IoT devices and Consumer Security Awareness


Blythe, J. M., Sombatruang, N., & Johnson, S. D. (2019). What security features and crime prevention advice is communicated in consumer IoT device manuals and support pages? Journal of Cybersecurity, 5(1). https://doi.org/10.1093/cybsec/tyz005


Abstract:

Through the enhanced connectivity of physical devices, the Internet of Things (IoT) brings improved efficiency to the lives of consumers when on-the-go and in the home. However, it also introduces new potential security threats and risks. These include threats that range from the direct hacking of devices that could undermine the security, privacy and safety of its users, to the enslaving of IoT devices to commit cybercrime at scale, such as Denial of Service attacks. The IoT is recognized as being widely insecure, in large part, due to the lack of security features built into devices. Additionally, consumers do not always actively use security features when available. More disconcerting is that we lack market surveillance on whether manufacturers ship products with good security features or how the importance of user-controlled security features is explained to IoT users. Our study seeks to address this gap. To do this, we compiled a database of 270 consumer IoT devices produced by 220 different manufacturers on sale at the time of the study. The user manuals and associated support pages for these devices were then analyzed to provide a ‘consumer eye’ view of the security features they provide and the cyber hygiene advice that is communicated to users. The security features identified were then mapped to the UK Government’s Secure by Design Code of Practice for IoT devices to examine the extent to which devices currently on the market appear to conform to it. Our findings suggest that manufacturers provide too little publicly available information about the security features of their devices, which makes market surveillance challenging and provides consumers with little information about the security of devices prior to their purchase. On average, there was discussion of around four security features, with account management and software updates being the most frequently mentioned. Advice to consumers on cyber hygiene was rarely provided. Finally, we found a lack of standardization in the communication of security-related information for IoT devices among our sample. We argue for government intervention in this space to provide assurances around device security, whether this is provided in a centralized or decentralized manner.

I reviewed a peer-reviewed article concerning the security of IoT devices in reference to what information the hardware manufacturers provided to their customers. The study was not experimental in nature as there were no control variables defined in their reporting. The study was just looking to examine available materials for many classes of consumer IoT devices from various manufacturers in an effort to determine what security-related information was provided to the consumers to inform them of the risk in using the IoT device as well as any steps that should be taken to harden one’s security when using the product.

The research output for this study was quantitative in nature. All of the details gathered for the observations and the subsequent results provided were numerical. The results demonstrated concern surrounding industry shortcomings in regard to consumer safety and education.

The population being studied was all consumer-grade IoT devices available at the time of writing, which was March of 2019. The sample was derived from an independent database of known IoT devices in multiple device sectors. All 270 devices included as part of the study were from “major manufacturers” that were available at major retailers across the country. Due to this limitation, there was a noted bias spoken about regarding devices manufactured by smaller developers and distributed through sources outside of major UK retailers, such as eBay or Amazon. It was unknown if the information derived from this study could be generalized for these outlier devices.

The method of measurement scale for the provided quantitative research was Ratio. The team identified device documentation that aligned with the government’s thirteen Secure by Design Code of Practice (CoP) principles. Once they had read the manuals for the devices, and any other supporting documentation, they were able to identify which devices, if any, contained information or guidance to the consumer.

The conclusions of the study found that manuals and support pages did not provide enough information to consumers in relation to the device’s security features. They also noted that recommendations for cyber hygiene were not frequently discussed. This led to their conclusion that IoT device manuals and support documentation should be standardized. The next logical step that I see in extending this research is to perform the same study now, 3 years after this initial publication, in an effort to determine if documentation that accompanies IoT devices is now addressing more cyber security concerns. Also, devices from smaller manufacturers should be included in some fashion in an effort to gain an initial understanding of whether the quality of their documentation aligns with large manufacturers.

The study subject and subsequent findings are relevant to me and my field of study as Cybersecurity is my major focus. With the ever-present challenges of device security at the forefront of the industry’s mind, it is increasingly important that consumers understand what their device’s vulnerabilities are and how to mitigate their risk. Even warnings like setting a new complex password on their devices, or keeping the devices patched to the most recent stable firmware release, can help prevent their new IoT devices from becoming compromised. As was alluded to in the study findings, a degree of responsibility for keeping consumers educated concerning their risk lies with the manufacturer.

About Mark Ray

I am a middle-aged man trying to find my way in an increasingly complex world. Despite the ever-changing landscape of life, I commonly find myself projecting a stoic reminder to colleagues and classmates that you only get something out of it if you give back. Find humor in the common and purpose in adversity, then let the cards fall where they may.
