Influencing government policy on IoT connected device security

Dr Jason Nurse, Associate Professor (Senior Lecturer) from the School of Computing and Institute of Cyber Security for Society (iCSS), has contributed to a new government-commissioned Ipsos MORI report, which is being used to influence government policy on regulating consumer smart product cyber security.

The challenge

Consumer IoT (Internet of Things) products or connected devices, including smart devices such as TVs, cameras, mobile phones, watches and speakers, offer a huge range of benefits to users but can also be vulnerable to cyber-attacks. Ipsos MORI was commissioned by the Department for Digital, Culture, Media and Sport (DCMS) to undertake an online survey of the UK public to explore consumer purchasing behaviour of, and attitudes to, connected devices.

The approach

Dr Jason Nurse, Senior Lecturer (Associate Professor) in Cyber Security and Public Engagement Lead in the Institute of Cyber Security for Society (iCSS), worked with Ipsos MORI to contribute to the final report.

The result

The Ipsos MORI report, titled ‘Consumer Attitudes Towards IoT security’, reveals the findings of an online survey of the UK public, exploring consumer purchasing behaviour of, and attitudes towards, connected devices. The survey found that since March 2020, approximately 50% of UK residents have purchased at least one new smart device. When this is paired with other research showing significant increases in cybercrime since the start of the pandemic, it is easy to see the urgency of policy development in this area.

Key findings of the report include:

  • Smartphones are the most commonly owned devices among UK consumers (87%).
  • Only one in five consumers (20%) report checking the minimum support period (the length of time the product will receive updates for) when purchasing a smart device.
  • Seven in ten consumers (71%) agree it is important that information on minimum support periods is made publicly accessible for consumers.
  • Nine in ten consumers (87%) say smart devices should have basic embedded features to protect user privacy and security.
  • Around eight in ten consumers (84%) agree that those in the supply chain have a responsibility to make such checks and be aware of security features in products before they are sold.

Other research, such as that conducted by the consumer group Which?, found that a third of people kept their last phone for four years, while some brands only offer security updates for a little over two years. Combined with that research, this report has helped shape the planning of a new law proposal by the UK government, which will state:

  1. Customers must be informed at the point of sale of the duration of time for which a smart device will receive security software updates.
  2. A ban on manufacturers using universal default passwords, such as ‘password’ or ‘admin’, that are often preset in a device’s factory settings and are easily guessable.
  3. Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.

Dr Jason Nurse said: “Smart devices and connected products offer a range of opportunities to streamline and enhance our lives. As we’ve showed in this report however, security is not always a primary factor with these devices, but it should be. I am glad to see our work be used to influence government policy and look forward to seeing more secure consumer smart products.”