The Grinch 2.0

In this article ITC’s Kevin Whelan, CTO and author of Threat of the Week, conveys a very seasonal warning.

Everyone Goo

Down in Google-ville

Liked Christmas a lot

Previously the Grinch (2.0, recently released) did not


However, during his time inside

The Grinch saw the changes and made up his mind

It was no longer required to break into houses

And physically steal the parcels and sweets

Let alone carry them back to the mountain retreat


It transpires the Goos had done something silly

And instead of going shopping whilst chilly

Had purchased their gifts for family and friends

On online portals for next day delivery


As well as sharing all of their data

The Goos’ gifted products were totally connected

To the unregulated cloud and the Internet of Things

Turns out, they were not protected


So rather than burgle everyone’s houses

The Grinch and his friends just sat there with mouses

Taking advantage of default settings and more besides

To exfiltrate data and take the Goos for a ride.


(With apologies to the good Dr Seuss)


Christmas time is a very opportunistic time for the criminal fraternity. From card scams on busy high streets on ‘Black Friday’, seemingly now extended to ‘Black Friday onwards’, to fraudulent online sites robbing people on ‘Cyber Monday’, the Christmas purchasing rush is the very sort of chaos and confusion that can be exploited by criminal gangs, many of whom have been planning their moves for eleven months or more.

When you consider that so many gifts this year will be ‘connected’, as in ‘to the Internet’, from kids’ toys such as dolls, remote control Star Wars toys, fitness wearables and, for the soon-to-be-divorced ‘giver’, thermostatic, lighting or, at the far end of the spectrum, antenna-controlling hardware, it should be a very real concern that there is no regulation about the default security settings of any of this.

Come Christmas morning, little Johnny will need to have his ‘insert any new toy or game here’ connected to the house WiFi and will be fighting with little sister Jane, setting up her online Ouija board, for the attention of hung-over parents stressed out about the in-laws’ arrival and the fact they forgot to collect the turkey.

The fact that all of these devices call home (China mostly), that nobody is sure what data they share with whom and that the default passwords can be abused very easily is a very big worry.

Imagine. You can connect to your fridge from your phone and Jane can do Ouija from the pub as you hide from your family with very few configuration steps.

And all the time, Alexa, Siri and the mind-bogglingly annoying Bixby are probably listening.

Be careful about connecting stuff to your home network, even if you have a massive hangover and can’t deal with the fight. Always change the default passwords.

Avoid Grinch 2.0

Happy Christmas.