Consumer Groups Warn of Potentially Dangerous Toys

Holiday shoppers beware, consumer advocates are warning: Danger lurks in U.S. toy aisles, where dolls and robots can be used as spies and unlabeled potential choking hazards are disguised as "Disney Princess Punchball Balloons." "My Friend Cayla," a popular talking doll, uses a hidden microphone and an unsecured Bluetooth connection that can allow anyone within range to spy on your family and talk back to your child, said Kara Cook-Schultz, one of the authors of the U.S. Public Interest Research Group's annual "Trouble in Toyland" report.

"If you are an adult and have decided to share data with an internet-connected device, fine. But if you're a child, you probably have no idea that this doll that you think of as a friend can be used to spy on you," she said.

German authorities banned the Cayla doll in February, saying it violates Germany's privacy laws. Last summer, the FBI also issued a consumer warning about Internet-connected devices, saying that toys containing sensors, microphones, cameras, data storage and other multi-media capabilities could put the privacy and safety of children at risk because of the large amount of personal information that your children — and you, when you're in earshot of the device — might unwittingly disclose.

And Cayla isn't the only culprit.

The Mozilla Foundation, a non-profit aimed at fostering a free and functioning Internet, issued a report Tuesday that cited several other toys with identical Bluetooth risks — "Dash the Robot" and "BB-8 by Sphero," a Star Wars themed toy. Both Bluetooth-enabled devices could allow everyone from neighbors to the person sitting next to you at the park to purposefully (or inadvertently) connect to the toys, listen to your kids' conversations and even talk back to them.

Worse, says Mozilla Foundation's vice president of advocacy, Ashley Boyd, is that these devices store all the personal information they've gathered. Yet it's not clear whether the data is stored in the device, in the "cloud" or elsewhere, nor is it clear how this data is secured.

"There isn't a lot of transparency," Boyd said. "As parents, we should know where the data is stored and whether it could be shared with others."

The "Adidas miCoach" soccer ball poses even greater privacy risks, according to the Mozilla report. The ball has a camera, microphone and location tracker, but no privacy controls. Consumers are also invited to create an account to use the game system, which could reveal more of their information.

"Privacy has really emerged as a theme with all of these Internet-connected devices," Boyd said.

Tips to Stay Safe for Happy Online Holiday Shopping

Cheers to a cybersecure holiday season! Cyber Monday 2017 is expected to be the biggest shopping day in U.S. history. According to a Pew Research Center survey, Americans use a wide range of digital tools and platforms to shop, and roughly 80 percent of adults purchase products online. Mobile has taken over holiday gift giving: last year, half of website visits and 30 percent of online sales were conducted via mobile devices. Gift givers are going mobile to conveniently compare products, read reviews and make purchasing decisions while out and about. Technology also ranks high on shopping lists – from new laptops and gaming systems to tablets, the latest phones and Internet of Things (IoT) devices like video cameras, toys and appliances.

Whether you are giving the gift of connectivity or using it yourself, don’t let hackers mess with the merriment. The National Cyber Security Alliance (NCSA) reminds everyone that all devices connected to the internet – including mobile and IoT – must be protected. And young people receiving technology for the first time need to understand how to use it safely and securely. In addition, older adults must make it their mission to continue to learn about and practice good cyber hygiene.

“All tech users – especially vulnerable audiences like teens and seniors – need to take responsibility and protect themselves against cyber threats, scams and identity theft – not only during prime shopping time, but every day,” said Michael Kaiser, NCSA’s executive director. “In past years, we have seen that scammers, hackers and cybercriminals are actively on the prowl during the holidays. Stay alert for phishing emails, deals that look too good to be true and warnings about packages that can’t be delivered or orders that have problems. Continually learn about and always initiate basic safety and security practices, and you will connect with more peace of mind during the holidays and year-round.”

GET READY TO CYBER SHOP SAFELY:

KEEP CLEAN MACHINES: Before searching for that perfect gift, be sure that all web-connected devices ‒ including PCs, smartphones and tablets ‒ are free from malware and infections by running only the most current versions of software and apps.

LOCK DOWN YOUR LOGIN: One of the most critical things you can do in preparation for the online shopping season is to fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.

CONDUCT RESEARCH: When using a new website for your holiday purchases, read reviews and see if other customers have had positive or negative experiences with the site.

WHEN IN DOUBT, THROW IT OUT: Links in emails, social media posts and text messages are often how cybercriminals try to steal your information or infect your devices.

PERSONAL INFORMATION IS LIKE MONEY. VALUE IT. PROTECT IT: When making a purchase online, be alert to the kinds of information being collected to complete the transaction. Make sure you think it is necessary for the vendor to request that information. Remember that you only need to fill out required fields at checkout.

NAVIGATING THE DIGITAL MARKETPLACE WHILE ON THE GO:

GET SAVVY ABOUT WI-FI HOTSPOTS: If you are out and about, limit the type of business you conduct over open public Wi-Fi connections, including logging in to key accounts such as email and banking. Adjust the security settings on your phone to limit who can access your device.

SECURE YOUR DEVICES: Use strong passwords or touch ID features to lock your devices. These security measures can help protect your information if your devices are lost or stolen and keep prying eyes out.

THINK BEFORE YOU APP: Information about you, such as the games you like to play, your contacts list, where you shop and your location, has value – just like money. Be thoughtful about who gets that information and how it’s collected through apps.

NOW YOU SEE ME, NOW YOU DON’T: Some stores and other locations look for devices with Wi-Fi or Bluetooth turned on to track your movements while you are within range. Disable Wi-Fi and Bluetooth when they’re not in use.

The Future of Microphones in Connected Devices

Future of Privacy Forum (FPF) released a new infographic: Microphones & the Internet of Things: Understanding Uses of Audio Sensors in Connected Devices. From Amazon Echos to smart TVs, we are seeing more home devices integrate microphones, often to provide a voice user interface powered by cloud-based speech recognition. Last year, we wrote about the “voice first revolution” in a paper entitled “Always On: Privacy Implications of Microphone-Enabled Devices.” This paper created early distinctions between different types of consumer devices and provided initial best practices for companies to design their devices and policies in a way that builds trust and understanding. Since then, microphones in home devices — and increasingly, in city sensors and other out-of-home systems — have continued to generate privacy concerns. This has been particularly notable in the world of children’s toys, where the sensitivity of the underlying data invites heightened scrutiny (leading the Federal Trade Commission to update its guidance and clarify that the Children’s Online Privacy Protection Act applies to data collected from toys). Meanwhile, voice-first user interfaces are becoming more ubiquitous and may one day represent the “normal,” default method of interacting with many online services and connected devices, from our cars to our home security systems.

As policymakers consider the existing legal protections and future direction for the Internet of Things, it’s important to first understand the wide range of ways that these devices can operate. In this infographic, we propose that regulators and advocates thinking about microphone-enabled devices should be asking three questions: (1) how the device is activated; (2) what kind of data is transmitted; and, on the basis of those two questions, (3) what are the legal protections that may already be in place (or not yet in place).

#1 – ACTIVATION

In this section, we distinguish between Manual, Always Ready (i.e., speech-activated), and Always On devices. Always Ready devices often have familiar “wake phrases” (e.g., “Hey Siri”). Careful readers will notice that the term “Always Ready” applies broadly to devices that buffer and re-record locally (e.g., for Amazon Echo it is roughly every 1-3 seconds), and transmit data when they detect a sound pattern. Sometimes that pattern is a specific phrase (“Alexa”), but it can sometimes be customizable (e.g., Moto Voice lets you record your own launch phrase) and sometimes it need not be a phrase at all — for example, a home security camera might begin recording when it detects any noise. Overall, Always Ready devices have serious benefits and (if designed with the right safeguards) can be more privacy protective than devices designed to be on and running 100% of the time.

#2 – DATA TRANSMITTED

In this section, we demonstrate the variety of data that can be transmitted via microphones. If a device is designed to enable speech-to-text translation, for example, it will probably need to transmit data from within the normal range of human hearing — which, depending on the sensitivity, might include background noises like traffic or dogs barking. Other devices might be designed to detect sound in specialized ranges, and still others might not require audio to be transmitted at all. With the help of efficient local processing, we may begin to see more devices that operate 100% locally and only transmit data about what they detect. For example, a city sensor might alert law enforcement when a “gunshot” pattern is detected.

#3 – WHAT ARE THE EXISTING LEGAL PROTECTIONS?

In this section, we identify the federal and state laws in the United States that may be leveraged to protect consumers from unexpected or unfair collection of data using microphones. Although not all laws will apply in all cases, it’s important to note that certain sectoral laws (e.g. HIPAA) are likely to apply regardless of whether the same kind of data is collected through writing or through voice. In other instances, the broad terms of state anti-surveillance statutes and privacy torts may be broadly applicable. Finally, we outline a few considerations for companies seeking to innovate, noting that privacy safeguards must be two-fold: technical and policy-driven.

Source: FPF.org

Hacker ER Doctor Says Medical IoT Devices are a Security Disaster

Doctors — particularly the ones that work in emergency rooms — need to have strong stomachs and level heads, since they see illness and injury at their most serious. Violence, accidents and serious diseases are all a matter of routine in the ER.

Dr. Christian Dameff, a faculty member at UC San Diego’s medical school, has seen all of that and more, since he’s also a white-hat hacker and expert in medical IoT security. He warned the audience on Thursday at the Security of Things USA convention in San Diego that the state of that security is, frankly, alarming.

Technology is a central underpinning of all modern medical treatment, according to Dameff. Many younger doctors have never worked with paper charts, or written paper prescriptions, or looked at x-rays on a lightbox – it’s all digital.

“Software powers modern healthcare. It is as essential as antibiotics, x-rays and surgery combined,” he said. “Without our technical systems, doctors today are essentially helpless for taking care of strokes, heart attacks and traumas.”

There are two central issues, according to Dameff. Part of the problem is that security discussions in the medical field focus heavily on data security, mostly for regulatory reasons.

“When we talk about information security in healthcare, we talk about the HIPAA hammer,” he said, “because the fear of a HIPAA fine, and the fact that we have hundreds of data breaches every single year, has made this the focal point of your conversation.”

But a bigger issue is that the connected devices used to automate and speed up the tasks of care required by modern medicine are cripplingly, astonishingly vulnerable to compromise by outside agents.

The problem has existed for a long time, Dameff said, but the 2011 story of Jay Radcliffe, a diabetic security expert who discovered that a connected insulin pump he used was trivially easy to hack, helped bring the scale of the problem to the public’s attention.

“What surrounds the patient are dozens of wirelessly connected devices that are running legacy operating systems, that are unpatched, that have hard-coded credentials you can Google – that are controlling potent medications being infused into this patient that, if miscalculated or altered, can cause this patient to die. That is the state of modern healthcare IoT. We need to change it.”

Device makers need to work with doctors directly, Dameff argued, in order to usher in a newly holistic approach to the creation of medical IoT gear.

“Have them help you identify points of your product that, if it should fail, would result in patient harm, not just a compromise of their medical health information,” he said.

Hacked hospitals

Nor are connected devices the only way that poor security affects hospitals. Aging, unpatched IT systems are vulnerable to a huge array of known hacks, and notorious attacks like WannaCry can knock whole systems full of hospitals with custom hardware offline.

For the everyday user, this is a headache, but for a healthcare provider, it’s a much more serious issue. Ransomware and denial of service kill people, Dameff stated, by inches – when the hospital’s systems are down, it hinders urgent care, so patients suffering from heart attacks or strokes have their treatment delayed by crucial minutes or even hours. That can mean permanent disability or death.

“We can’t take care of stroke patients without functioning CT scanners. We just can’t,” he said.

3 Internet Scams Targeting Seniors and How to Avoid Them

Worried you or a loved one could be fooled by a scammer? Seniors are increasingly being targeted by online scams that drain their bank accounts and threaten their futures. Here’s what you need to know to protect your family.

Why Do Scams Target Senior Citizens?

Seniors are popular targets for con artists for several reasons. For one, seniors are more likely to have nest eggs than their younger counterparts, according to the FBI. Moreover, since today’s elderly didn’t grow up with the internet, they’re less web-savvy and may be more likely to trust people online. Some scams also prey on seniors’ love for family members, and since many older adults live separate from extended family, they may not immediately recognize scammers’ stories as false.

Internet Security Scams

According to a report by the U.S. Senate Committee on Aging, a common ploy is for fake tech support employees to contact seniors about virus-riddled computers. After gaining a senior’s trust, a scammer asks for remote access to their computer so they can fix the problem. The scammer may then demand money to fix the invented problem or install spyware, malware or ransomware onto the senior’s computer. This type of scam is so common that, in a survey, 15 percent of people reported receiving a similar call, and 80 percent of people who fell for the scam lost money.

A few simple rules can help protect seniors from this crime: If you need tech support, contact the company directly using information from the company website or product packaging. Don’t give credit card information if someone calls claiming to be from tech support. If someone pressures you to provide credit card information or computer access over the phone, hang up.

Romance Scams

Americans lost more than $230 million to romance scams in 2016 alone, making this growing scam a major threat to seniors’ financial security. This ploy victimizes older women who are widowed and divorced. Typically, a scammer poses as an eligible bachelor on dating sites or social networks and forges an intimate connection before asking for money. Since the request comes after a relationship has been formed and is accompanied by a sympathetic backstory, victims willingly give money with the belief they’re helping a loved one in need. Only after they’ve lost thousands, if not tens of thousands of dollars, do they realize they’ve been swindled. Unfortunately, by then the scammer and the money are long gone.

Avoiding this scam doesn’t have to mean swearing off online dating, but seniors should be cautious of people they meet online, especially if they can’t verify their existence in person. Reverse image search profile photos to see if they’re stolen, ask to meet in person before advancing a relationship and never send money to anyone you don’t know personally, no matter how strong of a connection you feel.

Counterfeit Check Scams

While counterfeit check scams don’t happen entirely online, they often start there. Seniors who buy or sell items online are most vulnerable to this tactic, but anyone with an email address or social media account can be targeted. In one version, seniors receive a message that they’ve won a foreign lottery. In the other, they receive a message offering to buy something they are selling on Craigslist or another online marketplace. In both versions, the check received is worth more than it should be and the victim is told to remit taxes and fees or wire back the overpayment. By the time the cashier’s check is detected as fake, the senior has sent their own money to the scammer.

Stay away from this scam by never accepting overpayment for an item you’re selling and never sending money by wire transfer. When buying and selling goods online, online payment services like PayPal are a safer choice. Never pay for a prize or gift that is supposed to be free and be suspicious of winning any lottery or drawing you don’t recall entering.

For young, tech-savvy adults, spotting scams may not be too challenging; however, seniors may have a harder time detecting predatory behavior online. Share this information with the seniors in your life so they can watch out for harmful scams.