Cyber Security of Consumer Devices

Key Points:

  • There is a growing UK market for internet-connected devices such as smart home appliances and home monitoring systems. These devices can provide economic and social benefits, but stakeholders have expressed concerns about the poor security of many devices.
  • The poor cyber security of these devices can lead to data loss, privacy infringements and risks to physical safety and security. Large-scale attacks involving many insecure devices have resulted in the widespread disruption of online services. Common targets include devices with default or common passwords, known software vulnerabilities, or software that is out-of-date.
  • A lack of economic incentives, fragmented industry standards, and some user behaviours contribute to poor cyber security.
  • Both manufacturers and consumers may lack incentives to invest in security features. The economic costs of large-scale cyber-attacks often fall on third parties, such as online service providers. Consumers may not have the information and technical expertise that is required to purchase and set up devices securely.
  • The UK Government has produced a voluntary Code of Practice for the development, manufacturing and retail of connected consumer devices, which it may decide to enforce through regulation. The guidelines aim to encourage a “secure by design” approach, reducing the burden on consumers to ensure that their devices are secure. The Government is also considering a labelling scheme to help inform consumers.
  • Challenges to improving the cyber security of consumer devices include the complexity of supply chains, difficulties assessing security, and a shortage of cyber security expertise.
  • Among stakeholders, there is currently debate over the introduction of mandatory standards or labelling schemes for connected consumer devices, as well as the adequacy of product safety, liability and consumer rights laws.

Acknowledgements

POSTnotes are based on literature reviews and interviews with a range of stakeholders, and are externally peer reviewed. POST would like to thank interviewees and peer reviewers for kindly giving up their time during the preparation of this briefing, including:

  • Arm Ltd*
  • British Retail Consortium*
  • BSI Group*
  • Cyber Aware*
  • David Rogers, Copper Horse Ltd
  • Department for Digital, Culture, Media & Sport*
  • Department for Business, Energy & Industrial Strategy
  • Dr Greig Paul, University of Strathclyde
  • Dr John Blythe, University College London & CybSafe*
  • Dr Leonie Tanczer, University College London*
  • Dr Madeline Carr, Research Institute in Science of Cyber Security & University College London*
  • Dr Simon Parkin, University College London*
  • The European Consumer Organisation (BEUC)*
  • National Cyber Security Centre*
  • Ofcom*
  • Office for National Statistics*
  • Professor Andy Stanford-Clark, IBM*
  • Professor Carsten Maple, WMG’s Cyber Security Centre, University of Warwick*
  • Professor Jim Norton
  • Professor Martyn Thomas, Gresham College*
  • Professor Ross Anderson, Cambridge Cybercrime Centre, University of Cambridge*
  • Professor Shane Johnson, Dawes Centre for Future Crime, University College London
  • Royal Academy for Engineering*
  • techUK*

*Denotes those who acted as external reviewers of the briefing.

