Academia, governments and industry frequently talk about the importance of IoT security. Fundamentally, the IoT environment has similar problems to other technology platforms such as Android: a fragmented market with no clear responsibilities or incentives for vendors to provide regular updates, and consumers for whom it's not clear how much (of a premium) they are willing to pay for (“better”) security and privacy.
Just two weeks ago, Belkin announced that it would shut down one of its cloud services, effectively turning several of its product lines of web cameras into useless bricks. Unlike other end-of-support announcements for IoT devices, which (only) mean that devices will never see an update again, many Belkin cameras simply refuse to work without the “cloud”. This is particularly disconcerting, as many see cloud-based IoT as one possible way to improve device security: remote update capabilities ease the maintenance effort for users.
In this post, I would like to introduce three papers, each talking about different aspects of IoT security: 1) consumer purchasing behaviour, 2) vendor response, and 3) an assessment of the ever-growing literature on “best-practices” from industrial, governmental, and academic sources.
In the first paper (Emami-Naeini et al.), the authors conducted a survey and 26 semi-structured interviews to analyse the pre- and post-purchase behaviour of consumers who had purchased at least one IoT device.
It was found that the privacy and security attributes of a product are among consumers' most important considerations, but they ranked them after product features and price, implying that security and privacy had little practical impact on their buying decision. When the authors asked the interviewees about their concerns with IoT devices after their purchase, about half of the participants mentioned privacy and security concerns without being prompted by the interviewer.
Almost all interviewees said that they were willing to pay a ‘premium of 10%-30% of the base price of the device’ for improved privacy and security. However, this was only true if the product came with an assurance that their security and privacy would be protected. Such guarantees are notoriously difficult to measure, particularly for consumer devices, so the researchers designed a detailed security label and surveyed prospective customers. Interviewees found the label to be understandable; however, they reported that they would trust well-known brands without such a label more than unfamiliar brands with one. This shows once again that customers’ self-perception of their motivations and their practical actions don’t necessarily align, and it reinforces the idea that gaining and maintaining reputation is vital for consumer trust and purchase behaviour.
The second paper (Nakajima et al.) analysed the patch management of six vendors for 450 consumer IoT devices in Japan and the US between 2006 and 2017. To this end, the authors collected all published vulnerabilities and patch information for the vendors Buffalo, IO-Data and NEC (JP) and Netgear, Linksys and D-Link (US).
While it was found that five out of six vendors release patches in a timely manner, vendors did not prioritise patches for severe vulnerabilities or flag them as such to their customers, and vendors did not improve their patch release times over the 12-year study period. It was also found that 97% of all vulnerabilities affecting the devices in Japan were disclosed through Coordinated Disclosure, whereas the corresponding figure for the US was 56% (38% were disclosed via Full Disclosure).
Even when a patch is available on the vendor's website, we know that customers generally do not update their devices. Asking 2000 end-users, Canonical found that only 31% of consumers update their IoT devices as soon as an update becomes available, 40% of consumers have never updated their device since they purchased it, and 8% did not know what firmware was. Crucially, the authors identified that vendors often implicitly “announce” End-of-Support for devices in certain regions while the same device is still supported elsewhere, effectively shortening the support period. Thus, they urge manufacturers to better coordinate their local markets to extend the support period across regions.
In the third paper (Bellman and van Oorschot), the authors reviewed 1014 items of advice (guidelines, recommendations, standards and practices) from industrial, governmental and academic sources.
While the basic concept of best practices is widely understood, the researchers demonstrate that 91% of the items are not easily actionable, but rather provide a list of desired outcomes. Thus the authors argue that ‘if security experts do not find that guidelines are easily actionable, then it is unrealistic to expect that (security non-expert) manufacturers will magically find a way to adopt and implement the practices’.
In an attempt to generate actionable recommendations, they reinterpreted the UK government guidelines on IoT security and classified each guideline according to stakeholder (hardware, platform, product, end-user…), implementation difficulty, and effectiveness. They found that 706 of the 1014 items (69.6%) need to be implemented in the Creation (pre-sales) stage of the device lifecycle and only 260 (25.6%) were in the users' hands, highlighting the critical position of manufacturers in improving device security. As ‘manufacturers are not well-incentivised to implement the established best practices’, the authors argue that educating users to make well-informed purchasing decisions is possibly the best way forward. Unfortunately, and contrary to their own approach of creating actionable practices, the authors do not discuss how we might go about this.
All three papers highlight that the IoT environment is a complex interplay of different forces: economic incentives, consumer expectations and behaviour, and a variety of über/best/good/common practices suggested by academia, industry and government which are not easily actionable and which are mostly out of the consumer’s hands.
It is apparent that the self-regulation of the IoT market has been largely unsuccessful, but there is no obvious way forward: Do we need a voluntary or mandatory IoT vendor ranking, and if so, how would it have to be designed so that consumers would bother using it? Should regulators introduce mandatory security update labels (S&P 2020) and what will be the effects of stricter product safety and liability regimes? Addressing and researching these questions will not only impact the IoT, but similarly other technology platforms.
Emami-Naeini et al., “Exploring How Privacy and Security Factor into IoT Device Purchase Behavior”, Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, 2019
Nakajima et al., “A Pilot Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States”, Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, 2019
Bellman and van Oorschot, “Best Practices for IoT Security: What Does That Even Mean?”, arXiv preprint 2004.12179, 2020