Skip main navigation

Computer misuse in the IoT

Clearly IoT devices can be misused, and the rate at which it is happening is growing.
© Coventry University. CC BY-NC 4.0

Clearly, IoT devices can be misused, and the rate at which it is happening is growing: Inadequate security sees surge in IoT data breaches, study shows (White 2019).

Frustratingly, the vulnerabilities of IoT devices are almost always exactly those of any other computer system, but because they are developed differently (often with product development of the physical device being the top priority rather than the software) and used differently (how many people apply good practice IT security to boiling a kettle?) there seems to be a lag between the level of security in IoT devices and more traditional IT.

In the UK, there are government guidelines for IoT development ( 2019a) but following them is optional.

As far as IoT and legislation are concerned, we can divide the issues into two rough categories:

  • Laws relating to manufacturers of IoT devices
  • Laws relating to misuse of IoT devices

At the moment, UK law, like in most of the world, has not adapted to deal with IoT specifically. There has been some consultation around this ( 2019b), but nothing yet has been turned into even draft legislation. It seems clear that this path is heading toward legislation aimed at manufacturers of IoT devices rather than hackers looking to exploit them.

This leaves the second category, currently being served by the Computer Misuse Act (CMA). In many ways, this legislation works very well. It sets out a number of offences that cover what people generally see as bad behaviour: hacking, denial of service, etc.

The potential problems come when the law is applied in areas that are not so clear cut. For example, could the CMA be used to prosecute someone who modifies a device they own? If it gives them access to the firmware, or online services used by the device, it may qualify and is a possible route for manufacturers to protect their interests against people who tinker. It isn’t clear yet how this might be resolved if it came to court. Although this might seem a small issue, there is a very real worry that laws like the CMA could be used to prevent people from discovering security vulnerabilities. This article on car hacking (Naked Security 2015) raises some very valid concerns around similar laws in the US.

Further reading

References (2019a) ‘The Government’s Code of Practice for Consumer Internet of Things (IoT) Security for Manufacturers, with Guidance for Consumers on Smart Devices at Home’. Secure by Design [online] available from [1 October 2019] (2019b) ‘Consultation on Regulatory Proposals on Consumer IoT Security’. Closed Consultation [online] available from [1 October 2019] (1990) Computer Misuse Act 1990 [online] available from [31 July 2019]

Naked Security (2015) How a Law Making Car Hacking Illegal Could Make Us All Less Safe [online] available from [1 October 2019]

White, S. (2019) ‘Inadequate Security Sees Surge in IoT Data Breaches, Study Shows’. PrivSec Report [online] available from [1 October 2019]

© Coventry University. CC BY-NC 4.0
This article is from the free online

The Internet of Things: The Rise of Connected Devices

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education