Consumer IoT code of practice

by Mark Rowe

A code of practice by UK Government for security of consumer IoT (Internet of Things) products has been welcomed. While voluntary, its 13 guidelines may help with compliance with data protection laws, such as the UK’s Data Protection Act 2018 and the European Union-wide General Data Protection Regulation (GDPR).

HP Inc and Centrica Hive are the first companies to sign up to the code, and the Government encourages other manufacturers and retailers to follow.

The Government has also published Consumer Guidance on Smart Devices in the Home, for the public, for setting up, managing and improving the security of devices.

Comments

Liviu Arsene, Senior Threat Analyst at Bitdefender, described the Code of Practice for smart device makers as an important milestone for IoT security. “However, it’s not just large tech giants that must adhere to it, but all IoT manufacturers. The problem has always been low-end smart devices, as these are the ones that are usually lacking in the security area. It’s because of these that we’ve seen IoT botnets and denial of service attacks, such as Mirai. While the new Code of Practice is a step in the right direction, especially since it makes use of security best practices, similar documents and even legislation should be adopted in order to nudge IoT manufacturers into implementing security best practices into smart devices.”

John Sheehy, VP of Strategy at IOActive, said it was unlikely that the industry will act upon it, given that it is voluntary. “Unfortunately, many manufacturers of these devices are more concerned with getting a minimally viable product to market than whether or not it is secure. As a result, many IoT devices expose their owners to significant risks.

“The proliferation of IoT devices with poor security posture has increased the attack surface for threat actors dramatically, and the industry’s disregard for security should be a concern for both consumers and businesses. Compromised devices can be used by threat actors for anything from listening in to conversations, harvesting sensitive data such as PII, crypto mining, and jumping to traditional IT systems.

“An additional risk to businesses comes when insecure employee IoT devices are connected to company systems or networks, meaning any compromise could lead to a disruption in business operations that could cause reputational damage and potential regulatory fines.

“A code of practice is a step in the right direction, but more needs to be done. The industry should follow best practices and self-regulate, before regulators put a static, cumbersome device security framework in place. Security must be built in from the design phase of any new connected device. It cannot be an afterthought, which only makes it more costly to the manufacturer. Until the industry takes a long-term view on cybersecurity risk or faces material financial consequences, we are likely to see things get worse before they get better.”

Andy Kays, CTO at threat detection and response firm Redscan, said it remains to be seen what effect it will have on improving standards. “To have a real positive impact we need to ensure that there is improved cooperation on a global level and do more to help organisations prioritise security across the complete development lifecycle.

“Right now, cyber security is often last in a long list of some manufacturers’ priorities. New features and services are driving sales, not robustness. Manufacturers are selling prototypes as fully-fledged products to generate attention and get to market as quickly as possible.

“While it’s positive that some large technology companies have already announced their backing of the new code, I suspect that smaller companies may be in less of a hurry to sign up. New manufacturers and start-ups don’t have the same level of brand equity as more established organisations, so there may be a tendency for them to take bigger risks in order to get products to market – and this can mean that cyber security risks are less of a concern.

“Retailers also need to do their part in helping to protect consumers by ensuring that they choose to stock products that meet recognised security standards.”

© 2024 Professional Security Magazine. All rights reserved.