As we have written several times before on the Panda Security blog, many internet-connected devices are not as secure as they could be. Others collect and share personal data with third parties – and they don’t always tell you they are doing it.

Which is why Mozilla’s new *privacy not included report is of great interest. Security researchers have analysed several popular devices to assess how secure they are, and whether they can be trusted with personal data. These devices are sure to be popular gifts this Christmas, the list makes for very interesting reading.

Each device has been assessed on four key areas to measure whether
the device is “creepy” or not:

  • Can it spy on you? Does the owner have full control of camera, microphone and location data.
  • What does it know about you? Is data shared with third parties? Is it encrypted during transfer?
  • Can you control the device? Is it possible to change the password or delete data it collects?
  • Does the manufacturer care about the customer? Do they regularly update security provisions? What is their customer support like?

The assessment process is obviously more involved, but by passing all four tests, a devices earns Mozilla’s “Minimum Security Standards” award.

Smart speakers and games consoles score well

According to the report, smart speakers from all the major vendors (Amazon Echo, Google Home, Apple HomePod, Sonos One) score highly, with most being achieving the award. The same is true of the most popular games consoles – Nintendo Switch, Sony PlayStation 4 and Microsoft Xbox One.

Other connected devices didn’t do so well however. The Evo Robot toy may have camera, microphone and location data locked down – but it also shares personal data with third parties for no apparent reason. The ever-popular Nest Thermostat also falls short, failing the “can it spy on me” test.

The Mozilla report shows how difficult it is to make a properly secure internet-connected device – and how some manufacturers are twisting the rules to access information you may prefer to keep private.

What does it mean for you?

The *privacy not included report currently lists 74 devices, so it is far from complete. There is a very good chance that many of the devices you own have not been assessed. But the report is still useful.

When you next go to purchase a connected device, you can use the Mozilla tests to ensure it is more secure – and less creepy. Ask questions like:

  • Can I lock out access to camera, microphone and location data?
  • Can I change the default password on the device?
  • Does the device/app share data with third parties?
  • Is the device regularly updated to patch software bugs?
  • Can I delete the data collected and stored by the device?

By answering these questions you can choose a less creepy device and boost your personal data security.

To learn more about internet-connected devices and security, please take a look at the rest of the Panda Security blog.

Panda Cleanup