Scan of 16 million homes worldwide shows many consumers still use manufacturer passwords that come with devices
In the largest global study of the Internet of Things in consumers’ homes, researchers from Avast and Stanford University have shown a surprising emergence of IoT devices in consumer homes and shed light on a troubling number of devices that continue to use guessable passwords.
The study provides the first large-scale empirical analysis of IoT devices by leveraging user-initiated network scans of 83 million devices in 16 million households worldwide.
The findings will be published in a paper, All Things Considered: An Analysis of IoT Devices on Home Networks, which will be appearing at USENIX Security this week. Avast researchers scanned the devices to understand the distribution of IoT devices by type and manufacturer and to understand the security profiles of various devices. The findings were validated and analyzed in collaboration with Stanford researchers.
The researchers say it is vital that the security community understands the types of IoT devices that consumers install and their respective regional distributions given their increasing security and privacy implications. The new data provides concrete evidence of patterns that have previously been suspected but not proven.
“The security community has long discussed the security problems associated with emerging IoT devices. Unfortunately, these devices have long remained hidden behind home routers and we’ve had little large-scale data on the types of devices deployed in actual homes. This data helps us shed light on the global emergence of IoT and types of the security problems present in the devices real users own,” said Zakir Durumeric, a professor at Stanford University.
The paper quantifies the prevalence and distribution of IoT devices and their vendors. In addition, the analysis looks at differences in popular devices and vendors among various geographical regions. For instance, media devices are popular all over the world, but slightly less so in Asia and Africa; Southern Asia has a larger proportion of surveillance devices, such as cameras, than other regions.
While there are thousands of IoT manufacturers worldwide, 100 vendors account for more than 90% of devices and 400 vendors account for 99% of devices. Some device types are almost entirely dominated by one or two vendors. For instance, Amazon and Google produce 92% of voice assistants.
On the security front, Avast’s research finds a troubling trend. IoT devices widely use the FTP and Telnet protocols. Avast found that over 8% of all IoT devices use these protocols, and a larger percentage of these have weak credentials. While 8% might not appear to be a very large number, extrapolated over the approximately 7 billion IoT devices in the world it means 560 million devices support these older protocols.
“These are old protocols; they are easy and convenient, but burdened with security concerns – they were simply not designed to be secure. The widespread use of these is an indication of the dire state of security of these devices. Coupled with weak credentials, these devices are sitting ducks for malware such as Mirai, not to mention that such vulnerabilities on home routers leave the entire home at risk,” explains Deepali Garg, senior Data Scientist at Avast.
There were several ethical considerations related to the data. Avast’s Home Scanner collected data from inside users’ homes only when users explicitly agreed during the installation process to share data for research purposes. All the data used for the study was acquired from scans that the users initiated, and the users were informed of any vulnerabilities that were discovered on their networks. Additionally, Avast did not share any user data directly with collaborators.
The large scale of the study and its current global view of IoT are intended to help the cybersecurity industry as a whole address these growing challenges, the researchers wrote in the paper, saying: “We hope our analysis will help the security community focus on developing solutions that are applicable to IoT devices and homes in practice.”