Consumer smart devices sold in the UK will have to meet security requirements for the Internet of Things (IoT), says the Department for Digital, Culture, Media and Sport (DCMS).
At the DCMS, Digital Minister Matt Warman said: “We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology. Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”
The proposals, developed with the UK's National Cyber Security Centre (NCSC), are that consumer internet-connected device passwords must be unique and not resettable to any universal factory setting; that manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and have it acted on in a timely manner; and that manufacturers must state the minimum time the device will receive security updates at the point of sale, in store or online.
As the DCMS notes, billions of internet-connected devices, such as televisions, cameras, home assistants and their associated services, are now in use. The UK government launched a voluntary Secure by Design Code of Practice for consumer IoT security in 2018.
Fennel Aurora, security adviser at cybersecurity company F-Secure, called it a step in the right direction. “When you buy electronics, you know they won’t set your home on fire and that they won’t give your children lead poisoning due to legislation enforced by the government. The three cyber security rules are even more basic protections so there is no excuse for a manufacturer to put an IoT product on the market that does not comply.”
Jake Moore of anti-virus firm ESET said: “Long has there been a standoff between security professionals and manufacturers battling it out over the protection of customers and their gadgets, so if the government muscle in on the action it could just be the answer we have been fighting for. Unique passwords are more important than most people tend to realise, so this simple yet effective ‘security by design’ move will add an instant layer of protection without the user having to think. Security doesn’t have to be difficult, but it is far more successful when the user is obliged to protect themselves by design.”
Stuart Sharp, VP of solution engineering at OneLogin, a multi-factor authentication (MFA), identity and access management product company, welcomed the announcement as a first step, but said it failed to address the core problem. “For standard forms of authentication, there are well established and scrutinised protocols such as SAML, OAuth and OIDC. IoT lacks any such standards, and the proposed regulations do nothing to ensure that the mechanisms underpinning IoT communication are secure.”
Alan Grau, VP of IoT at web security company Sectigo, says: “Connected device security stands to benefit from well-considered legislation and guidelines, and we applaud recent activity in California, Australia, and now the UK in this area. But while these laws are a good start, we must not fall into the trap of believing that they are sufficient to address the full set of identified gaps in IoT security.
“High volumes of devices with known passwords have been the root cause of large botnets and other problems, and this legislation begins addressing that need. Legislatures should go on from there to address the next tier of weaknesses, including unique passwords that are predictable or otherwise easily guessed and devices that make their password updates in unencrypted sessions.
“Unfortunately, the password paradigm is fundamentally vulnerable to well-established techniques including phishing, social engineering, and credential stuffing. To get around these problems, manufacturers should consider Public Key Infrastructure (PKI) solutions, which can provide a fundamentally more trustworthy identity paradigm for devices. PKI provides unique cryptography-based access for each device with no potential for social engineering or other password attacks. PKI has stood the test of time as one of the most venerable and ubiquitous computing paradigms we have. The mechanisms, processes, and widespread platform support we have for PKI are easy to expand to the needs of connected devices.”
Likewise, David Orme, SVP at IDEX Biometrics ASA, welcomed the proposal, but added that stronger authentication methods are required to truly secure connected devices. “Rather than relying on passwords alone, manufacturers of smart goods must look to include biometric fingerprint sensors into connected devices themselves and keep the user’s digital identity locally stored in a secure element, not in a central database. The only person who can authenticate an action, permission or transaction, where biometrics are involved, is the person whose fingerprint has been directly enrolled on to the device itself. This means locally-stored biometric data is virtually impossible for criminals to hack or intercept.
“Biometrics can then be used to authenticate transactions initiated via connected devices to ensure kids or friends aren’t ordering goods on your behalf without your knowledge. Biometric authentication will also end the concerns people currently have about the implications of devices being lost, stolen or even hacked. Using biometrics to authenticate smart devices gives users the confidence to enjoy a truly personalised and secure IoT experience.”