Consumer Internet of Things consultation

by Mark Rowe

What should industry have to do to ensure consumer smart devices meet a basic level of security? So asks the Department for Digital, Culture, Media and Sport (DCMS) as it goes out to consultation on regulatory proposals for consumer Internet of Things security.

Such products include ‘smart’ TVs, toys and appliances. The Government is proposing that retailers will only be able to sell Internet of Things (IoT) items with a security label. The label would be launched as a voluntary scheme to help consumers tell apart products that have basic security features and those that don’t. As the consultation document stresses, the Conservative Government would prefer ‘an approach whereby industry self-regulate to address these issues’, but would ‘consider regulation where necessary’.

Digital Minister Margot James said: “Many consumer products that are connected to the internet are often found to be insecure, putting consumers’ privacy and security at risk. Our Code of Practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought. These new proposals will help to improve the safety of Internet connected devices and is another milestone in our bid to be a global leader in online safety.”

At the official National Cyber Security Centre (NCSC), Technical Director Dr Ian Levy said: “Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it’s unacceptable that these are not being fixed by manufacturers. This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes.”

The consultation closes on Wednesday, June 5.

The proposed basics would cover:

– IoT device passwords must be unique and not resettable to any universal factory setting.
– Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
– Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.

These and other things are set out in the UK Government’s voluntary Secure by Design Code of Practice for consumer IoT security as launched last year. For the consultation document, visit the Government’s Secure by Design pages.

Comments

Paul McEvatt, Senior Threat and Intelligence Manager at Fujitsu EMEIA, called it ‘a necessary step’. He said: “As an increasing array of products become reliant on smart technology, consumers are going to rely on businesses to ensure their data is protected. And as cyber-criminals become more and more sophisticated, these regulations will ensure all businesses are making an active effort to prevent cyberattacks.

“Organisations play a fundamental role in protecting the data and privacy of their customers and they must work on the basis that cyber-criminals are willing to exploit every avenue possible to try and successfully breach environments. By adopting a privacy and ‘security by design’ approach, IoT manufacturers can ensure they adequately protect their customers, providing them with a level of assurance and confidence when purchasing their products. The new regulations are a significant step towards smart products being safer and more secure so that consumers need not worry about their data being stolen or their networks being breached. Now, businesses must make it their priority to ensure they are complying with them.”

David Orme, Senior Vice President at IDEX Biometrics, described it as ‘very much a short-term solution to what is becoming an increasingly urgent security problem’. As more and more devices are being connected through IoT, he said, a higher level of authentication is required to protect connected devices vulnerable to hackers; security measures such as passwords are no longer enough on their own.

“Manufacturers of IoT devices must look to incorporate biometric fingerprint authentication, so device owners can be safe in the knowledge that any orders have been authenticated only by them, mitigating malicious intent. One way of doing so is for banks and IoT manufacturers to work together, to integrate NFC PoS systems into IoT devices, so users can simply present their biometric smart payment card to authenticate orders with their fingerprint.

“Biometric data stored in this smart card is virtually impossible for criminals to hack or intercept, and impossible for anybody that isn’t the card owner to replicate. The only person who can authenticate an action, permission or transaction, where biometrics are involved is the person whose fingerprint is held as a record on the device.”

David Emm, principal security researcher at Kaspersky Lab UK, welcomed the proposal. “Smart versions of products that have never traditionally been connected, such as baby monitors and televisions, have been available to buy for some years now, while remaining vulnerable to cyber-attacks due to the failure of many companies to build in security at the design stage when developing smart devices.

“Having an industry standard requirement, that all connected products must adhere to, would make all items available to purchase much safer when used in homes across the country. The labelling system that is proposed can only enhance this, allowing consumers to easily check if smart devices are compliant. This is a very positive step in making sure consumers are safeguarded, and much better equipped, than they have ever been before. For too long there has been a neglectful attitude towards customer protection, and with billions upon billions of connected devices operating every day around the world, it’s reassuring to see that action is finally being taken.”

© 2024 Professional Security Magazine. All rights reserved.