The government has proposed a new law that it hopes will help protect millions of Internet of Things (IoT) smart device users from cybercriminals.
IoT device security has been a concern among industry experts for some years. Research shows there are now 20 billion IoT devices in use around the world. But with only around 13 percent of manufacturers embedding even the most basic approaches to cyber security in their products, people’s privacy and security are at risk.

The new proposals, drawn up by the Department for Digital, Culture, Media and Sport (DCMS) and supported by the technical expertise of the National Cyber Security Centre (NCSC), aim to raise the security standard for all consumer smart products sold in the UK.
The standard will initially ensure devices adhere to three requirements. These are that device passwords must be unique and not resettable to any universal factory setting; manufacturers must provide a public point of contact so anyone can report a vulnerability; and information stating the minimum length of time for which the device will receive security updates must be provided to customers.
The government describes the move as “a significant step towards bringing robust security requirements for consumer smart products, such as smart speakers, kitchen appliances or cameras, into law”. It added that it is part of its ambition to make the UK the safest place to be online.
New powers
The government said new powers could include the ability to temporarily ban the supply or sale of the product while tests are undertaken or permanently ban insecure products if a breach of the regulations is identified. They could also serve a recall notice, compelling manufacturers or retailers to take steps to organise the return of the insecure product from consumers.
In addition, they could apply to the court for an order for the confiscation or destruction of a dangerous product and issue a penalty notice imposing a fine directly on a business.
The government said it will be looking for industry, academics and consumer groups to feed back on the plans.
In a statement, Digital Infrastructure Minister Matt Warman described the move as “a significant step forward” in the government’s plans to make sure people’s privacy is protected.
“I urge organisations to respond to these proposals so we can make the UK the safest place to be online with pro-innovation regulation that inspires consumer confidence in our tech products,” he said.
Weak points
Consumer smart products can be the weak points of entry for hackers looking to breach someone’s home network. Owners are often unaware that the default passwords or outdated software that can come as standard on a new device can lead to a range of harms, including the invasion of privacy, fraud or even physical harm.
Insecure smart devices also enable more widespread and destabilising cyberattacks on infrastructure and services. In the 2016 Mirai botnet attack, hackers gained access to thousands of IoT products through common default passwords to launch an attack that overwhelmed servers, leaving much of the internet inaccessible on the US east coast.
“People are at risk because fundamental security flaws in their connected devices are often not fixed – and manufacturers need to take this seriously,” said National Cyber Security Centre technical director Dr Ian Levy.
“We would encourage all consumer device manufacturers to make their views heard and help us ensure the technology people bring into their homes is as safe and secure as possible.”
Tackling the problem
The government says it already attempted to tackle the problem of IoT security in 2018 when it published a code of practice for consumer IoT security for manufacturers.
Last month DCMS and the NCSC announced their collaboration with global standards body the European Telecommunications Standards Institute (ETSI) to develop the first major international standard for the security of smart devices. This, they say, will help protect consumers around the world from falling victim to cyber hacks through security vulnerabilities in devices.
British Retail Consortium assistant director Graham Wynn said the organisation “welcome practical proposals from the government based on the three rigorous requirements to ensure that consumers’ safety and privacy are protected.”
Elsewhere, techUK CEO Julian David added that poor security practices “have consistently slowed the adoption of these devices, acting as a barrier to UK citizens reaping the benefits of the latest innovations and products.”








