The ICO's Group Manager for Technology has written a blog raising awareness of the risk of webcams, CCTV, baby monitors and other IoT devices sending images and other information to cyber attackers. There was a Daily Mail headline on live streaming of baby monitors by a Russian website back in 2014. It seems that nothing much has changed since.

Our current thinking is that this area is crying out for rules on privacy by design and privacy by default. Yet, as the device manufacturers may never be a data controller, the new rules in the GDPR may not apply to them.

The ICO is working with manufacturers to improve the protections built into the devices. However, the public must also take steps to protect themselves. The 6 key steps are:

  1. Research the security of a product. For example, look to see if a product will be updated with security fixes. Apparently some smartphones never receive security fixes.
     
  2. Check if your router is secure. Default settings may allow access to your router over the internet. Even if there is a default password, lists of default passwords can easily be found on the internet. Without protection, your personal files could suddenly become available on popular search engines.

    This leads neatly on to…
     
  3. Change passwords and usernames from the default settings.
     
  4. Known security vulnerabilities. Check manufacturers' websites to see if there are any security updates for your devices, such as your router. The ICO does warn that updating a device can overwrite data and settings so check the manual and have a backup.
     
  5. Take your time. Basically read the manual, don’t just plug a device in!
     
  6. If there is a two-step identification option – use it. Currently few devices offer this. It often works by asking an additional security question or sending a code to you phone or email during the log in process.
     

How many of these steps do you currently take? Do you change default passwords? Maybe. How many of us routinely do any of the other steps? Perhaps it will take a few more scare stories until the public start taking IoT security more seriously. Perhaps the manufacturers will improve the default protections so we don’t need to.

You can read the ICO blog here.