Privacy advice for smart homes, manufacturers putting malware on Android phones and why is Google still tracking you?
Welcome to Cyber Security Today. It’s Wednesday August 15th. To hear the podcast click on the arrow below:
So-called smart homes with Internet-connected voice assistants like Amazon Alexa or Google Home and linked to a variety of home appliances are hip. But they also can be security and privacy risks. I had a chat this week about the problem with Tony Anscombe, global security evangelist for the security firm ESET about the problems. He was in Toronto on the weekend for the Rogers Cup tennis tournament, where ESET is co-sponsor, and offered a number of tips listeners can take to reduce risks. First, before you buy a connected product search on the Internet to see if it has reported security problems. These would include whether it’s been hacked, the inability to update software or firmware, and whether it comes with a password that can’t be changed. Second, you don’t have to connect all devices to your assistant. That’s because it may store interactions with you that include personal information. So, Anscombe said, connecting your house to a thermostat or lights may be OK, but not to a digital weighing scale. Third, if the device does collect data – for example to your Amazon account – it should be regularly deleted. Fourth, make sure your home assistant is turned off when you’re not at home, or when you’re asleep. Finally, make sure you change default password or passphrase to your voice assistant.
Own an Android phone or looking for a new one? Make sure it’s been scrubbed of pre-installed apps and firmware. That’s the conclusion one gets after reading an investigation by a security firm called Kryptowire into 25 Android handsets sold by carriers in the U.S. Some of these apps can access your device logs, reset the handset so data is wiped, read and modify your text messages, send arbitrary text messages and copy phone numbers of your contact list. Many of these apps were installed by the manufacturer and may be impossible to delete. Some devices have big names like Sony and Asus. Many of these apps do their work without needing the owners’ permission. But permissions are supposed to be an Android app requirement. According to The Hacker News, Google and device makers have been warned. Some patches have been issued, which is great if you have a newer device able to get patches. If not, make sure you regularly review what apps are on your device and delete what you don’t need. And think about installing mobile malware protection.
Speaking of permissions, I’ll bet you think that when you tell Google services on an Android or Apple device to stop tracking your location it obeys. Nope. According to an investigation by the Associated Press many Google services on Android and iPhone devices store records of your location data even when you have paused “Location History” on your mobile device. The trick is you’re only allowed to pause recording your location history. Some Google apps automatically store time-stamped location data without asking. For example, Google stores a snapshot of where you are when you merely open its Maps app. Have you turned on automatic daily weather updates? It records roughly where you are. Understandable if you want local weather, but you may not have thought your city location is now recorded. And some Google searches that have nothing to do with location may store your precise latitude and longitude. To stop Google from saving these location markers you need to turn off a setting called “Web and App Activity.” Go to myactivity.google.com, select “Activity Controls” from the upper left drop-down menu, and now turn off both “Web & App Activity” and “Location History.”
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening. I’m Howard Solomon.