Consumer IoT devices are generally assumed to lack adequate default security, thus requiring user action. However, it may not be immediately clear to users what action to take and how. This uncertainty raises the question of what the minimum is that the user base can reliably be asked to do as a prompt to secure their devices. To explore this question, we analyze security actions advocated at a national level and how these connect to user materials for a range of specific devices. We identify four pieces of converging advice across three nation-level initiatives. We then assess the extent to which these pieces of advice are aligned with the instruction materials (including device manuals and manufacturer websites) for 40 different IoT devices across five device classes. We expose a disconnect between the advice and the device materials. A stunning finding is that there is not a single assessed device to which all four top pieces of converging advice can be applied. At best, the supporting materials for 36 of the 40 devices provide sufficient information to apply just two of the four pieces of advice, typically the installation and enabling of (auto)updates. As something of a contradiction, it is necessary for a non-expert user to assess whether expert advice applies to a device. This risks additional user burden and proxy changes being made without the proposed security benefits. We propose recommendations, including that governments and researchers alike should declare their own working models of IoT devices when considering the user view.