Cyber Security of Consumer Devices

Key Points:

• There is a growing UK market for internet-connected devices such as smart home appliances and home monitoring systems. These devices can provide economic and social benefits, but stakeholders have expressed concerns about the poor security of many devices.
• The poor cyber security of these devices can lead to data loss, privacy infringements and risks to physical safety and security. Large-scale attacks involving many insecure devices have resulted in the widespread disruption of online services. Common targets include devices with default or common passwords, known software vulnerabilities, or software that is out-of-date.
• A lack of economic incentives, fragmented industry standards, and some user behaviours contribute to poor cyber security.
• Both manufacturers and consumers may lack incentives to invest in security features. The economic costs of large-scale cyber-attacks often fall on third parties, such as online service providers. Consumers may not have the information and technical expertise that is required to purchase and set-up devices securely.
• The UK Government has produced a voluntary Code of Practice for the development, manufacturing and retail of connected consumer devices, which it may decide to enforce through regulation. The guidelines aim to encourage a “secure by design” approach, reducing the burden on consumers to ensure that their devices are secure. The Government is also considering a labelling scheme to help inform consumers.
• Challenges to improving the cyber security of consumer devices include the complexity of supply chains, difficulties assessing security, and a shortage of cyber security expertise.
• Among stakeholders, there is currently debate over the introduction of mandatory standards or labelling schemes for connected consumer devices, as well as the adequacy of product safety, liability and consumer rights laws.

Acknowledgements

POSTnotes are based on literature reviews and interviews with a range of stakeholders, and are externally peer reviewed. POST would like to thank interviewees and peer reviewers for kindly giving up their time during the preparation of this briefing, including:

• Arm Ltd*
• British Retail Consortium*
• BSI Group*
• Cyber Aware*
• David Rogers, Copper Horse Ltd
• Department for Digital, Culture, Media & Sport*
• Department for Business, Energy & Industrial Strategy
• Dr Greig Paul, University of Strathclyde
• Dr John Blythe, University College London & CybSafe*
• Dr Leonie Tanczer, University College London*
• Dr Madeline Carr, Research Institute in Science of Cyber Security & University College London*
• Dr Simon Parkin, University College London*
• The European Consumer Organisation (BEUC)*
• National Cyber Security Centre*
• Ofcom*
• Office for National Statistics*
• Professor Andy Stanford-Clark, IBM*
• Professor Carsten Maple, WMG’s Cyber Security Centre, University of Warwick*
• Professor Jim Norton
• Professor Martyn Thomas, Gresham College*
• Professor Ross Anderson, Cambridge Cybercrime Centre, University of Cambridge*
• Professor Shane Johnson, Dawes Centre for Future Crime, University College London
• Royal Academy for Engineering*
• techUK*

*Denotes those who acted as external reviewers of the briefing.