Threat Intelligence

1/10/2019
11:30 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Consumers Demand Security from Smart Device Makers

Poll shows individuals want better security from IoT device manufacturers as connected products flood the market.

More than 90% of people want manufacturers to step up their security practices, and 74% would pay more for a product with additional security built in, Microsoft reported today.

There will be 25 billion Internet of Things (IoT) devices connecting the world by 2021, Gartner research indicates, and two-thirds of them will be for consumers. To learn more about consumer demand for connected products, their demand for security, and who they consider responsible for security, Microsoft teamed up with Greenberg Strategy to poll 3,000+ people across the US, UK, and Germany.

They learned security is the top consideration among people shopping for an IoT device — and most buyers don't think companies are doing enough to protect them. Researchers say this creates an opportunity for device manufacturers to gain a competitive edge with security.

"Consumers have become more aware that smart devices bring risks into their homes, although they are often confused on exactly what those risks are and how probable they are," says Galen Hunt, distinguished engineer and managing director for Microsoft's Azure Sphere.

Some of the bigger IoT attacks — for instance, the 2016 attacks on Dyn using Mirai — became public knowledge. People often see IoT security risks in the news, reading about baby monitors becoming spying devices and hackers controlling connected cars. Security attacks feel like an invasion of privacy they generally want to avoid when they buy devices.

Most people say they're likely to shop for a smart device in the next year. A smart TV is highest on their list (41%), followed by home security camera (36%), home security system (32%), lighting (31%), thermostat (26%), and speakers (23%). Smart ovens came in last (18%). Connected devices are pervasive, Hunt points out, and they all bring a similar risk level.

"Each node, or device, is connected to the broader network, and any link that breaks creates vulnerability to the network as a whole," he explains.

Security Comes Top of Mind
When asked what factors play into their shopping decisions, security came on top at 21%, followed by value for money (20%), ease of use (11%), trusted brand (9%), and ease of setup (7%). Ninety percent of consumers think any piece of smart tech can be hacked, according to the survey.

But what are consumers worried will happen? More than half (52%) are most concerned about a personal data breach, while 19% fear their physical safety will be at risk. Nine percent are worried about personal privacy, 8% about government spying, 8% about corporate data misuse, and 3% about botnets. Unfortunately, their fears don't translate to smart security practices.

"People generally do want to take the right steps," says Hunt, pointing to a campaign for AV software installation on consumer PCs about 20 years ago. People recognize the need to put AV on their computers; when they don't, machines will start showing signs of infection. "In today's threat landscape, IoT devices won't show as many visible signs — no noticeable lethargy, no visible popups — that give consumers clues there may be something amiss," he adds.

Users think about security in their day-to-day lives: They lock their doors (82%) and close their windows (72%) before leaving their homes. But device security leads to false assumptions and resignation as people are both confused and unaware of how to approach security, researchers say. Sure, 90% accurately say software updates help maintain device security, but 65% think they can improve device security by avoiding sensitive conversations around their smart products.

Because they're unsure of device security, consumers want manufacturers to do better. Sixty-five percent wouldn't buy a smart product that had been hit with a security breach, researchers found. Further, says Hunt, the attack landscape for smart devices is so complex, it would be impossible for customers to take any action that mitigates all the risks their devices bring.

"This is why we feel it is imperative that manufacturers assume responsibility by building highly secured devices from the beginning," he adds. One of his greatest concerns is that today, security is an afterthought — a problem that device makers assume they can solve later. In truth, Hunt notes, no amount of bolt-on security will protect users from dogged adversaries.

He's also concerned device manufacturers are confused about the level of security they need. Many security solutions are on the market, says Hunt, but not all security is built equally. There's a big difference between secured devices and devices with a few security features. Thankfully, he says, companies are becoming aware of the risk security can bring to their brand. Companies that seize responsibility today will have an "incredible advantage" in the future.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.