UCL Jill Dando Institute of Security and Crime Science


Developing a consumer security index for domestic IOT devices (CSI)

17 January 2019

Research Summary

Internet enabled devices including smart televisions, security cameras and thermostats are now commonly found around the home. Devices such as these have enormous potential to transform society, but they also provide opportunities for crime.  For example, some devices (including ‘security’ cameras) lack basic password functionality or allow the use of default passwords, which can easily be guessed or even found on forums. Such vulnerabilities have been exploited to conduct Distributed Denial of Service (DDoS) attacks, which are used to make a website or online service unavailable. One such attack, which took place in 2016 knocked Twitter, Netflix and the Guardian Newspaper offline during the attack. Vulnerable internet enabled devices can also be targeted to steal personal information, including credit card details. 

While security should be designed into devices, there is little incentive for manufacturers to do so consistently. Moreover, at the point of purchase, consumers are not provided with simple information to help them assess the security of devices.  This differs to the traffic light system used for food products in supermarkets, or the energy efficiency ratings provided for many electronic goods. The aim of the proposed research is to develop a Consumer Security Index for domestic IoT devices, and encourage its use to incentivise manufacturers to improve IoT device security.

Lead investigator(s): 

Professor Shane Johnson

Research Assistant(s): 

Dr John Blythe 

For information about this project contact: Dr John Blythe j.blythe@ucl.ac.uk


Rapid evidence assessment on labelling schemes and implications for consumer IOT security

This document can be found on the GOV.UK website as part of the Government's Code of Practice for Consumer Internet of Things (IoT) Security for manufacturers, with guidance for consumers on smart devices at home: Secure by Design