All Internet of Things and consumer smart devices will need to adhere to specific security requirements, under new government proposals.
The aim of the legislation is to help protect UK citizens and businesses from the threats posed by cyber criminals increasingly targeting Internet of Things devices.
The proposed measures from the Department for Culture, Media and Sport (DCMS) have been developed in conjunction with the UK’s National Cyber Security Centre (NCSC) and follow a consultation period with information security experts, product manufacturers, retailers and others.
“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,” said Matt Warman, minister for digital and broadband at DCMS.
It is currently unclear how these rules will be enforced under any future law. While the government has said that its “ambition” is to introduce legislation in this area, and said this would be done “as soon as possible”, there is no detail on when this would take place.
Today the UK @DCMS published results of its consultation on their IoT code of practice, and announced they’re writing legislation around it. Some interesting notes from the announcement. https://t.co/kUB20n0Cm6
— Beau Woods (@beauwoods) January 27, 2020
It is predicted that the number of IoT devices worldwide will grow from 22 billion in 2018 to 38.6 billion in 2025, and this forthcoming law will be a big step forward in the battle to force industry to develop the robust security standards desperately needed to protect consumers.
All hackers need is one poorly protected smart device like a fridge to gain access to the wider network. These networks often have an array of connected devices, including smartphones and laptops, which contain valuable personal information. The soundest advice for consumers is to keep private and sensitive data on a system separate from their IoT network; however, this isn’t always practical.
The requirement for manufacturers to ship individual IoT devices with unique passwords is a step in the right direction. This will prevent hackers from taking advantage of customers who fail to change the default login details. Vendors will also have to make it easier for vulnerabilities to be reported, which will make it easier to implement stronger protections moving forward.
Retailers and governments cannot continue to shift responsibility onto the consumer and assume they have the skills to implement appropriate digital security. IoT devices don’t have user interfaces and require deep technical knowledge to change their configuration and make them more secure. There are steps that can be taken to ensure that IoT devices are set up safely, but retailers must equip consumers with the knowledge that they need to do so effectively and continue to support them as their devices age. We are more connected than ever before and more must be done to protect consumers.
This new legislation is a step in the right direction from the UK Government. When you buy electronics, you know they won’t set your home on fire and that they won’t give your children lead poisoning due to legislation enforced by the government. The three Cyber Security rules are even more basic protections so there is no excuse for a manufacturer to put an IoT product on the market that does not comply.
While the UK government’s IoT security legislation is definitely a big step in the right direction, there are major oversights it doesn’t address:
When 1 in 10 software components downloaded by UK developers contains a known security vulnerability, increasing the occurrence of supply chain infiltration attacks, it’s not enough to just offer a point of contact to whom vulnerabilities are disclosed, or set an amount of time for providing updates. Manufacturers must ensure these components aren’t in their products to begin with.
As 90% of all applications deployed in IoT devices contain third party code from Open Source, it is important to set rules on maintaining the integrity of those pieces of code. The 90-day limit proposed in the legislation to act on reported issues is too long. Modern attacks often occur within a few days of issues being reported. Manufacturers, businesses and governments need to work together to find a way of certifying the software supply chain – like a list of ingredients used to build the product.
No other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, so why should the software components in connected devices be any different? Instead, manufacturers should be able to certify that their software, and their devices, are secure at the time of shipping, and should ensure their security updates last for the mandated time. These devices are far more personal than anything else in the market, potentially putting privacy or lives at risk. Therefore, the standards governing their manufacturing should be set at a strict level.
The legislation will put further pressure on device manufacturers to act, and introduce much-needed supervision over what has been a bit of a wild west so far. However, it shouldn’t take government intervention for businesses to take responsibility and practice proper software hygiene.
Connected device security stands to benefit from well-considered legislation and guidelines, and we applaud recent activity in California, Australia, and now the UK in this area. But while these laws are a good start, we must not fall into the trap of believing that they are sufficient to address the full set of identified gaps in IoT security.
High volumes of devices with known passwords have been the root cause of large botnets and other problems, and this legislation begins addressing that need. Legislatures should go on from there to address the next tier of weaknesses, including unique passwords that are predictable or otherwise easily guessed and devices that make their password updates in unencrypted sessions.
Unfortunately, the password paradigm is fundamentally vulnerable to well-established techniques including phishing, social engineering, and credential stuffing. To get around these problems, manufacturers should consider Public Key Infrastructure (PKI) solutions, which can provide a fundamentally more trustworthy identity paradigm for devices. PKI provides unique cryptography-based access for each device with no potential for social engineering or other password attacks. PKI has stood the test of time as one of the most venerable and ubiquitous computing paradigms we have. The mechanisms, processes, and widespread platform support we have for PKI are easy to expand to the needs of connected devices.
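The two preceding paragraphs make the point that a per-device password is only an improvement if it is not guessable: a "unique" factory password derived from the serial number or MAC address, or one reused across a production batch, gives an attacker the same foothold a shared default does. The script below is an added example, written for this page and not taken from the article, the UK proposals or any of the commenters quoted here. It shows the kind of QA check a manufacturer could run over its provisioning records before devices ship: it flags well-known defaults, passwords reused within the batch, short or low-diversity passwords, and passwords that share a run of characters with the device's own identifiers, and it generates a replacement from the OS CSPRNG that is re-drawn until it passes the same audit. The records, the identifier formats and the policy thresholds (12 characters, three character classes, no shared run longer than three characters) are all constructed assumptions for the example; the PKI alternative the paragraph above recommends is not covered here.

```python
"""Factory-credential QA: audit a batch of per-device default passwords (added example)."""
import re
import secrets
import string
from collections import Counter

# Constructed provisioning records (serial, MAC, factory password); not real devices.
SAMPLE_RECORDS = [
    {"serial": "CAM-000123", "mac": "AA:BB:CC:00:01:23", "password": "admin"},         # shared default
    {"serial": "CAM-000124", "mac": "AA:BB:CC:00:01:24", "password": "admin"},         # shared default
    {"serial": "CAM-000125", "mac": "AA:BB:CC:00:01:25", "password": "cam000125"},     # copied from serial
    {"serial": "CAM-000126", "mac": "AA:BB:CC:00:01:26", "password": "pw-000126"},     # MAC/serial suffix
    {"serial": "CAM-000127", "mac": "AA:BB:CC:00:01:27", "password": "Xq7!vT2#kL9m"},  # acceptable
]

# A handful of well-known shared defaults; a production check would use a much longer list.
COMMON_DEFAULTS = {"admin", "password", "12345678", "root", "1234"}

# Policy thresholds assumed for this example.
MIN_LENGTH = 12
MIN_CLASSES = 3     # of: upper, lower, digit, symbol
MAX_SHARED_RUN = 3  # a run of 4+ characters shared with serial/MAC means "derivable"


def _normalise(value):
    """Lower-case and drop separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def _longest_common_run(a, b):
    """Length of the longest substring common to a and b (small DP; inputs are short)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def _char_classes(pw):
    """Count how many of the four character classes the password uses."""
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def audit_password(record):
    """Return the reasons a single factory password fails the policy ([] if it passes)."""
    pw = record["password"]
    reasons = []
    if pw.lower() in COMMON_DEFAULTS:
        reasons.append("well-known default")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH}")
    if _char_classes(pw) < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character classes")
    for field in ("serial", "mac"):
        # Any 4+ character run shared with a printed identifier makes the password derivable.
        if _longest_common_run(_normalise(pw), _normalise(record[field])) > MAX_SHARED_RUN:
            reasons.append(f"derivable from {field}")
    return reasons


def audit_batch(records):
    """Audit every record and additionally flag passwords reused across devices in the batch."""
    counts = Counter(r["password"] for r in records)
    report = {}
    for r in records:
        reasons = audit_password(r)
        if counts[r["password"]] > 1:
            reasons.append("shared with other devices in batch")
        report[r["serial"]] = reasons
    return report


def generate_factory_password(record, length=16):
    """Draw a password from the OS CSPRNG and re-draw until it passes the same audit."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit_password({**record, "password": pw}):
            return pw


if __name__ == "__main__":
    for serial, reasons in audit_batch(SAMPLE_RECORDS).items():
        print(serial, "OK" if not reasons else "; ".join(reasons))
    print("replacement for", SAMPLE_RECORDS[0]["serial"], "->", generate_factory_password(SAMPLE_RECORDS[0]))
```

Running the file prints one line per device: the two `admin` records fail on every count, the two serial-derived passwords are reported as derivable from both the serial and the MAC, and only the last record passes. The regeneration loop is deliberate: rejection sampling against the audit keeps the policy in one place, so a later tightening of the thresholds automatically applies to newly issued credentials as well as to the batch review.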
While the government’s announcement of new security requirements for vendors of IoT devices is a welcome first step, it fails to address the core problem. For standard forms of authentication, there are well established and scrutinised protocols such as SAML, OAuth and OIDC. IoT lacks any such standards, and the proposed regulations do nothing to ensure that the mechanisms underpinning IoT communication are secure.