By Aaron Jentzen
Thu | Oct 31, 2019 | 9:00 AM PDT

InfoSec professionals, consumer advocates, and the media frequently sound the alarm about the proliferation of Internet of Things (IoT) devices. Many of these devices have known vulnerabilities and do little to protect user data.

And yet, when a person purchases an IoT device, privacy and security are likely afterthoughts, according to a recent study from Carnegie Mellon University's CyLab. The research paper is titled, "Exploring How Privacy and Security Factor into IoT Device Purchase Behavior." The study highlights findings of interviews with 24 IoT device buyers.

Buyer's remorse

The study found that about half of the purchasers—a group representing both technical and non-technical backgrounds—had "limited and often incorrect knowledge about privacy and security." This lack of knowledge impacted their ability to make informed decisions, according to the authors.

"Most of the participants did not consider privacy and security when making their purchase, but had privacy and security related concerns after the purchase," said researcher Pardis Emami-Naeini. "These post-purchase concerns were mostly caused by learning about concerns from friends, media reports, or the device functioning in some unexpected way."

Why InfoSec pros should worry

Although individuals who buy risky devices will experience the most immediate consequences, these buying behaviors should raise concerns for InfoSec professionals and their organizations. One issue is that an individual's personal IoT devices are likely to share a network with devices used for work tasks.

Proofpoint's 2018 User Risk Report surveyed 6,000 working adults across six countries about their personal cybersecurity habits, including the types of devices used on their home networks. The survey revealed that these home Wi-Fi networks are often entirely unprotected, which makes the well-documented IoT vulnerabilities all the more worrying. Among other risks, easily accessible home networks could open the door for attackers to compromise remote workers and their employers' sensitive information.

Raising awareness of IoT security and privacy

"It's up to the consumers to purchase secure devices or private devices, and we need to empower them to make those decisions themselves," said CyLab researcher Emami-Naeini. The study proposes developing a prototype standard advisory label for IoT devices, similar to the nutrition labels on food packaging. This label would help inform concerned consumers about an IoT device's privacy and security before the sale.

But what about the people who don't already appreciate what's at stake when buying an IoT device?

As mentioned earlier, about half of the interviewees had only limited (and often incorrect) knowledge. On the other end of the spectrum, 21% had relevant knowledge and were proactive about applying it before, during, and after an IoT purchase. Another 16% of buyers said they were "unconcerned" about the security of IoT devices, both before and after purchasing them. According to the study, this last group usually "did not perceive the collected data to be sensitive," or they "expressed self-efficacy toward protecting themselves against the privacy or security related threats."

While unconcerned consumers might need it most, everyone can benefit from security awareness training and information about IoT security. Even if IoT devices eventually come with advisory labels, it's best to approach them with an understanding of what's at stake—and a healthy degree of caution.