Weaknesses in the cyber security of internet-connected consumer devices can undermine the privacy and safety of individual users and can be used for large-scale cyber-attacks. This briefing looks at the cyber threats associated with consumer devices and their causes, as well as initiatives to improve device security, and the related challenges.
There is a growing UK market for internet-connected devices such as smart home appliances and home monitoring systems. These devices can provide economic and social benefits, but stakeholders have expressed concerns about the poor security of many devices.
The poor cyber security of these devices can lead to data loss, privacy infringements and risks to physical safety and security. Large-scale attacks involving many insecure devices have resulted in the widespread disruption of online services. Common targets include devices with default or common passwords, known software vulnerabilities, or software that is out of date.
A lack of economic incentives, fragmented industry standards, and some user behaviours contribute to poor cyber security.
Both manufacturers and consumers may lack incentives to invest in security features. The economic costs of large-scale cyber-attacks often fall on third parties, such as online service providers. Consumers may not have the information and technical expertise required to purchase and set up devices securely.
The UK Government has produced a voluntary Code of Practice for the development, manufacturing and retail of connected consumer devices, which it may decide to enforce through regulation. The guidelines aim to encourage a “secure by design” approach, reducing the burden on consumers to ensure that their devices are secure. The Government is also considering a labelling scheme to help inform consumers.
Challenges to improving the cyber security of consumer devices include the complexity of supply chains, difficulties assessing security, and a shortage of cyber security expertise.
Among stakeholders, there is currently debate over the introduction of mandatory standards or labelling schemes for connected consumer devices, as well as the adequacy of product safety, liability and consumer rights laws.