4 billion IoT devices in use by the end of 2017, up 31% over 2016, with consumer applications making up over 60% of the total IoT market.

A November survey of more than 1,000 US adults by Keeper Security broke down the “things” respondents intend to purchase for Holiday 2017: 53% are toys; 23.6% are wearable devices such as fitness monitors; 22.4% are home security devices; and 22.4% are other home devices such as smart TVs, remote-controlled thermostats, home security systems and streaming security cameras.

The survey found a disturbing downside to the excitement around IoT, however — security of these devices is a dangerously distant priority.

  • 75% of consumers in the 25-34 age range are not even aware that these devices arrive from most manufacturers with simple, pre-set default passwords.
  • Half of this group who own IoT devices neglect to change the pre-set passwords.
  • Two thirds of this age group (the most active buyers of IoT devices) aren’t aware of the growing concern around IoT security.
  • And 65% say they don’t seriously evaluate the security of IoT devices.

Kaspersky Lab researchers recently selected eight random IoT devices – ranging from a smart iron to a smart spy vehicle – and half were hackable due to weak password settings. This included having a default password or an inability to change the password, while in some cases the password was the same for every device across the product line. Only one device met the bar for security requirements.


Connected toys and cameras may seem innocent, but poorly secured IoT devices can become a gateway to cyber disaster.

You may remember last year’s massive distributed Denial of Service attacks. Hackers easily broke into more than 100,000 IoT devices, including security cameras, baby monitors, and others. They created a large botnet—a centrally controlled, infected network of internet-connected devices. They then used the botnet to launch an attack on a major Internet backbone company, Dyn, which left millions of people and businesses without service.

According to the 10th annual Verizon Data Breach Investigations report, 81% of hacking-related breaches involved stolen or weak passwords. By hacking IoT devices, criminals can blackmail people and businesses, or spy on them. In some cases, corporate and hospital data records have been held for ransom.


The week after the news broke about the epic data breach at Equifax that could affect over 200 million Americans, the company was involved in an entirely new breach in Argentina. This time the vulnerability wasn’t due to an outdated security patch that Equifax failed to update – it was simpler:

Equifax used the word ‘admin’ for the login and password of a database. After some guesswork, cyber information security firm Hold Security found personal employee information including names, emails, and Social Security equivalents. Equifax quickly shuttered the website after the research was published.

If nothing else, we should learn from these mistakes.


Take steps to protect your own home or business with three simple practices when buying IoT devices:

  • Read reviews and check forums for published vulnerabilities.
  • Consider waiting for several generations instead of buying brand new, first-gen devices. Let someone else discover the problems.
  • Given that most IoT devices arrive with simple, factory-preset passwords, the single most important security measure to take with a new device is to change the password.


Hackers will choose the easy targets – so help defend your devices against attack by following these common password best practices:

  • Use complex passwords – not words that can be found in a dictionary.
  • Never use your network, wifi or device name as a password.
  • Never share your passwords with others or keep them in plain view.
  • Don’t use the same passwords across different devices or websites.
  • HIGHLY ENCOURAGED: use a FREE password manager. These simple apps randomly generate tough-to-hack passwords for all devices and sites, and can even store credit card numbers and other personal info securely – without you needing to remember anything but one master password.


Learn more about keeping your information safe with our Cybersecurity Fundamentals online training. Stay ahead of the bots and the bad guys – do it today!