Following the news that the Public Accounts Committee has advised that the UK government should introduce a kitemark system for electronic devices, please find comment below from Jim Phillipoff, Head of Business Development, Irdeto and SecureData’s Chief Security Strategy Officer, Charl van der Walt.
Jim Phillipoff, Head of Business Development, Irdeto:
“As the UK consultation on the proposed consumer IoT security laws closes, it’s great to see the UK government recognising that tougher laws are needed to not only secure the devices we’re putting in our homes and businesses, but also restore trust in the IoT.
“Unfortunately, more often than not, the reality is that security is still seen as an afterthought rather than a key component in an IoT product’s design. Whilst understanding of the importance of security amongst manufacturers is undoubtedly increasing, there’s more work to be done to make them accountable for the connected devices they produce. The new labelling system included in the announced legislation offers a great solution to this issue.
“The results of the consultation remain to be seen, but one particular clause, that focuses on the need for manufacturers to communicate how long security updates would be made available after purchase, has really stood out. New research by Irdeto found that 19% of global IoT device manufacturers offer security updates, but state it’s up to the customer to apply them, with just over three in ten no longer updating the devices they manufacture once they have passed their warranty. It’s imperative that manufacturers move away from the traditional “build, ship and forget” mindset and ensure consumers are aware of the need to update and upgrade the IoT devices they are using.
“With high-profile threats continuing to dominate headlines, and smart home security now top of mind for many consumers, the new proposed laws are definitely a big step in the right direction.”
Charl van der Walt, Chief Security Strategy Officer, SecureData:
“The proposed follow-on legislation to add further safeguards to consumer devices is promising news, but can only be the start. I like the idea of kitemarking consumer devices to tell end-users how secure a product is. It’s a great driver of behaviour for vendors to put a more conscious effort into security and ensure devices are compliant, rather than doing just the minimum required to comply with prescribed standards. Arguably it was this kind of consumer pressure that forced the turn-around in security at Microsoft in 2002. But frankly, this is meagre start. Technically, the controls required barely touch on the basics that are considered best practice for desktop or servers.
“Consumers and industry alike have become obsessed with connecting things to the internet that we never had to connect before. Every time we do so, it comes with inherent risks that simply aren’t considered and can never be completely controlled. The best security in the world can only partially mitigate any risk associated with connectivity. For consumer technologies, this is an even bigger problem. So why do we need to do it at all? Do we need our fridge and toaster connected to an app or our phones? We’ve survived for this long without it, so considering the risks to our privacy and security, does it really add that much value to us? Why not go analogue?
“This said, the fact that the government has put together this proposed legislation sees the wider consumer market far more protected than it was before. These new rules will help ensure that consumers are better protected from cyber-attackers looking to hack devices to steal their personal data, spy on them or remotely take control of them in order to misuse them. This is a good start, but there is definitely a long way to go in ensuring that security works for people, rather than companies passing the buck. Consumers should remain wary of connected devices, as the more devices they have only increases the amount of doors attackers can get through. A good first step is to keep their privacy settings on these devices as stringent as possible, in order to keep their data and personal information as secure as they can.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.