Consumer Home IoT Product Security

Download the NISTIR

The NCCoE has released the draft NISTIR 8267, Security Review of Consumer Home IoT Products.

Current Status

The NCCoE recently released draft NIST Internal Report (NISTIR) 8267, Security Review of Consumer Home IoT Products. The public comment period closed on November 1, 2019, and received comments are now being reviewed.

Summary

In 2017, more than eight billion IoT devices were in use worldwide and the current estimate is that more than 20 billion IoT devices will be in use by 2020. Consumers use IoT devices to simplify tasks, provide greater convenience, and enhance personal productivity. For example, a smart door lock can enable a homeowner to allow a repairman to enter the home without requiring the homeowner’s physical presence.

Since many IoT devices are accessible via the internet, malicious actors can exploit vulnerabilities to gain access to IoT devices. Mirai, a distributed denial-of-service attack, is one of the largest cybersecurity incidents that leveraged IoT devices.

Consumer home IoT devices, such as connected security cameras and smart televisions, can collect an array of data about homeowners and other users to conveniently customize and personalize the home and user experience. Unfortunately, if intercepted by unauthorized individuals, this information can be exposed or used for criminal or disruptive activities.

NIST Internal Report (NISTIR) 8267, Security Review of Consumer Home IoT Products, is the first report from this project and presents the results of a study to examine the observable aspects of cybersecurity features available on several consumer home IoT devices. The types of consumer home IoT devices reviewed include smart light bulbs, security lights, security cameras, doorbells, plugs, thermostats, and televisions. The purpose of the technical review was to better understand built-in cybersecurity features of consumer home IoT devices and inform general considerations for improving the cybersecurity of consumer home IoT devices. Observations and analysis were guided by NIST's current work around good practices for cybersecurity features and implementation, including, but not limited to, the recent draft NISTIR 8259, Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers. NISTIR 8267 is foundational work and the NCCoE plans to release follow-on projects and documents that provide detailed cybersecurity considerations for consumer home IoT devices.