Thanks to the evolution in technology, devices and protocols, the temperature settings in your smart fridge can be controlled remotely. And your voice assistant can tell you the weather, or what plans are in your calendar a week from now. The interoperability between smart devices that protocols such as Matter and Thread are enabling is fuelling growth in the market, but the rise in the number of devices consumers use has presented a wider attack surface, and both manufacturers and consumers of IoT devices need to be conscious of security.
A report undertaken by Utimaco working with YouGov showed that 14% of respondents considered smart devices to be secure, despite the fact that 38% use them, which shows that there needs to be better communication around security. Only 24% could define what IoT meant, meaning there is also a greater need for education.
Privacy risks for consumers
The growth of the consumer IoT market can be attributed to the affordability of devices, advancements in wireless technology, and the desire to have a smart home that offers convenience and accessibility. According to figures provided by Statista, the market is expected to reach $209.9 billion in revenue by 2024 and $357.8 billion by 2029.
Smart speakers, home security systems, and health monitoring devices are just a few examples of the applications that have gained widespread popularity.
One of the most pressing concerns surrounding consumer IoT devices is data privacy. These devices often collect and transmit vast amounts of personal data, ranging from simple usage patterns to sensitive health information. The collection, storage, and use of this data raise several privacy concerns.
Firstly, there is the risk of unauthorised access to personal data. Smart devices are frequently targeted by cybercriminals seeking to exploit vulnerabilities in the software or hardware. Once breached, attackers can gain access to personal information, running risks such as identity theft or unauthorised surveillance.
Secondly, the lack of transparency in data handling practices is a significant concern. Many consumers are unaware of the extent to which their data is being collected, stored, and shared with third parties. This lack of transparency can lead to the misuse of personal information for purposes beyond the original intent, such as targeted advertising or selling data to other companies without explicit consent.
Finally, the issue of data retention and deletion is often overlooked. Consumers may not be informed about how long their data is stored or how to delete it permanently. This can result in personal information remaining on servers long after it is needed, which increases the risk of data breaches over time.
Security risks for consumers
In addition to privacy, the security of consumer IoT devices remains a major concern. Several factors can contribute to vulnerabilities in IoT devices, including a lack of robust security measures, the absence of standardised security protocols, and a lack of regular software updates.
Firstly, many IoT devices are designed with convenience and cost-effectiveness in mind, which can often be at the expense of robust security measures. This can result in devices being shipped with default passwords, unpatched software, or inadequate encryption, making them easy targets for attackers.
Secondly, the large number of devices and the varied manufacturers making these devices complicate the security landscape. With no standardised security protocols across different devices, it becomes challenging to ensure consistent and effective protection. Some manufacturers may prioritise security, while others may cut corners to reduce costs. The PSTI Act looks to address this.
Thirdly, and finally, the lack of regular software updates poses a significant risk. IoT devices often have long lifespans, but their software may not be updated as frequently as necessary to address emerging security threats. This leaves devices vulnerable to new forms of attack.
How can manufacturers address device security?
The landmark passing of the PSTI Act represented a significant step towards ensuring device security by putting device manufacturers’ obligations into law, and reflected an awareness that data has become increasingly valuable and that consumers’ smart devices are vulnerable. The PSTI Act requires device manufacturers to make passwords more secure, provide clarity around reporting bugs or security issues, and inform customers how long they will receive security support.
In an interview, Kamran Jehangir, Technical Consultant at Eseye, highlighted an “increase in IoT devices coming onto the UK market being sold on various platforms worldwide,” devices which, he explained, vary in how informative they are about securing the device. Some come with instructions on setting up a smart device like a doorbell; others are less transparent. Jehangir said this was “a massive concern”.
He also expressed concern about slow uptake of the Act, which he said could be attributed to not enough information being sent out to manufacturers, “which is why we’re [Eseye] trying to fill that gap,” he said.
In a contributed piece to IoT Insider, David Corlette, VP Product Management at VIPRE Security Group, wrote: “If we have learned anything over the years it’s that cybercriminals are dogged in their drive to exploit – every device is a target, and if a security gap is found it will be ruthlessly exploited unless, of course, the manufacturer patches the hole promptly.”
He wrote about fundamental design concepts worth considering for manufacturers to ensure compliance with PSTI Act requirements, including keeping it simple, adopting network segmentation, securing external interfaces, empowering user choice, and minimising data collection. “Only collect the minimal personal information that is absolutely necessary for the proper functioning of the device,” he wrote.
How can consumers address device security?
For consumers, being aware of the risks they run in failing to properly secure smart home devices is one step towards understanding why robust security is so important.
Simple steps such as regularly updating devices, changing their default passwords and being mindful of permissions can go a long way. If consumers would like to be more informed, researching data handling practices or manufacturers’ device security can help inform which smart home devices they purchase.
Closing thoughts
Having a smart fridge that remotely monitors temperatures and a voice assistant that can recite your calendar to you is hugely enticing, particularly for the average person who wants ease of use and convenience. But the security elements cannot be forgotten, especially as the number of devices grows.
Failing to properly secure these devices, both at a manufacturing and consumer level, can lead to some serious fallout. Collaboration within the IoT industry is essential to creating secure and trustworthy devices and ecosystems.