Security of Connected Devices

Background

Internet-connected devices are increasingly becoming part of everyday life. These devices are able to communicate and interact with other devices and external networks to share data. Everything from smartphones, smartwatches, appliances, fitness trackers, thermostats, and cars can now connect to the Internet. Estimates suggest there will be 5.4 billion connected devices in use worldwide by the year 2020.

However, the rapid spread and growth of connected devices has outpaced the development of security safeguards necessary to protect consumers. Studies have found security vulnerabilities to be common in all types of connected devices. In fact, connected devices are so susceptible to hacking that the Federal Bureau of Investigation released a public service announcement warning that connected devices in general are vulnerable to cybercrime and pose a security risk to consumers using them.

One concern is that attackers will compromise connected devices to gain access to consumers' sensitive personal information. Another is that attackers can exploit security weaknesses in a device to take control of the device itself. Once in control, they can make the device malfunction or use it in ways its owner never intended. In addition, attackers are enrolling compromised devices into botnets and using them to carry out large-scale attacks, such as distributed denial-of-service attacks, aimed at disrupting major websites.

To improve the security of connected devices, experts recommend that product developers build strong security protections into connected devices from the earliest stages of product development—that is, make sure the devices are “secure by design.” This ensures that securing the device is a priority from the beginning. In addition, it is important that devices are “secure by default” so that security protections are automatically active the moment the device is first used and do not depend on consumers having to take additional steps to configure the device for greater security.
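The difference between "secure by design" and "secure by default" is easier to see in code than in prose. The following is an added example, not code from the original page or from any device vendor: a first-boot provisioning routine for a hypothetical connected device, shown in the insecure form that studies keep finding in shipped products (shared factory password, remote administration and telnet exposed, updates left to the consumer) beside a hardened form that is protected from the moment it is powered on, plus an audit function that flags insecure defaults. The configuration keys and the hypothetical device settings are assumptions for illustration.

```python
"""Secure by design / secure by default, as an added example (not from the
original page or any vendor): first-boot provisioning for a hypothetical
connected device, insecure form beside hardened form, plus an audit that
flags insecure defaults. The setting names are assumptions for illustration."""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed example of the settings a device often ships with.
INSECURE_DEFAULTS: Dict = {
    "admin_password": "admin",     # shared, well-known factory credential, in clear text
    "password_hash": None,         # no hashed credential at all
    "telnet_enabled": True,        # remote shell exposed out of the box
    "remote_admin_enabled": True,  # management interface reachable from the Internet
    "auto_update": False,          # consumer must find and install patches
    "force_password_change": False,
    "tls_required": False,         # telemetry and PII sent in the clear
}

SHARED_FACTORY_PASSWORDS = {"admin", "password", "1234", "root", ""}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a per-device random salt; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def secure_defaults() -> Dict:
    """Provisioning that is secure the moment the device is first powered on:
    a unique per-device credential, no exposed remote services, updates on."""
    password = secrets.token_urlsafe(12)      # unique per device; printed on the label only
    salt, digest = hash_password(password)
    return {
        "admin_password": None,               # never stored in clear text
        "password_hash": (salt, digest),
        "telnet_enabled": False,
        "remote_admin_enabled": False,        # LAN-only until the owner opts in
        "auto_update": True,
        "force_password_change": True,        # rotate the label password on first login
        "tls_required": True,
        "_initial_password_for_label": password,  # leaves the factory only on the sticker
    }


def audit(config: Dict) -> List[str]:
    """Return the secure-by-default violations found in a device configuration."""
    findings: List[str] = []
    if config.get("admin_password") is not None:
        findings.append("credential stored in clear text")
        if config["admin_password"] in SHARED_FACTORY_PASSWORDS:
            findings.append("shared factory password")
    if config.get("password_hash") is None:
        findings.append("no hashed credential")
    if config.get("telnet_enabled"):
        findings.append("telnet enabled")
    if config.get("remote_admin_enabled"):
        findings.append("remote administration exposed by default")
    if not config.get("auto_update"):
        findings.append("automatic updates off")
    if not config.get("force_password_change"):
        findings.append("no forced credential change on first login")
    if not config.get("tls_required"):
        findings.append("PII may be transmitted without encryption")
    return findings


def verify_login(config: Dict, password: str) -> bool:
    """Check a login attempt against the hashed credential (constant-time compare)."""
    if config.get("password_hash") is None:
        return False
    salt, digest = config["password_hash"]
    return secrets.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    print("insecure defaults:", audit(INSECURE_DEFAULTS))
    hardened = secure_defaults()
    print("hardened defaults:", audit(hardened))
    print("label password accepted:", verify_login(hardened, hardened["_initial_password_for_label"]))
    print("'admin' accepted:", verify_login(hardened, "admin"))
```

The point of the audit is that every finding it reports is something the consumer would otherwise have to discover and fix by hand; "secure by default" means the shipped configuration produces an empty findings list without any user action, and "secure by design" means the provisioning code was written so that it cannot produce the insecure one.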

Security of Connected Devices: Policy

Policymakers and the private sector should:

  • limit the collection of personally identifiable information (PII) to the minimum required for the product or service to function;
  • retain collected data only as long as necessary and securely dispose of it when it is no longer needed;
  • employ “secure by design” and “secure by default” principles when developing products or services;
  • test security throughout the development of the product or service, and continue testing after the device is released to consumers;
  • adopt strong security practices to protect the confidentiality of consumers’ PII;
  • ensure that security patches, updates, and fixes for products and services are applied automatically where possible, while still allowing consumers to manage their security settings; and
  • use strong encryption when transmitting or storing PII.