
Consumer smart products standard proposed

by Mark Rowe

The UK Government proposes a law setting a cyber security standard for consumer smart products sold in the UK. The Department for Digital, Culture, Media and Sport (DCMS), supported on the technical side by the National Cyber Security Centre (NCSC), has issued a ‘call for views’.

The standard would initially require that products – such as smart speakers, kitchen appliances or cameras – meet three requirements, which could later be extended. The three are:

– Device passwords must be unique and not resettable to any universal factory setting;
– Manufacturers must provide a public point of contact so anyone can report a vulnerability;
– Information stating the minimum length of time for which the device will receive security updates must be provided to customers.
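What the first of those requirements looks like inside a device is easiest to see in code. The following is an added example written for this page, not code from DCMS, the NCSC or any manufacturer: a minimal model of a device's credential store in which each unit is given its own random password at provisioning, only a salted hash is kept on flash, and a factory reset re-provisions a fresh random password instead of reinstalling a universal default. The `Device` class, its field names and the denylist of common defaults are assumptions made for illustration; the fleet check at the end is the sort of test a conformance lab could run across a production batch.

```python
"""Per-device credential handling for the 'unique, non-universal default' requirement.

Added example (not code from DCMS, NCSC or any vendor). The Device class,
field names and COMMON_DEFAULTS denylist are illustrative assumptions.
"""
import hashlib
import hmac
import os
import secrets
import string
from typing import List, Optional, Tuple

# Constructed denylist of universal factory defaults a fleet check should reject.
COMMON_DEFAULTS = {"password", "admin", "1234", "12345", "123456", "root", ""}

_ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 16
PBKDF2_ROUNDS = 100_000


def generate_unique_password(length: int = PASSWORD_LEN) -> str:
    """Draw a fresh password from the OS CSPRNG.

    Deliberately NOT derived from the serial number or MAC address: anything an
    attacker can read off the label or sniff from the network would let them
    recompute such a 'unique' password for every unit.
    """
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest). Only these are stored on the device."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Device:
    """Minimal model of the credential store in a smart device's firmware (assumed)."""

    def __init__(self, serial: str) -> None:
        self.serial = serial
        self.salt: Optional[bytes] = None
        self.digest: Optional[bytes] = None
        self.initial_password: Optional[str] = None  # shown once on label/setup screen

    def provision(self) -> str:
        """Factory provisioning: every unit gets its own random password."""
        pw = generate_unique_password()
        self.salt, self.digest = hash_password(pw)
        self.initial_password = pw
        return pw

    def factory_reset(self) -> str:
        """A reset must not reinstall a universal default: it re-provisions instead,
        so the old password stops working and no two units share the new one."""
        return self.provision()

    def verify(self, candidate: str) -> bool:
        """Constant-time comparison of the candidate against the stored hash."""
        if self.salt is None or self.digest is None:
            return False
        _, cand = hash_password(candidate, self.salt)
        return hmac.compare_digest(cand, self.digest)


def fleet_check(passwords: List[str]) -> List[str]:
    """Problems a conformance test would flag across a batch of provisioned units."""
    problems: List[str] = []
    if len(set(passwords)) != len(passwords):
        problems.append("duplicate passwords across units")
    for pw in passwords:
        if pw.lower() in COMMON_DEFAULTS:
            problems.append(f"universal default in use: {pw!r}")
    return problems


if __name__ == "__main__":
    units = [Device(f"SN{i:04d}") for i in range(5)]
    batch = [d.provision() for d in units]
    print("compliant batch problems:", fleet_check(batch))
    old = batch[0]
    new = units[0].factory_reset()
    print("old password still works after reset:", units[0].verify(old))
    print("new password works after reset:", units[0].verify(new))
    # For contrast, what a batch shipped with a shared 'password' default looks like:
    print("non-compliant batch problems:", fleet_check(["password"] * 3))
```

The reset path is the part that usually goes wrong in practice: a device can have a unique label password and still fall back to a hard-coded `admin`/`admin` after the reset button is held, which is exactly the "universal factory setting" the proposed requirement rules out.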

The world already has billions of ‘smart’ devices – known as the Internet of Things (IoT) – in use. But few manufacturers build even the most basic cyber security measures into their products, putting people’s privacy and security at risk from attacks that exploit vulnerabilities in devices bought on the global market, according to the DCMS.

The UK Government published a code of practice for consumer IoT security for manufacturers in 2018. Last month DCMS and the NCSC also worked with the standards body the European Telecommunications Standards Institute (ETSI) to develop the first major international standard for the security of consumer smart devices.

DCMS Digital Infrastructure Minister Matt Warman said: “This is a significant step forward in our plans to help make sure smart products are secure and people’s privacy is protected. I urge organisations to respond to these proposals so we can make the UK the safest place to be online with pro-innovation regulation that inspires consumer confidence in our tech products.”

In the meantime, the official advice is that people should change the default passwords on their smart devices and regularly update their software to help protect themselves from cyber criminals.

The call for views also sets out the scope of the rules, what industry would need to do to comply with the new laws and an overview of industry guidance to be produced, as well as information on potential powers granted to an enforcement body. These could include powers to:

– Temporarily ban the supply or sale of the product while tests are undertaken;
– Permanently ban insecure products, if a breach of the regulations is identified;
– Serve a recall notice, compelling manufacturers or retailers to take steps to organise the return of the insecure product from consumers;
– Apply to the court for an order for the confiscation or destruction of a dangerous product;
– Issue a penalty notice imposing a fine directly on a business.

For the call for views visit – https://www.gov.uk/government/publications/proposals-for-regulating-consumer-smart-product-cyber-security-call-for-views.

Comments

Rocio Concha, Director of Advocacy at the consumer campaign group Which?, said: “Which? has repeatedly exposed popular connected devices with serious security flaws that fall well short of agreed voluntary standards, and leave consumers at the mercy of cyber criminals – so new laws to tackle this issue are an important step and can’t come soon enough.

“Legislation, which must be backed by strong enforcement, should be introduced as soon as possible. In the meantime, retailers and online marketplaces must do more to prevent blatantly unsecure products being sold and manufacturers need to be more proactive at addressing security issues with their products.”

David Kennefick, product architect at Edgescan, welcomed what’s proposed. He said: “The benefits here outweigh the inconvenience of shipping devices with unique passwords or forcing a password reset change during setup. There is a long trend of IoT devices being used in malicious attacks. Not just IoT, but default credentials in general have been the root cause which has enabled so many attacks to take place.

“In 2016 the Mirai malware knocked nearly one million Deutsche Telekom (DT) customers’ routers offline. The underlying attack vector there was default credentials and an unnecessarily exposed telnet service. In 2019, IoT devices have apparently not changed much since the 2016 outbreak, as Telestar Digital have had nearly the exact same scenario happen but have not had their customers’ devices taken offline. The default password for the IoT radio devices from Telestar Digital was ‘password’.”

And Kiri Addison, Head of Data Science at email and web security product firm Mimecast said: “IoT products continue to grow in popularity, with more and more of the UK public having devices inside their homes. Despite this popularity, there is too often a lack of education around the security issues that these devices can present. It is now widely known that many IoT devices, such as smart cameras, lack basic security and are vulnerable to hacking, and we have all seen the news stories surrounding this. This has become even more pressing with more employees working from home, which could lead to more IoT devices connecting to corporate networks and providing a way in for hackers. Therefore, it is positive to see the government planning further legislation designed to make these devices more secure.”


© 2024 Professional Security Magazine. All rights reserved.