Team: Dr. John Blythe (UCL), Prof. Shane Johnson (UCL)
Partners: Department for Digital, Culture, Media & Sport, UCL Dawes Centre for Future Crime, Home Office, Which?, IBM, The Behavioural Insights Team, MOPAC
Internet-connected devices, including smart televisions, security cameras and thermostats, are now commonly found around the home. Devices such as these have enormous potential to transform society, but they also provide opportunities for crime. For example, some devices (including ‘security’ cameras) lack basic password functionality or allow the use of default passwords, which can easily be guessed or even found on forums. Such vulnerabilities have been exploited to conduct Distributed Denial of Service (DDoS) attacks, which are used to make a website or online service unavailable. One such attack, which took place in 2016, knocked Twitter, Netflix and the Guardian newspaper offline. Vulnerable internet-connected devices can also be targeted to steal personal information, including credit card details.
While security should be designed into devices, there is little incentive for manufacturers to do so consistently. Moreover, at the point of purchase, consumers are not provided with simple information to help them assess the security of devices. This differs from the traffic light system used for food products in supermarkets, or the energy efficiency ratings provided for many electronic goods. The aim of the proposed research is to develop a Consumer Security Index for consumer IoT devices, and to encourage its use to incentivise manufacturers to improve IoT device security.
The aims of this project are:
- To review the security features currently provided with consumer IoT devices.
- To review crime prevention messaging provided in IoT device user manuals.
- To develop a Consumer Security Index for consumer IoT devices.
- To encourage retailers to use the Consumer Security Index, so that manufacturers are incentivised to improve the provision of security at the point of manufacture.