Smart devices: 178 countries ranked by smart device security requirements & number of vulnerable devices

Despite its relatively recent inception (2008/2009), the Internet of Things (IoT) industry is one of the fastest-growing markets in the world. The number of IoT-connected devices exploded from 15.4 billion in 2015 to 75.4 billion in 2025, but smart device security wasn’t always a priority as manufacturers scrambled to release devices as quickly as possible.

From smart speakers to doorbell cameras, many consumers and their internet-connected devices are exposed to vulnerabilities and hackers.

Infamous examples include reports of a hacker talking to a young girl in her bedroom via her family’s Ring camera and a family being subjected to racial slurs after hackers took control of their Ecovacs vacuum cleaner. Compromised smart devices may also be incorporated into botnets and used to collectively perform distributed denial-of-service (DDoS) attacks.

So, where in the world are smart devices most and least secure? Which countries protect consumers and smart device users through adequate legislation and labeling schemes? And which countries have the highest number of vulnerable internet-exposed devices (including cameras, printers, and smart TVs)?

To find out, we explored legislation and government IoT schemes in 178 countries to see where laws have been introduced that place minimum security requirements on IoT devices, enforce mandatory labeling schemes, and have type approval requirements before devices can enter the market. Each country was scored out of 10 with the highest scores indicating the best security for smart home devices.

We also used Shodan.io to explore which countries have the most internet-connected devices that are potentially vulnerable to hackers.

Please note: the study focuses on smart devices for consumers.

Key findings:

  • Only 34 countries have legislation that is specific to smart device security
  • The majority of countries (137 out of 178) scored just one point as they only require type approval of devices before they’re marketed. These include Saudi Arabia, Uruguay, and New Zealand
  • Brazil (which received a score of 8 out of 10) does more than any other South American country to regulate consumer smart devices
  • The top-scoring countries were those covered by the EU’s Cyber Resilience Act (all of which scored 10/10). The UK received the next-highest score with 9/10
  • Taiwan (2,296), Russia (1,706), and Vietnam (1,357) had the highest numbers of internet-exposed cameras
  • South Korea (3,292) and the United States (2,835) had the highest numbers of internet-exposed printers
  • South Korea (49,920), Hong Kong (9,120), and Sweden (7,392) had the highest numbers of internet-exposed smart TVs

The highest-scoring countries for smart device security

The top-scoring countries for overall smart device security are:

1. The EU = 10/10

The EU achieved the highest score thanks to robust legislation that includes mandatory labeling (more on this later). The Cyber Resilience Act (CRA) requires that devices are secure by design and default, resilient against denial-of-service attacks, and able to ensure the confidentiality of data. Importantly, it requires that manufacturers “provide care during the lifecycle of their products.” This applies to any device sold in the 30 countries of the European Union (EU) and the European Economic Area (EEA).

The CRA entered into force at the end of 2024, though its staged implementation means it won’t be fully applied until late 2027.

2. The UK = 9/10

The UK introduced IoT legislation via the PSTI Act 2022. The UK Product Security and Telecommunications Infrastructure (Product Security) regime, effective from 2024, requires that smart devices aren’t shipped with easily guessable passwords (or no password at all); and that consumers are told how long they will receive support (such as software updates) when purchasing a device.

Manufacturers must make it clear how security issues should be reported and how they will be handled. Proponents hope these requirements will limit the ease with which smart devices can be compromised by attackers.

The UK scored lower than the EU/EEA due to it only requiring manufacturers to address security issues for a specified time (rather than the device’s lifetime). When this time has expired, any vulnerabilities can be left unpatched – regardless of whether the device is still in use. Most people won’t be in a rush to replace a working device, which could put them at risk.

3. Brazil & Australia = 8/10

In Australia, the Cyber Security Act received Royal Assent and became law in 2024. Subordinate legislation for IoT devices was introduced via the Cyber Security (Security Standards for Smart Devices) Rules 2025. These rules forbid default universal passwords and require that manufacturers publish a way for consumers to report security issues. Manufacturers must also specify how long the device will receive security updates.

Brazil’s Act No. 77 stipulates that manufacturers can’t use easily guessable universal passwords. They must also provide security updates for at least two years after the launch of the product and provide a way for consumers to report vulnerabilities.

Both Australia and Brazil have device labeling schemes, but these aren’t mandatory, hence the marginally lower scores.

4. The US = 7.5/10

In the US, the IoT Cybersecurity Improvement Act of 2020 covers devices acquired by the federal government. For consumer devices, however, protections differ by state. For example, California requires that devices are assigned a unique password and ship with reasonable security features such as regular updates. Oregon’s legislation differs from California’s in that it only covers devices “used primarily for personal, family, or household purposes” rather than any smart device.

America’s voluntary labeling scheme shows promise. Many retailers such as Amazon (which accounted for 40% of ecommerce sales in 2023) have said they will promote labelled products.

5. Japan, Singapore, South Korea, and Taiwan = 6/10

Several countries in Asia don’t have specific smart device legislation. Instead, they rely on consumer labeling schemes to keep manufacturers in line. This places the onus on the consumer to actively seek out compliant devices, hence the lower overall country scores.

Japan’s JC-STAR program uses a star system to indicate which devices are the most secure. Government bodies and those operating critical infrastructure may only purchase JC-STAR-compliant devices (see later in the article for more on country-specific labeling requirements). Singapore, South Korea, and Taiwan also have voluntary labeling schemes that evaluate devices against the principles outlined in ETSI EN 303 645 (more on this in the next section).

Other mentions

The UAE issued its Regulatory Policy for the IoT back in 2018. It protects consumers’ personal data by limiting what data manufacturers are permitted to collect, what they can use it for, and how long they can store it.

It also states that “Security by Design shall be incorporated in the device to provide protection against unauthorized usage”. While this is a good start, it doesn’t make clear what the security requirements are beyond “attempts” to make systems free of vulnerabilities and robust against attacks.

Which countries have smart device security labeling?

A report from the GSMA trade association has previously urged governments and policymakers to “resist the temptation to consider IoT services as traditional telecom services.” It warns that legacy regulation established before IoT became a reality will be “most often irrelevant” and potentially damaging to both consumers and businesses. Nevertheless, this legacy legislation is exactly what the majority of governments still rely on, despite it being largely ineffective.

As a stepping stone to more comprehensive IoT legislation, the World Economic Forum suggests that “in a world where security by design is limited, labeling to inform consumers is a starting point.”

Labeling systems for other consumer goods have proven to be effective. For example, the International Energy Authority says that energy consumption labeling of the type found on domestic appliances in the US and EU is “estimated to deliver annual reductions of around 15% of their current total national electricity consumption”.

The good news here is that several countries have labelling schemes for manufacturers producing IoT products. Our research revealed that seven countries had voluntary security certification schemes, and 32 had mandatory schemes. Again, the vast majority (138 countries) had no consumer labeling requirements.

How do labeling schemes differ from type approval?

Labeling schemes differ from what is known as type approval. Type approval ensures a particular ‘type’ of product – such as a smart speaker – meets a particular country’s standards for safety, electromagnetic compatibility (EMC), and radio frequency (RF) regulations before it can be legally sold on the market. All of the smart devices that you (legally) see for sale in your country will have met these requirements.

By contrast, security labelling schemes inform consumers which IoT devices meet (or exceed) a range of security requirements, such as providing timely updates and not shipping with default passwords. Voluntary labelling schemes hope to encourage manufacturers to comply in a bid to gain a reputation for being trustworthy, thus appealing to more customers.

For example, the US launched a voluntary Cyber Trust Mark for IoT devices in 2025. This allows manufacturers to put a “US cyber trust mark” label on devices that conform to established cybersecurity criteria from the US National Institute of Standards and Technology (NIST).

Australia’s Smart Devices Cybersecurity Labelling Scheme (CLS) is also voluntary. It requires that smart devices obtain independent certification from an accredited body before being registered. Standards Australia says that the scheme will “incentivise manufacturers to address security vulnerabilities and instill product confidence in their end users.”

The problem with voluntary labeling is that only a subset of the products available to consumers are sold with these labels. As the labeled products tend to be pricier options (whose manufacturers have often invested in improved security), consumers who shop by price may never come across the labels and unwittingly end up with an insecure device.

Better, then, are the mandatory labeling schemes that form part of wider IoT legislation – such as those of Brazil and the EU/EEA. For example, by 2027, IoT devices sold in EU member states will bear the CE mark to show that they comply with the Cyber Resilience Act.

Labels can vary between countries, though several are built on the 13 requirements for consumer smart devices set out in ETSI EN 303 645 (from the European Telecommunications Standards Institute). These include provisions such as “no universal default passwords”, “minimize exposed attack surfaces,” and “keep software updated.”

Labeling systems sharing a common foundation make it easier for governments to establish a Memorandum of Understanding with one another so that labels in one country are recognised in another. For example, Singapore’s scheme is recognised by Finland, and vice versa. South Korea has also signed an MoU with Singapore.

Despite positive progress in the above countries, the majority of consumers still lack the information needed to make informed decisions when purchasing IoT devices. That’s not to say customers aren’t aware of smart device vulnerabilities, however. A survey carried out by the World Economic Forum asked users how confident they felt that smart devices were protected against cyberattack. It found that almost half (47%) felt “not too confident,” with a further 26% feeling “not confident.”

Which countries have the most vulnerable smart devices?

Internet-connected devices without appropriate security are easy targets for hackers. Some smart devices rely on outdated protocols or don’t receive updates despite known vulnerabilities. Others use default passwords that are easily discoverable.

The following are examples of searches an attacker might make when trying to find IoT devices they can easily compromise.

Cameras

We used the Shodan search engine to identify Internet-connected cameras. We looked for devices with port 554 open as this is typically used by security and surveillance cameras with RTSP streaming enabled. RTSP (Real-Time Streaming Protocol) controls the delivery of media streams, typically over RTP.

When port 554 is exposed to the internet, attackers can attempt automated logins using default or weak credentials. Successful logins may allow attackers to control the camera, access its video feed, or recruit it into a botnet.

In total, we found 17,528 vulnerable cameras. The highest numbers were in Taiwan (2,296), Russia (1,706), and Vietnam (1,357). Out of these three countries, only Russia lacks consumer IoT legislation and labeling requirements, meaning older devices will likely be replaced with similarly insecure devices and perpetuate the problem.

Some of the examples we found of insecure internet-facing cameras include one pointing at the desk of what looks like a pharmacy, with the computer monitor and card machine in full view (note: we’ve intentionally blurred the image).

Insecure camera in a pharmacy

Another shows a day-care centre for children (again, we’ve intentionally blurred the image. We also cropped it as the name of the centre was displayed).

Insecure camera in a day school

Another shows somebody’s backyard (also intentionally blurred).

Insecure camera in someone's courtyard

Printers

Next, we looked for printers that were exposed to the internet via multiple open ports; namely, ports 515, 9100, 631, and 80.

In all, we found 10,522 printers exposed to the internet via the ports mentioned above. By far the most were in South Korea (3,292) and the US (2,835).

Port 515 is used for the Line Printer Daemon (LPD) protocol, a legacy network printing system that has unencrypted and unauthenticated transmissions. This makes it easy for anyone on the network to intercept print jobs and even view sensitive documents.

Port 9100 can enable remote printing without authentication. In 2018, thousands of printers started churning out requests to subscribe to YouTuber PewDiePie’s channel after attackers took advantage of devices with port 9100 open. Other attacks have also exploited port 631.

Port 80 can allow attackers to access the printer’s web interface via HTTP. For example, this is the web interface of a printer in Argentina. None of the features appears to be password-protected, thus potentially providing attackers with a way into the network.

Insecure printer
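To check your own equipment for the exposures described above (port 554 on cameras; ports 515, 9100, 631, and 80 on printers), a small self-audit can report which of these ports accept connections. This is an added example, not part of the original study; the addresses in it are placeholders, and the `probe` parameter is a hypothetical hook introduced here so the check can be swapped out.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports and risks as described in this article.
RISKY_PORTS = {
    554: "RTSP camera stream: open to automated default/weak-credential logins",
    515: "LPD printing: unencrypted and unauthenticated print jobs",
    9100: "Raw printing: remote print jobs without authentication",
    631: "Printing service on port 631: exploited in past attacks",
    80: "HTTP web interface: may not be password-protected",
}


def is_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def audit(hosts, ports=RISKY_PORTS, timeout=1.0, probe=is_open):
    """Probe every host/port pair; return {host: [(port, risk), ...]} for open ports."""
    pairs = [(host, port) for host in hosts for port in ports]
    with ThreadPoolExecutor(max_workers=32) as pool:
        results = list(pool.map(lambda hp: probe(hp[0], hp[1], timeout), pairs))
    findings = {}
    for (host, port), reachable in zip(pairs, results):
        if reachable:
            findings.setdefault(host, []).append((port, ports[port]))
    return findings


def format_report(findings):
    """Turn audit() output into sorted, human-readable lines."""
    lines = []
    for host in sorted(findings):
        for port, risk in sorted(findings[host]):
            lines.append(f"{host}:{port} reachable - {risk}")
    return lines or ["No risky ports reachable from this vantage point."]


if __name__ == "__main__":
    # Placeholder addresses (documentation range): replace with devices you own.
    MY_DEVICES = ["192.0.2.10", "192.0.2.11"]
    for line in format_report(audit(MY_DEVICES)):
        print(line)
```

Run from inside your network, this shows which services a device offers at all; run from an outside connection against your own public IP address, it shows what the internet can reach.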

Smart TVs

To get an idea of which smart TVs were potentially vulnerable, we looked for internet-facing devices running the Samsung Tizen operating system (which is primarily used on Samsung Smart TVs) or the LG webOS operating system (used in LG smart TVs).

Note: devices running operating systems such as Apple’s tvOS, Vizio’s SmartCast and the Roku OS aren’t exposed to the public Internet by default, which is why we haven’t included them.

In total, we found 91,788 exposed devices. South Korea had the most by far with a total of 49,920. Hong Kong (9,120), Sweden (7,392), Finland (6,661), and the US (6,081) also had large numbers of potentially susceptible devices.

Exposed information included the device name (e.g. “Living room”); model information that could be used to identify the specific model of smart TV and its associated vulnerabilities; the unique device identifier, which could be used to target the device specifically; and the device’s MAC address, which could be used to identify the device on a local network or to spoof it.

Smart TVs that haven’t been updated are vulnerable to any identified flaws in previous versions of their operating systems. For example, versions 4 through 7 of LG webOS have flaws that can allow attackers to bypass authorization mechanisms and gain root access to the device.

An ongoing threat

As the global IoT market continues to grow, devices across Europe will become more secure thanks to a combination of consumer education and legislation. But consumers purchasing smart devices remain exposed to insecure devices and a lack of detailed information on their purchases.

No countries in Africa, for example, have labeling schemes or applicable legislation. At the moment, IoT uptake on the continent is still relatively low – hence the reduced instances of internet-exposed devices. However, analysts suggest that in sub-Saharan Africa, licensed cellular IoT connections “will nearly double between 2023 and 2030, from 27 million to 51 million.”

The temptation may be for manufacturers to target any unregulated countries with devices that lack adequate security (as they’re cheaper to produce). Alternatively, the existence of legislation in key existing markets might be enough to normalize the manufacture of secure devices. This more optimistic view is certainly the preferable outcome. After all, just because a particular country has secure IoT devices, it doesn’t make it immune to a botnet made up of compromised devices in another country.

Tips for boosting your smart device security

There are several recommendations for improving smart device security – none of which are particularly arduous.

  • Change the default settings. Some devices ship with easily guessable passwords that should be changed to something more secure. The UK’s National Cyber Security Centre suggests using three random words. Turn on two-step verification if available.
  • Disable unused features. If you don’t need remote access, turn it off. Disabling the ability to order things using a voice assistant can be a good idea if you have children (or parrots).
  • Keep the device’s firmware updated. This may happen automatically, depending on the device. Check with the manufacturer if you’re unsure. If the device no longer receives updates, consider replacing it.
  • Choose a device that has security labeling (the examples below show the logos for the US and Japanese schemes).

U.S. Cyber Trust Mark & JC-Trust Logo

Methodology & Sources

We used seven categories to score each country out of 10. A lower score indicates less smart device security than a higher score.

In practice, the issue isn’t quite as cut and dried as the scores might indicate. As we’ve mentioned, legacy telecoms legislation can be called into play. Arguments could also be made for the application of existing computer-based legislation to IoT devices.

We started by looking at which of the 178 countries under consideration had enacted specific smart device legislation. Those with legislation received 2 points (the US received 1.5 points as it has legislation in two states and for government devices but not a blanket law covering ALL smart devices manufactured in the country). Those that were partway through the legislative process received one point. Those with some laws protecting IoT devices received 0.5 points. This applies to China, which has legislation for specific devices such as children’s watches and smart locks, but doesn’t provide clear protections for consumer smart devices more generally. Frameworks suggesting future legislation and those with no legislation at all received 0 points.

We also checked which countries had labeling schemes for device manufacturers. We gave 2 points to those which had mandatory schemes and 1 point to those with voluntary schemes.

For the countries with legislation or labeling requirements, we looked at whether they prohibited devices being shipped with universal passwords (if the answer was ‘yes’, they received 1 point). We then looked at whether they required manufacturers to provide security updates for the lifetime of the smart device. Those that did received 2 points, while those with limited time frames received 1 point.

Next, we looked at whether legislation required manufacturers to provide a means for consumers to report security issues (1 point if ‘yes’), and whether the legislation was based on international standards such as ETSI EN 303 645, NIST IR 8259, or NIST IR 8425 (1 point if ‘yes’).

Finally, we checked which countries had a type approval process for IoT devices (1 point if ‘yes’). All the countries we looked at had some form of type approval for IoT devices, which include requirements for demonstrating their electrical and mechanical safety. Some accept FCC-approved devices. Although type approval doesn’t specifically relate to device security, it was included to demonstrate that the IoT market isn’t completely unregulated.

For a full list of sources, please request access here (adding your name and job title/interest).