Infosec professionals, consumer advocates and the media frequently sound the alarm about the proliferation of Internet of Things (IoT) devices. Many of these devices have known vulnerabilities and do little to protect user data.
And yet, when a person purchases an IoT device, privacy and security are likely afterthoughts, according to a new study from Carnegie Mellon University’s CyLab. One of the authors is CyLab director Lorrie Cranor, who co-founded Wombat Security Technologies, now Proofpoint Security Awareness Training.
The research paper is titled “Exploring How Privacy and Security Factor into IoT Device Purchase Behavior.” It reports findings from interviews with 24 IoT device buyers.
IoT Buyers’ Remorse
The study found that about half of the purchasers—a group representing both technical and non-technical backgrounds—had “limited and often incorrect knowledge about privacy and security.” This lack of knowledge impacted their ability to make informed decisions, according to the authors.
“Most of the participants did not consider privacy and security when making their purchase, but had privacy and security related concerns after the purchase,” said researcher Pardis Emami-Naeini. “These post-purchase concerns were mostly caused by learning about concerns from friends, media reports, or the device functioning in some unexpected way.”
Why Infosec Pros Should Worry
Although individuals who buy risky devices will experience the most immediate consequences, these buying behaviors should raise concerns for infosec professionals and their organizations. One issue is that an individual’s personal IoT devices are likely to share a network with devices used for work tasks.
For our 2018 User Risk Report, we surveyed 6,000 working adults across six countries about their personal cybersecurity habits, including the types of devices used on their home networks. We found that those home Wi-Fi networks are often entirely unprotected, which makes the well-documented IoT vulnerabilities all the more worrying: an unsecured home network puts every device on it, work devices included, within reach of anyone nearby. Among other risks, easily accessible home networks could open the door for attackers to compromise remote workers and their employers’ sensitive information.
Raising Awareness of IoT Security and Privacy
“It’s up to the consumers to purchase secure devices or private devices, and we need to empower them to make those decisions themselves,” said CyLab researcher Emami-Naeini. The study proposes developing a prototype standard advisory label for IoT devices, similar to the nutrition labels on food packaging. This label would help inform concerned consumers about an IoT device’s privacy and security before the sale.
But what about the people who don’t already appreciate what’s at stake when buying an IoT device?
As mentioned earlier, about half of the interviewees had only limited and often incorrect knowledge. On the other end of the spectrum, 21% had relevant knowledge and were proactive about applying it before, during and after an IoT purchase. Another 16% of buyers said they were “unconcerned” about the security of IoT devices, both before and after purchasing them. According to the study, this group usually “did not perceive the collected data to be sensitive,” or they “expressed self-efficacy toward protecting themselves against the privacy or security related threats.”
Our IoT Q&A and Security Checklist
While unconcerned consumers might benefit most from security awareness training and information about IoT security, everyone should have an understanding of the security concerns related to these devices—and a healthy degree of caution.
To that end, we’ve created a Q&A and checklist that explain what IoT devices are and the steps people should take to improve IoT security. We encourage you to share this infographic with your colleagues and end users to help them minimize IoT risks.