featured

Security and the Internet of Things: How to better protect consumers

Opinion | 18 September 2020

Kayleen Manwaring

Senior Lecturer

The Australian government has introduced a new code of practice to boost the security of IoT devices, but it may actually expose consumers to even greater risks, write UNSW Business School's Dr Kayleen Manwaring and UNSW Law's Dr Roger Clarke

From internet-connected televisions, toys, fridges, ovens, security cameras, door locks, fitness trackers and lights, the so-called “Internet of Things” (IoT) promises to revolutionise our homes.

But it also threatens to increase our vulnerability to malicious acts. Security flaws in IoT devices are common. Hackers can exploit those vulnerabilities to take control of devices, steal or change data, and spy on us.

In recognition of these risks, the Australian government has introduced a new code of practice to encourage manufacturers to make IoT devices more secure. The code provides guidance on secure passwords, the need for security patches, the protection and deletion of consumers’ personal data and the reporting of vulnerabilities, among other things.

The problem is the code is voluntary. Experiences elsewhere, such as the UK, suggest a voluntary code will be insufficient to deliver the protections consumers need.

Indeed it might even increase risks, by lulling consumers into a false sense of security about the safety of the devices they buy.

Smart speakers with couple standing in the background (1).jpg — Household devices such as a smart TV, portable speaker and voice assistants may allow potentially serious safety and security breaches. Image: Shutterstock

Many IoT devices are insecure

IoT devices designed for consumers are generally less secure than conventional computers.

In 2017 the Australian Communications Consumer Action Network commissioned researchers from the University of New South Wales to test the security of 20 household appliances capable of being connected and controlled via wi-fi.

These included a smart TV, portable speaker, voice assistant, printer, sleep monitor, digital photo frame, bathroom scales, light bulb, power switch, smoke alarm and Hello Barbie talking doll.

While some devices (including the Barbie) were found to be relatively secure in terms of confidentiality, all had some form of security flaw. Many “allowed potentially serious safety and security breaches”.

What this could potentially mean is that someone could, for example, hack into a household’s wi-fi network and collect data from IoT devices. It might be as simple as knowing when lights are switched on to determine when a home can be burgled. Someone with more malicious intent could turn on your oven while shutting down smoke alarms and other sensors.

Computer screen says system hacked (1).jpg — Many consumers might not fully appreciate the security risks from IoT devices. Image: Shutterstock

Risks to consumers, and society

Factors leading to poor security in IoT devices include manufacturers’ desires to minimise componentry and keep costs down. Many makers of consumer goods also have little experience with cyber-security issues.

Allied with the fact many consumers aren’t technologically savvy enough to appreciate the risks and protect themselves, this creates the prospect of IoT devices being exploited.

On a personal level, you could be spied on and harassed. Personal pictures or information could be exposed to the world or used to extort you.

On a societal level, IoT devices can be hijacked and used collectively to shut down services and networks. Even compromising one device may enable connected infrastructure to be hacked. This is a rising concern as more people connect to workplace networks from home.

Factory worker assembling smartphones with screwdriver.jpg — Factors leading to poor security in IoT devices include manufacturers’ desires to minimise componentry and keep costs down. Image:

Voluntary codes of practice

In recognition of these threats, IoT security “good practice” guidelines have been proposed by standards bodies such as the US National Institute of Standards and Technology, the European Telecommunications Standards Institute and the Internet Engineering Task Force. But these guidelines are based on voluntary action by manufacturers.

The UK government has already concluded the voluntary code of conduct it established in 2018 isn’t working.

Britain’s Minister for Digital Infrastructure, Matt Warman, said in July:

Despite widespread adoption of the guidelines in the Code of Practice for Consumer Internet of Things Security, both in the UK and overseas, change has not been swift enough, with poor security still commonplace.

The UK is now moving to impose a mandatory code, with laws requiring manufacturers to deliver reasonable security features in any device that can connect to the internet.

handshake between two business partners (1).jpg — There needs to be a 'co-regulatory approach' to making IoT devices safer for consumers, which would mix aspects of industry self-regulation with both government regulation and strong community input. Image: Shutterstock

A case for co-regulation

There is little reason to believe Australia’s voluntary code of practice will prove any more effective than in the UK.

A better option would have been a “co-regulatory” approach. Co-regulation mixes aspects of industry self-regulation with both government regulation and strong community input. It includes laws that create incentives for compliance (and disincentives against non-compliance) and regulatory oversight by an independent (and well-resourced) watchdog.

The Australia government has, at least, described its new code of practice as “a first step” to improving the security of IoT devices.

Let’s hope so. If the UK experience is anything to go by, its next steps will include dumping a voluntary code for something with a greater chance of delivering the safety and security consumers – and society – need.

Dr Kayleen Manwaring is a Senior Lecturer in the School of Taxation ＆ Business Law at UNSW Business School, and Dr Roger Clarke is a Visiting Professor in Law at UNSW Sydney. This article first appeared on The Conversation.

Security Risk Technology Government Digital Data Social media Regulation Artificial Intelligence

Republish this article

Republish

You are free to republish this article both online and in print. We ask that you follow some simple guidelines.

Please do not edit the piece, ensure that you attribute the author, their institute, and mention that the article was originally published on Business Think.

By copying the HTML below, you will be adhering to all our guidelines.

Press Ctrl-C to copy

<h1>Security and the Internet of Things: How to better protect consumers</h1>

<figure><img src="https://assets-us-01.kc-usercontent.com:443/4df0558d-5779-0012-00f2-b3fa06d6c950/2578d380-542b-4bca-ba82-e463ec7881e7/Close-up%20of%20hand%20working%20on%20digital%20tablet%20%281%29.jpg?w=1320" alt="How can Australia make the Internet of Things safer?" /><figcaption>How can Australia make the Internet of Things safer?</figcaption></figure>
 From internet-connected televisions, toys, fridges, ovens, security cameras, door locks, fitness trackers and lights, the so-called “Internet of Things” (IoT) promises to revolutionise our homes.
But it also threatens to increase our vulnerability to malicious acts. Security flaws in IoT devices <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3464277" data-new-window="true" target="_blank" rel="noopener noreferrer">are common</a>. Hackers can exploit those vulnerabilities to take <a href="https://www.theguardian.com/technology/2016/aug/10/vibrator-phone-app-we-vibe-4-plus-bluetooth-hack" data-new-window="true" target="_blank" rel="noopener noreferrer">control</a> of devices, <a href="https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/#36f0856d32b9" data-new-window="true" target="_blank" rel="noopener noreferrer">steal or change data</a>, and <a href="https://www.forbes.com/sites/josephsteinberg/2014/01/27/these-devices-may-be-spying-on-you-even-in-your-own-home/#6823a7fcb859" data-new-window="true" target="_blank" rel="noopener noreferrer">spy on us</a>. 
In recognition of these risks, the Australian government has introduced a new <a href="https://www.homeaffairs.gov.au/reports-and-pubs/files/code-of-practice.pdf" data-new-window="true" target="_blank" rel="noopener noreferrer">code of practice</a> to encourage manufacturers to make IoT devices more secure. The code provides guidance on secure passwords, the need for security patches, the protection and deletion of consumers’ personal data and the reporting of vulnerabilities, among other things.
The problem is the code is voluntary. Experiences elsewhere, such as the UK, suggest a voluntary code will be insufficient to deliver the protections consumers need.
Indeed it might even increase risks, by lulling consumers into a false sense of security about the safety of the devices they buy.
<figure class="figure"><img src="https://assets-us-01.kc-usercontent.com:443/4df0558d-5779-0012-00f2-b3fa06d6c950/34868e8c-f690-45bc-9aef-db52a465107c/Smart%20speakers%20with%20couple%20standing%20in%20the%20background%20%281%29.jpg" class="figure-img" alt="Smart speakers with couple standing in the background (1).jpg"><figcaption class="figure-caption">Household devices such as a smart TV, portable speaker and voice assistants may allow potentially serious safety and security breaches. Image: Shutterstock</figcaption></figure>
<h4>Many IoT devices are insecure</h4>
IoT devices designed for consumers are generally less secure than conventional computers.
In 2017 the Australian Communications Consumer Action Network commissioned researchers from the University of New South Wales to test the security of 20 <a href="https://accan.org.au/files/Grants/UNSW-ACCAN_InsideJob_web.pdf" data-new-window="true" target="_blank" rel="noopener noreferrer">household appliances</a> capable of being connected and controlled via wi-fi.
These included a smart TV, portable speaker, voice assistant, printer, sleep monitor, digital photo frame, bathroom scales, light bulb, power switch, smoke alarm and Hello Barbie talking doll. 
While some devices (including the Barbie) were found to be relatively secure in terms of confidentiality, all had some form of security flaw. Many “allowed potentially serious safety and security breaches”.
What this could potentially mean is that someone could, for example, hack into a household’s wi-fi network and collect data from IoT devices. It might be as simple as knowing when lights are switched on to determine when a home can be burgled. Someone with more malicious intent could <a href="https://phys.org/news/2017-10-flaw-hackers-smart-ovens.html" data-new-window="true" target="_blank" rel="noopener noreferrer">turn on your oven</a> while shutting down smoke alarms and other sensors.
<figure class="figure"><img src="https://assets-us-01.kc-usercontent.com:443/4df0558d-5779-0012-00f2-b3fa06d6c950/c346667d-2704-4007-b3b2-e3726a376564/Computer%20screen%20says%20system%20hacked%20%20%281%29.jpg" class="figure-img" alt="Computer screen says system hacked (1).jpg"><figcaption class="figure-caption">Many consumers might not fully appreciate the security risks from IoT devices. Image: Shutterstock</figcaption></figure>
<h4>Risks to consumers, and society</h4>
Factors leading to <a href="http://www5.austlii.edu.au/au/journals/DeakinLawRw/2017/3.html" data-new-window="true" target="_blank" rel="noopener noreferrer">poor security in IoT devices</a> include manufacturers’ desires to minimise componentry and keep costs down. Many makers of consumer goods also have little experience with cyber-security issues.
Allied with the fact many consumers <a href="https://accan.org.au/files/Grants/UNSW-ACCAN_InsideJob_web.pdf" data-new-window="true" target="_blank" rel="noopener noreferrer">aren’t technologically savvy</a> enough to appreciate the risks and protect themselves, this creates the prospect of IoT devices being exploited.
On a personal level, you could be <a href="https://www.vice.com/en_au/article/d3akpk/smart-home-technology-stalking-harassment" data-new-window="true" target="_blank" rel="noopener noreferrer">spied on and harassed</a>. Personal pictures or information could be <a href="https://www.ftc.gov/system/files/documents/cases/140207trendnetcmpt.pdf" data-new-window="true" target="_blank" rel="noopener noreferrer">exposed to the world</a> or used to extort you.
On a societal level, IoT devices can be <a href="https://elie.net/static/files/understanding-the-mirai-botnet/understanding-the-mirai-botnet-paper.pdf" data-new-window="true" target="_blank" rel="noopener noreferrer">hijacked</a> and used collectively to shut down services and networks. Even compromising one device may enable connected infrastructure to be hacked. This is a rising concern as more people connect to <a href="https://www.iotworldtoday.com/2020/03/24/cybersecurity-crisis-management-during-the-coronavirus-pandemic/" data-new-window="true" target="_blank" rel="noopener noreferrer">workplace networks</a> from home.
<figure class="figure"><img src="https://assets-us-01.kc-usercontent.com:443/4df0558d-5779-0012-00f2-b3fa06d6c950/3294e51a-38b1-418d-a8a4-395829e777b4/Factory%20worker%20assembling%20smartphones%20with%20screwdriver.jpg" class="figure-img" alt="Factory worker assembling smartphones with screwdriver.jpg"><figcaption class="figure-caption">Factors leading to poor security in IoT devices include manufacturers’ desires to minimise componentry and keep costs down. Image: </figcaption></figure>
<h4>Voluntary codes of practice</h4>
In recognition of these threats, IoT security “good practice” guidelines have been proposed by standards bodies such as the <a href="https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program" data-new-window="true" target="_blank" rel="noopener noreferrer">US National Institute of Standards and Technology</a>, the <a href="https://www.etsi.org/deliver/etsi_ts/103600_103699/103645/01.01.01_60/ts_103645v010101p.pdf" data-new-window="true" target="_blank" rel="noopener noreferrer">European Telecommunications Standards Institute</a> and the <a href="https://datatracker.ietf.org/doc/rfc8520/" data-new-window="true" target="_blank" rel="noopener noreferrer">Internet Engineering Task Force</a>. But these guidelines are based on voluntary action by manufacturers.
The UK government has already <a href="https://www.gov.uk/government/publications/proposals-for-regulating-consumer-smart-product-cyber-security-call-for-views/proposals-for-regulating-consumer-smart-product-cyber-security-call-for-views" data-new-window="true" target="_blank" rel="noopener noreferrer">concluded</a> the voluntary code of conduct it <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/773867/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf" data-new-window="true" target="_blank" rel="noopener noreferrer">established in 2018</a> isn’t working.
Britain’s Minister for Digital Infrastructure, Matt Warman, said in July:
Despite widespread adoption of the guidelines in the <a href="https://www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security" data-new-window="true" target="_blank" rel="noopener noreferrer">Code of Practice for Consumer Internet of Things Security</a>, both in the UK and overseas, change has not been swift enough, with poor security still commonplace.
The UK is now <a href="https://www.gov.uk/government/consultations/consultation-on-regulatory-proposals-on-consumer-iot-security" data-new-window="true" target="_blank" rel="noopener noreferrer">moving</a> to impose a mandatory code, with laws requiring manufacturers to deliver reasonable security features in any device that can connect to the internet.
<figure class="figure"><img src="https://assets-us-01.kc-usercontent.com:443/4df0558d-5779-0012-00f2-b3fa06d6c950/844b7a68-d837-4dec-8570-ed54ed6b977c/handshake%20between%20two%20business%20partners%20%281%29.jpg" class="figure-img" alt="handshake between two business partners (1).jpg"><figcaption class="figure-caption">There needs to be a 'co-regulatory approach' to making IoT devices safer for consumers, which would mix aspects of industry self-regulation with both government regulation and strong community input. Image: Shutterstock</figcaption></figure>
<h4>A case for co-regulation</h4>
There is little reason to believe Australia’s voluntary code of practice will prove any more effective than in the UK.
A better option would have been a “<a href="http://rogerclarke.com/DV/CACM99.html#RegF" data-new-window="true" target="_blank" rel="noopener noreferrer">co-regulatory</a>” approach. Co-regulation mixes aspects of industry self-regulation with both government regulation and strong <a href="http://rogerclarke.com/EC/AIR.html#CRF" data-new-window="true" target="_blank" rel="noopener noreferrer">community input</a>. It includes laws that create incentives for compliance (and disincentives against non-compliance) and regulatory oversight by an independent (and well-resourced) watchdog.
The Australia government has, at least, described its new code of practice as “a first step” to improving the security of IoT devices.
Let’s hope so. If the UK experience is anything to go by, its next steps will include dumping a voluntary code for something with a greater chance of delivering the safety and security consumers – and society – need.
<a href="https://www.business.unsw.edu.au/our-people/kayleenmanwaring" data-new-window="true" target="_blank" rel="noopener noreferrer">Dr Kayleen Manwaring</a> is a Senior Lecturer in the School of Taxation ＆ Business Law at UNSW  Business School, and <a href="https://www.law.unsw.edu.au/staff/roger-clarke" data-new-window="true" target="_blank" rel="noopener noreferrer">Dr Roger Clarke</a> is a Visiting Professor in Law at UNSW Sydney. This article first appeared on The Conversation.

Comments