The UK government plans to introduce laws designed to help protect IoT devices following a pandemic-induced surge in sales.
With more people spending time at home for both work and play, many have invested in smart devices to become more productive and make their lives easier. In fact, figures (PDF) commissioned by the government suggest that almost half (49%) of UK residents have purchased an IoT device since the start of the pandemic.
Dr Ian Levy, Technical Director of the National Cyber Security Centre, said:
“Consumers are increasingly reliant on connected products at work and at home. The Covid-19 pandemic has only accelerated this trend and while manufacturers of these devices are improving security practices gradually, it is not yet good enough.
DCMS’ publication builds on the 2018 Code of Practice and ETSI EN 303 645 to clearly outline the expectations on industry. To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now.”
The rapid adoption of IoT devices – combined with their often poor security – has made them key targets for hackers.
We’ve already seen cases of IoT devices with microphones and cameras hacked for blackmail and fraud, and devices being added to botnets like Mirai and Mozi to carry out devastating DDoS attacks which have taken services offline that people are relying on more than ever.
In 2019, F-Secure Chief Research Officer Mikko Hyppönen warned that IoT devices could be the “asbestos of the future”.
Rather than dealing with the consequences after widespread adoption, as happened with asbestos, the UK government wants to intervene earlier.
Some of the new proposed laws include requirements that:
- Customers are informed at the point of sale of the duration for which a smart device will receive security software updates.
- Manufacturers cannot use universal passwords such as ‘password’ or ‘admin’ that are often the default and therefore easily guessable.
- Manufacturers provide a public point of contact to make it easier to report a discovered vulnerability.
Digital Infrastructure Minister Matt Warman said:
“We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.
The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”
Smartphones are also being put under the microscope after research from consumer group Which? found that a third of people have kept their latest phone for the past four years, since many phones now last six years or more before detrimental faults or performance issues occur. However, many devices only receive security updates for around two years.
Rocio Concha, Director of Policy and Advocacy at Which?, commented:
“New laws to tackle this issue are a crucial step as there are a vast array of connected devices with security flaws, many of which are currently on the market, that put consumers at risk from cybercriminals.
We share the government’s ambition to make the UK one of the safest places in the world for consumers to use smart technology and this must be backed up by strong enforcement, ensuring people can get effective redress when they purchase devices that fail to meet security standards and leave them exposed to data breaches and scams.”
None of the 270 connected devices examined by University College London for a recent study displayed any information to the consumer about how long the device will receive security updates.
Ilia Kolochenko, CEO, Founder, and Chief Architect at ImmuniWeb, said:
“This legislative progress is encouraging and should serve as an example to other European governments.
The main challenge of high-tech legislation is to actually enforce the law: people may buy substandard IoT devices abroad in a few clicks, while customs have insufficient resources to monitor compliance with highly complicated legislation amid the influx of foreign goods. A toothless law is unlikely to deter the bad practices that it aims to regulate.
It would, however, certainly be interesting to measure the impact of the Californian IoT security law, enacted in 2018 and effective since 2020, on the consumer protection of Californians.
Individual standing under the new law – one’s capacity to bring a private lawsuit seeking damages in addition to monetary fines issued by the government – is likewise essential to provide aggrieved individuals with redress and bring stronger incentives to comply with the law.
Problematically, most of the insecure and dangerous IoT devices are manufactured in third-party countries that are oftentimes ignorant of any judicial cooperation with the UK authorities. Thus, however good the law will be, its practical enforcement will be decisive for its eventual success.”
The UK government plans to introduce the IoT security legislation as soon as parliamentary time allows.