Security of Connected Devices

Background

Internet-connected devices are increasingly becoming part of everyday life. These devices are able to communicate and interact with other devices and external networks to share data. A wide range of devices are now connected, including smartphones, smartwatches, appliances, fitness trackers, thermostats, and cars.

However, the rapid spread and growth of connected devices have outpaced the development of security safeguards necessary to protect consumers. Studies have found security vulnerabilities to be common in all types of connected devices.

One concern is that hackers will compromise connected devices to gain access to the sensitive personal information of consumers. Another is that hackers can exploit security weaknesses to gain control of the device itself. Once in control, the hackers can cause the device to function incorrectly or use it in unexpected ways. In addition, hackers are using compromised devices to carry out large-scale cyber-attacks aimed at disrupting large websites.

Experts recommend that product developers build strong security protections into connected devices from the earliest stages of product development. Devices should be “secure by design.” This means that the device has been designed from the ground up to ensure security. In addition, it is important that devices are “secure by default” so that security protections are automatically active the moment the device is first used. Consumers should not have to take additional steps to configure the device for greater security.

SECURITY OF CONNECTED DEVICES: Policy

Security of connected devices

In this policy: Federal, Local, State

Policymakers and the private sector should ensure the security and safety of connected devices, including limiting the collection of data and retaining it only as long as is necessary. Devices should be secure by design.

To do so, they should:

  • limit the collection of personally identifiable information (PII) or only request the minimum PII required to perform the product or service’s functionality;
  • retain data collected only as long as necessary and securely dispose of the data when no longer needed;
  • employ “secure by design” and “secure by default” principles when developing products or services;
  • test security throughout the development of the product or service as well as after the device is released to consumers;
  • adopt strong security practices to protect the confidentiality of consumers’ PII;
  • ensure security patches, updates, and fixes for products and services are implemented automatically where possible, with the ability to allow consumers to manage security settings; and
  • use strong information encryption solutions when transmitting or storing PII.