Consumers unaware of the security risks posed by IoT devices, says report

As new connected devices come to market, further evidence emerges that consumers are unaware of the security risks they pose.

Around half of British people aren’t aware of the security dangers and challenges surrounding connected technology, according to a report released this week.

The IoT security whitepaper, commissioned and undertaken by tech firm Canonical, paints a dire picture of how webcams, smart thermostats, Wi-Fi routers, smart watches and other connected devices could be targeted by cyber criminals.

Consumers are disconnected

Overall, 2,000 UK-based consumers were surveyed for the report, which found that a staggering 48 percent aren’t aware of the fact that their IoT devices could be hijacked by hackers and used to initiate wide-scale cyber-attacks.

Over a third (37 percent) acknowledged that they’re not “sufficiently aware” of the dangers that can be caused by connected devices. This is despite the UK Government spending £12 million ($15m) on a cyber awareness campaign.

Consumers are also disconnected from news headlines relating to IoT attacks. Almost four out of five respondents (79 percent) said they’ve not seen or read a news story that deals with these dangers.

Lack of action to combat security risks

In another worrying statistic, 78 percent haven’t seen their distrust of IoT security grow over the past year, despite recent warnings from the government and other organisations.

A lack of mistrust is leading to a lack of action, the report suggests, with consumers failing to take recommended steps to protect their devices from attacks. Only 31 percent of consumers update their devices when new software versions are issued by manufacturers.

And, shockingly, 40 percent have never taken the steps to perform a firmware update at all. The same proportion believes that firmware updates should be dealt with by manufacturers.

Hacks becoming common

Unfortunately, it’s becoming all too common for cyber criminals to use consumer devices as pawns in wider attacks. In 2016, for example, 152,000 IoT devices were harnessed to launch an attack on French hosting firm OVH.

In this attack, the company was inundated with almost 1Tbps of traffic. The aim was to bring OVH and its systems down, affecting customers all across the world.

Thibaut Rouffineau, head of devices marketing at Canonical, said these findings paint a dire picture for the IoT industry. He believes that more must be done to educate consumers on the security implications.

“These figures are troubling, and should be a wake-up call for the industry. Despite good intentions, government campaigns for cyber-awareness and IoT security still have a long way to go,” he said.

“Ultimately the IoT industry needs to step up and take on responsibility. Government education of consumers and legislation will have a part to play.”

“But overall, the industry needs to take charge of keeping devices up to date and find a way to eliminate any potential vulnerabilities from devices before they can cause issues, rather than placing the burden on consumers.”

New wave of attacks

Paul Lipman, CEO at consumer security company BullGuard, told Internet of Business that smart devices are increasingly being compromised by cyber criminals.

“There are many examples of smart devices being hacked; the most notable were last year’s DDoS attacks, which took down many major websites including Netflix and Twitter. These attacks were launched from IoT devices that had been infected by the Mirai botnet,” he said.

“Given the poor state of security for many smart devices, such as passwords that can’t be changed, it’s easy for hackers to compromise them by creating malware specifically developed to infect and control the devices.”
