Threat Research

We scanned the world of IoT – it’s not what you think it is

Jeff Elder, 21 June 2019

Stanford and Avast researchers analyzed user-initiated scans of 83 million IoT devices in 16 million homes and found three big truths you don’t often hear about

The Internet of Things is a panoply of ingenious new devices making our future more convenient and sophisticated – until the machines turn on us and the whole thing comes crashing down.

At least, that’s the narrative that often plays out in popular culture. Research and the media can also reflect this view of a sprawling variety of sophisticated devices all making up one big connected network. The problem is, that’s not really what the Internet of Things is like in real people’s actual homes.

Researchers from Stanford University and Avast analyzed user-contributed scans of 16 million homes and 83 million devices. The researchers found three big truths about the security of smart devices that you almost never hear about.

There isn’t one Internet of Things – there are many

The types of IoT devices that are commonly found in homes varies greatly from region to region. Surveillance cameras are most popular in South and Southeast Asia, while work appliances, such as printers and fax machines prevail in East Asia and Sub-Saharan Africa, and home assistants are present in 10% of homes in North America but have yet to see significant adoption in other markets. The security of IoT devices also varies greatly in different regions, the researchers found by examining devices’ open services, weak default credentials, and vulnerability to known attacks.

A small group of vendors dominates

More than 90% of Internet of Things devices are made by just 100 manufacturers, and the researchers found that security safeguards from just a few vendors could have global impact. “This puts these manufacturers in a unique position to ensure that consumers have access to devices with strong privacy and security by design,” said Rajarshi Gupta, Head of artificial intelligence at Avast. Some device types are dominated by a small handful of vendors. For example, Amazon and Google account for over 90% of voice assistant devices globally. Game consoles are dominated by three major players (Microsoft, Sony, Nintendo) in almost every region across the world.

Older devices are often overlooked

Researchers also found that there has been a fundamental misunderstanding of what devices consumers are actually adopting, and how they are configured in practice. Recent security research has focused on new home IoT devices, such as smart locks and home automation. The research results suggest that while these devices are growing in importance in western regions, they are far from the most common IoT devices around the world. Instead, home IoT in many places is better characterized by smart TVs, printers, game consoles, and surveillance devices – devices that have been connected to our home networks for more than a decade and have the weakest security. “These devices must be considered because home networks are only as secure as their weakest link,” said Deepali Garg, senior Data Scientist at Avast. “Instead of being afraid of the latest smart devices, consumers should take a few minutes to secure the printers and game consoles they have had for years.”

The researchers recommended that the security community start addressing these challenges by encouraging the largest offending vendors to adopt better security practices. On the policy end, law enforcement and legal entities have started to provide legal disincentives for weak security practices, the report notes. Here’s how you can take a look at the security of your smart devices.

How privacy was safeguarded in the study

For the paper, Stanford and Avast researchers leveraged data collected from user-initiated network scans in 16M households that agreed to share data for research and development purposes. To ensure that the data was collected in line with user expectations, researchers only collected statistics about homes where the user explicitly agreed to share data for research purposes. Researchers never had access to data about individual homes or users; no personally identifiable information was ever shared with them.

The findings have been published in a new research paper, being presented at the Usenix Security Conference 2019, “All Things Considered: An Analysis of IoT Devices on Home Networks” and can be found here.