The UK government has announced plans for new laws which aim to protect IoT devices from cyberattacks. Digital Minister Margot James unveiled the measures today in a bid to slow the huge growth in attacks targeting connected devices.
In a press release, James wrote:
“Many consumer products that are connected to the internet are often found to be insecure, putting consumers’ privacy and security at risk. Our Code of Practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought.
These new proposals will help to improve the safety of Internet-connected devices and is another milestone in our bid to be a global leader in online safety.”
Currently, the proposals are in consultation. One measure would require manufacturers to label how secure their products are – shaming those who don’t take security as seriously as they should.
Laws will also enshrine the ‘Secure by Design’ guidelines to require that:
- IoT device passwords are unique and not resettable to a factory default setting.
- Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
- Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.
Unchanged default passwords are one of the biggest causes of hacked devices. Cheap IP webcams are especially prone to compromise, with some websites listing the feeds of all devices where the user has left the default password.
Dr Ian Levy, Technical Director of the National Cyber Security Centre (NCSC), commented:
“Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it’s unacceptable that these are not being fixed by manufacturers. This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes.”
Following the consultation, the labels will initially roll out as a voluntary scheme. This gives device manufacturers who are confident in their security the chance to stand out from rival products.
Julian David, CEO of techUK, said: “TechUK welcomes the publication of the Government’s consultation on regulatory next steps for consumer IoT. This follows the Government’s voluntary Secure by Design Code of Practice for consumer IoT security launched last year, which techUK supported. The Code advocates for stronger cybersecurity measures to be built into smart products right from the design stage.
We are pleased that the security requirements outlined in the consultation are consistent with the Secure by Design Code of Practice and key industry standards that already exist for consumer IoT devices. This is an important first step in creating flexible and purposeful regulation that stamps out poor security practices, which techUK’s research shows can act as significant barriers on the take-up of consumer IoT devices.
The proposals set out have the potential to positively impact the security of devices made across the world and it is good to see the Government is working with international partners to ensure a consistent approach to IoT security. techUK looks forward to responding to this consultation on behalf of our members.”
The government proposals have been launched a day after Margot James held a roundtable on IoT security. Global technology giants including Amazon, Philips, Panasonic, Samsung, Miele, Yale, and Legrand were involved with the roundtable. As a result, each of the companies has committed to ensuring their products meet security requirements. The UK government is now working alongside its global partners to promote these IoT security standards around the world.