The UK Government says it is planning a law requiring smart devices, such as smartphones, smart speakers, smart watches and doorbells, to meet cyber security requirements. Among the proposals from the DCMS (Department for Digital, Culture, Media & Sport) is that customers must be told at the point of sale how long a smart device will receive security software updates.
Tech manufacturers such as Apple, Samsung and Google will be banned from using universal default passwords, such as ‘password’ or ‘admin’, that are pre-set in a device’s factory settings and are easily guessable by attackers; and manufacturers will be required to provide a public point of contact so that anyone can report a vulnerability.
The UK Government says it intends to introduce legislation as soon as parliamentary time allows. The DCMS points to research by the consumer rights body Which?, which found that a third of people kept their last phone for four years, yet some brands only offer security updates for a little over two years, leaving the handset vulnerable to cyber threats.
At DCMS, Digital Infrastructure Minister Matt Warman said: “Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems. We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.
“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”
And at the UK official National Cyber Security Centre (NCSC), Technical Director Dr Ian Levy said: “Consumers are increasingly reliant on connected products at work and at home. The covid-19 pandemic has only accelerated this trend and while manufacturers of these devices are improving security practices gradually, it is not yet good enough.
“DCMS’ publication builds on the 2018 Code of Practice and ETSI EN 303 645 to clearly outline the expectations on industry. To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now. It is also important to support uptake of good practice and provide industry with opportunities to innovate. I’m pleased to see the pilots, funded by DCMS, begin to test ways in which customers will be able to gain confidence in the security of these devices.”
Lead author Dr Saheli Datta Burton (UCL STEaPP) said: “We as consumers need to be more demanding about the safety and security of fitness devices that are increasingly becoming a part of our daily lives. It’s important we know who else can read our information, how it’s being processed, whether the readings can be changed to cause harm and what manufacturers and regulators are doing to protect us.
“It’s also important that we understand what the margin of error is when fitness trackers read our data, for example when they monitor our heartbeat. These are unlikely to be as accurate as more heavily regulated medical devices and could pose a safety risk.”
Rocio Concha, director of policy and advocacy at Which?, said: “New laws to tackle this issue are a crucial step as there are a vast array of connected devices with security flaws, many of which are currently on the market, that put consumers at risk from cyber criminals. We share the Government’s ambition to make the UK one of the safest places in the world for consumers to use smart technology and this must be backed up by strong enforcement, ensuring people can get effective redress when they purchase devices that fail to meet security standards and leave them exposed to data breaches and scams.”
Jake Moore, Cybersecurity Specialist at ESET, said: “General security remains below par for many smart devices available, which poses a huge risk to consumers who often purchase these devices in blind faith with the assumption they will be protected. Unfortunately, many products are still created with no security in mind due to cost savings or a lack of awareness. As more people rely on these devices with more services now online, it is imperative that these are shipped with not only the right security on board but with the promise of continued support due to the fast evolving threat landscape.
“This new law will force the big technology firms into complying with these standards but there will inevitably remain a number of smart products on the market and second hand sites which will fall well below the standard we would expect and include potential risks. It is vital that consumers understand the reasons behind this proposal and are equipped with the knowledge themselves in how to keep their devices secure by using unique passwords and multi factor authentication from the outset.”
And George Daglas, Chief Operating Officer, Obrela Security Industries said: “Easy-to-guess passwords are one of the most common ways for cybercriminals to gain access to IoT devices, but the problem is also one of the easiest to fix. It just takes some user education and pressure on IoT vendors to take extra security steps, and this is the approach the UK government seems to be taking. This new law is a positive move, but considering California implemented similar legislation all the way back in 2018, some might say it is a bit late.
“IoT vendors will now be forced to apply security measures into the development stages of products, rather than bolting them on at the end or leaving users to optionally apply them. This is long overdue, particularly considering that smartphones are now one of the primary ways consumers shop and bank online. Overall the move will make it harder for cybercriminals and safer for consumers.”