Developing a consumer security index for domestic IOT devices (CSI)

Research Summary

Internet enabled devices including smart televisions, security cameras and thermostats are now commonly found around the home. Devices such as these have enormous potential to transform society, but they also provide opportunities for crime.  For example, some devices (including ‘security’ cameras) lack basic password functionality or allow the use of default passwords, which can easily be guessed or even found on forums. Such vulnerabilities have been exploited to conduct Distributed Denial of Service (DDoS) attacks, which are used to make a website or online service unavailable. One such attack, which took place in 2016 knocked Twitter, Netflix and the Guardian Newspaper offline during the attack. Vulnerable internet enabled devices can also be targeted to steal personal information, including credit card details. 

While security should be designed into devices, there is little incentive for manufacturers to do so consistently. Moreover, at the point of purchase, consumers are not provided with simple information to help them assess the security of devices.  This differs to the traffic light system used for food products in supermarkets, or the energy efficiency ratings provided for many electronic goods. The aim of the proposed research is to develop a Consumer Security Index for domestic IoT devices, and encourage its use to incentivise manufacturers to improve IoT device security.

Policy briefing

A policy briefing document has been prepared for this project, entitled “How secure is consumer IoT?” The briefing is available by clicking here.

Lead investigator(s): 

Professor Shane Johnson

Research Assistant(s): 

Dr John Blythe 

For information about this project contact: Dr John Blythe j.blythe@ucl.ac.uk

Outputs:

• Johnson, S.D., Blythe, J.M., Manning, M., & Wong, G.T.W. (2020). The impact of IoT security labelling on consumer product choice and willingness to pay. PLoS ONE.
• Blythe, J.M., Sombatruang, N., & Johnson, S.D. (2019). What security features and crime prevention advice is communicated in consumer IoT device manuals and support pages? Journal of Cybersecurity, 5(1).
• Blythe, J.M., Johnson, S.D. (2019). A systematic review of crime facilitated by consumer Internet of Things. Security Journal.
• Blythe, J.M., & Johnson, S.D. (2018). The Consumer Security Index for IoT: A protocol for developing an index to improve consumer decision making and to incentivize greater security provision in IoT devices. IET Conference.
• Blythe, J.M., & Johnson, S.D. (2018). Rapid evidence assessment on labelling schemes and implications for consumer IoT security. DCMS: London.
• Blythe, J.M., Johnson, S.D., & Manning, M. (2019). What is security worth to consumers? Investigating willingness to pay for secure Internet of Things devices. Crime Science.