Internet-connected toys as well as voice-controlled devices top the wish lists of consumers looking to fill their stockings with so-called Internet of Things (IoT) devices this holiday season.

However, security of these inherently non-secure devices is taking something of a back seat to the growing enthusiasm to own them, according to a recent survey of more than 1,000 US adults.

The survey, conducted this November by Keeper Security, found that nearly three in four millennials in the 25-34 age range are not even aware that these devices arrive from most manufacturers with simple, pre-set default passwords. Some 65% of these millennials, who are the most active buyers of IoT devices, are not aware of the rising tide of concern around IoT device security. The same percentage, 65%, of millennials say they don’t take evaluating the security of IoT devices seriously.

Security alarms sound

“These findings should set off concerns regarding the overall security of IoT devices, given the huge growth numbers expected for this hot device segment,” says Darren Guccione, CEO and co-founder of Keeper Security.

Reliable estimates hold that there will be some 8.4 billion IoT devices in use by the end of 2017, up a full 31% over last year. At that time, consumer applications will represent 63% of total IoT applications, including ‘things’ like smart TVs; remote-controlled thermostats; home security systems; streaming security cameras; remotely accessed auto sensors; fitness monitors; and, of course, Internet-connected toys.

Other key findings in the IoT consumer survey include:

  •   Nearly a quarter, or 243, of those surveyed already own at least one IoT device. Of these, 61% own 1-2 devices; 25% own 3-5 devices; and nearly 9% own 10 or more.
  •   More than one in five (21.6%) of Internet-connected devices are abandoned because their owners forgot their passwords.
  •   One third of millennials (ages 25-34) who plan to purchase IoT devices this holiday season plan to purchase Internet-connected toys and games.
  •   Half of millennials who own IoT devices neglect to change the pre-set passwords on those devices. Only 8% of these people use a password manager, many of which are free of charge. Overall, about 11% of those who own IoT devices use a password manager. Respondents planning to purchase voice-controlled IoT devices and wearable devices such as fitness monitors are more likely to use a password manager.
  •   Of the 142 consumers sampled who plan on buying one or more IoT devices this holiday season, a quarter will spend less than $100, mostly on toys; by contrast, nearly half of those owning 10 or more IoT devices plan on spending $500 or more, often on security systems.
  •   Nearly 53% of the IoT devices respondents intend to purchase are toys; 23.6% are wearable devices; 22.4% are home security devices; and 22.4% are other home devices such as thermostats or vacuums.

The survey also found very little difference between men and women when it comes to IoT device ownership, although more men than women today own six or more IoT devices.

Not just any toy

Be they toys or sensors, poorly secured IoT devices can become a gateway to cyber disaster. A year ago, hackers using a simple technique easily broke into more than 100,000 IoT devices, including security cameras, baby monitors, and others. They created a large botnet, a centrally controlled network of infected internet-connected devices. They then used the botnet to launch a distributed denial-of-service attack on a major Internet backbone company, leaving millions of people and businesses without service.

Also, according to the 10th annual Verizon Data Breach Investigations Report, 81% of hacking-related breaches involved stolen or weak passwords.

Passwords key to IoT security

Given that most IoT devices arrive with simple, factory-preset passwords, the single most important security measure to take with a new device is to change the password. And this should be done using commonly accepted password best practices, including the following:

  •   Consider downloading and using a free password manager. These simple-to-use solutions randomly generate tough-to-hack passwords for all devices (or websites, for that matter), and you, the user, do not need to remember them.
  •   Never share your passwords with other individuals.
  •   Don’t use the same passwords on different devices.
  •   Never use your network name as a password.
  •   Avoid using words in passwords that can be found in a dictionary.
  •   Never write down and store passwords in plain view.

“Hackers and cyber-thieves usually follow the path of least resistance to break in,” Keeper’s Guccione says. “Our data in this survey clearly shows an ongoing lack of attention to detail and good password hygiene as it relates to IoT devices. Hackers know that, and consumers need to be aware that they know.”