This study for the Internet Society assesses the state of security on consumer Internet of Things devices and the economic factors behind the weak security on many devices. It then draws upon these insights to offer policy recommendations for improving device security.

Founded by the early pioneers of the Internet in 1992, the Internet Society is a global cause-driven organisation working for an open, globally-connected, secure, and trustworthy Internet for everyone. With members, chapters and offices around the world, the Internet Society engages in a wide spectrum of Internet issues – including policy, governance, technology and development – to address the challenges facing the Internet today and to shape its tomorrow.

The authors are grateful for the research inputs contributed by the Internet Society, and for its input in reviewing the report.
Adding connectivity to physical devices can significantly enhance their usefulness: for instance, it can allow remote operation or monitoring of the device, improve user convenience, or increase energy efficiency. As a result, the number of connected devices has grown extremely rapidly.
This growth has been accompanied by increasing concerns about cybersecurity and privacy, and nowhere is this more true than in the consumer IoT segment. This segment – consisting of connected devices intended for personal or residential use, such as smart TVs, connected appliances, and home automation devices – accounts for an estimated 63% of the total installed base of connected devices, and is growing quickly.
However, security is often lacking in consumer IoT devices: an analysis of 10 of the most common types of consumer devices – including smart TVs, home thermostats, and connected power outlets, door locks and home alarms – found that 70% contained serious vulnerabilities.
There are a number of technical factors that make consumer IoT devices and services vulnerable to attack. Ultimately, however, weak IoT security has its roots in economic factors rather than technical ones. These include asymmetric information, misaligned incentives and externalities. These factors mean that both manufacturers and consumers are likely to under-invest in effective security measures.
To improve the state of security of consumer IoT devices and services, action will need to be taken to address and compensate for these factors. This report discusses the economic factors and suggests a set of potential actions that market stakeholders can take to address them and drive improvements in device security.
This report is available as a free download from this website.