Easier Said Than Done: The Failure of Top-Level Cybersecurity Advice for Consumer IoT Devices
Main authors: | , , , |
---|---|
Format: | Article |
Language: | eng |
Summary: | Consumer IoT devices are generally assumed to lack adequate default security,
thus requiring user action. However, it may not be immediately clear to users
what action to take and how. This uncertainty begs the question of what the
minimum is that the user-base can reliably be asked to do as a prompt to secure
their devices. To explore this question, we analyze security actions advocated
at a national level and how these connect to user materials for a range of
specific devices. We identify four pieces of converging advice across three
nation-level initiatives. We then assess the extent to which these pieces of
advice are aligned with instruction materials for 40 different IoT devices
across five device classes (including device manuals and manufacturer
websites). We expose a disconnect between the advice and the device materials.
A stunning finding is that there is not a single assessed device to which all
four top pieces of converging advice can be applied. At best, the supporting
materials for 36 of the 40 devices provide sufficient information to apply just
two of the four pieces of advice, typically the installation and enabling of
(auto)updates. As something of a contradiction, it is necessary for a
non-expert user to assess whether expert advice applies to a device. This risks
additional user burden and proxy changes being made without the proposed
security benefits. We propose recommendations, including that governments and
researchers alike should declare their own working models of IoT devices when
considering the user view. |
---|---|
DOI: | 10.48550/arxiv.2310.00942 |