What security features and crime prevention advice is communicated in consumer IoT device manuals and support pages?
Journal of Cybersecurity (IF 2.9), Pub Date: 2019-01-01, DOI: 10.1093/cybsec/tyz005
John M Blythe, Nissy Sombatruang, Shane D Johnson

Through the enhanced connectivity of physical devices, the Internet of Things (IoT) brings improved efficiency to the lives of consumers when on-the-go and in the home. However, it also introduces new potential security threats and risks. These include threats that range from the direct hacking of devices that could undermine the security, privacy and safety of its users, to the enslaving of IoT devices to commit cybercrime at scale, such as Denial of Service attacks. The IoT is recognized as being widely insecure, in large part, due to the lack of security features built into devices. Additionally, consumers do not always actively use security features when available. More disconcerting is that we lack market surveillance on whether manufacturers ship products with good security features or how the importance of user-controlled security features is explained to IoT users. Our study seeks to address this gap. To do this, we compiled a database of 270 consumer IoT devices produced by 220 different manufacturers on sale at the time of the study. The user manuals and associated support pages for these devices were then analysed to provide a ‘consumer eye’ view of the security features they provide and the cyber hygiene advice that is communicated to users. The security features identified were then mapped to the UK Government’s Secure by Design Code of Practice for IoT devices to examine the extent to which devices currently on the market appear to conform to it. Our findings suggest that manufacturers provide too little publicly available information about the security features of their devices, which makes market surveillance challenging and provides consumers with little information about the security of devices prior to their purchase. On average, there was discussion of around four security features, with account management and software updates being the most frequently mentioned. Advice to consumers on cyber hygiene was rarely provided. 
Finally, we found a lack of standardization in the communication of security-related information for IoT devices among our sample. We argue for government intervention in this space to provide assurances around device security, whether this is provided in a centralized or decentralized manner.

Last updated: 2019-01-01