• Billions of connected devices are in use worldwide today, with smart home devices growing rapidly.
• But for the first time a global consensus for baseline security is emerging.
• To improve the security of connected devices for all consumers, the Cybersecurity Tech Accord, Consumers International, and I Am the Cavalry, representing more than 400 member organizations globally, are launching a Statement of Support around 5 security “must haves,” based on international standards.
• These include: no universal default passwords, keeping software updated, securely communicating, ensuring that personal data is secure, and implementing a vulnerability disclosure policy.

The global market for the consumer Internet of Things (IoT), from wearables to electronics to home appliances, is forecast to reach about $154 billion USD by 2028, compared to $45 billion in 2020, and is dominated by home automation applications. While North America currently holds the largest market share of connected devices, Asia Pacific will see significant growth by 2030. This growth is attributed to wider internet accessibility, investment in R&D, and uptake of smart devices like wearables and doorbells due to consumer concerns about health and safety from COVID-19.

Larger risk of potential cyber threats

As these connected devices play a larger role in our daily lives as consumers, the potential for cyber threats grows with them. New products coming onto the market continue to introduce vulnerabilities. In 2021, Consumer Reports found “11 security vulnerabilities in four new video doorbells and home security cameras—potentially exposing their owners to hacking or leaks of personal data, including email addresses and wifi passwords.”

Products in the home can be exposed to more than 12,000 hacking attempts in a single week, according to the consumer campaign organization Which?. We have already seen hackers successfully tapping into home cameras, threatening the safety and privacy of individuals and families. Smaller, cost-sensitive items with a range of different user interfaces, such as consumer IoT devices, often lack many of the security features of traditional computer products (i.e. desktop computers, laptops and smartphones).

While governments and industries are increasingly pursuing measures to improve the security of connected consumer devices, if global efforts remain fragmented or lack coordination with the private sector and other stakeholders, cybersecurity initiatives and their implementation will remain uneven at best.

Through the World Economic Forum’s Council on the Connected World, leaders from Consumers International, the Cybersecurity Tech Accord and I Am the Cavalry, representing more than 400 organizations globally, collaborated to recognize an emerging consensus on baseline cybersecurity provisions for consumer IoT devices.

Consensus on consumer IoT security provisions

Over 6 months, experts reflecting the interests of security researchers, technology providers, and consumers agreed on five security “must haves” as a minimum requirement for consumer-facing IoT devices. These reflect a growing international consensus and are key provisions of the ETSI standard 303-645, as well as many other international standards.

1. Must not have universal default passwords

2. Must keep software updated

3. Must have secure communication

4. Must ensure that personal data is secure

5. Must implement a vulnerability disclosure policy

This resulted in a Statement of Support that calls on device manufacturers and vendors to take immediate action. This statement has been endorsed by over 100 organizations from across stakeholder groups – including leading technology companies, industry organizations, civil society groups, and government cybersecurity agencies.

The expert working group states: “Taken together, these five device capabilities are found in over 100 standards, specifications and guidelines across the world and establish a minimum level of security which should form the basis of all consumer IoT cyber security standards, specifications and guidelines.”

Towards action

In the absence of baseline security requirements for connected devices, consumers are too often left unknowingly assuming unnecessary risk when using everyday products. Unsurprisingly, growing concerns around security and privacy risks are already driving consumers to distrust connected devices, undermining their potential benefits. Though a handful of governments are attempting to improve consumer IoT security through various regulatory approaches, global ICT supply chains will require harmonized efforts across markets to give consumers confidence in device security.

While smart devices can offer myriad benefits, including convenience and improved functionality, they must be developed with security in mind and used responsibly to avoid introducing unnecessary cyber risk. A global consensus – across stakeholder groups – on the five security provisions for device security in this statement is just a starting point, but an important one. More organizations from the public and private sectors must unite and cooperate to build a stronger, global foundation to fight cyber threats.

The expert group encourages those who are interested in establishing a global baseline for a secure and connected world to support the joint statement.