Easier Said Than Done: The Failure of Top-Level Cybersecurity Advice for Consumer IoT Devices
Veerle van Harten, Carlos Hernández Gañán, Michel van Eeten, Simon Parkin

TL;DR
This paper examines the disconnect between top-level cybersecurity advice and the actual user instructions for consumer IoT devices. It finds that most devices do not support the full set of recommended security actions, which challenges user-centered security efforts.
Contribution
It identifies the misalignment between national cybersecurity advice and device instructions, highlighting the difficulty for non-expert users to implement recommended security measures effectively.
Findings
No device supports all four top security advice pieces.
36 out of 40 devices support only two of the four advice pieces.
Most device materials focus on updates, neglecting other security actions.
Abstract
Consumer IoT devices are generally assumed to lack adequate default security, thus requiring user action. However, it may not be immediately clear to users what action to take and how. This uncertainty begs the question of what the minimum is that the user-base can reliably be asked to do as a prompt to secure their devices. To explore this question, we analyze security actions advocated at a national level and how these connect to user materials for a range of specific devices. We identify four pieces of converging advice across three nation-level initiatives. We then assess the extent to which these pieces of advice are aligned with instruction materials for 40 different IoT devices across five device classes (including device manuals and manufacturer websites). We expose a disconnect between the advice and the device materials. A stunning finding is that there is not a single…
Taxonomy
Topics: Privacy, Security, and Data Protection · Information and Cyber Security · Internet Traffic Analysis and Secure E-voting
