Internet of Things Security and Privacy Recommendations

In the past few years, many of the new devices connected to the Internet have not been personal computers, but rather a variety of devices embedded with Internet connectivity and functions. This class of devices has generally been described as the Internet of Things (IoT) and has brought with it new security and privacy risks. The term “IoT” has potentially broad scope. IoT can refer to deployments in homes, businesses, manufacturing facilities, transportation industries, and elsewhere. Thus, IoT can refer to much more than simply consumer-oriented devices.

For the purposes of this report, we use the term IoT to refer solely to consumer-oriented devices and their associated local and remote software systems, though some or all of our recommendations may be more broadly applicable. This report is concerned with scenarios where consumers are installing, configuring, and administering devices that they lease or own. The number and diversity of consumer IoT devices is growing rapidly; these devices offer many new applications for end users, and in the future will likely offer even more. Many IoT devices are either already available or are being developed for deployment in the near future, including:

• sensors to better understand patterns of daily life and monitor health
• monitors and controls for home functions, from locks to heating and water systems
• devices and appliances that anticipate a consumer’s needs and can take action to address them (e.g., devices that monitor inventory and automatically re-order products for a consumer)