The UK government aims to shift the burden of securing IoT devices away from consumers and place it squarely on manufacturers.
“Poorly secured devices threaten individuals’ online security, privacy, safety, and could be exploited as part of large-scale cyber attacks,” they noted.
To mitigate the risk, the government published a “Secure by Design” report, compiled in collaboration with the National Cyber Security Centre (NCSC), manufacturers and retailers. It contains a Code of Practice for manufacturers of consumer IoT products and associated services (primarily the applications used to manage Internet-connected devices).
The Code of Practice
The Code of Practice requires that manufacturers:
- Make the installation and maintenance of IoT devices easy
- Ensure software integrity and timely updates
- Make IoT services resilient to outages
- Have a vulnerability disclosure policy and point of contact (and respond to vulnerability reports in a timely manner)
- Make sure that personal data is protected in accordance with data protection law, and security-sensitive data is encrypted
- Make it easy for consumers to delete personal data on devices and products
- Validate input data and monitor system telemetry data
- Make sure that credentials are securely stored within services and on devices and that hard-coded credentials are not used
- Make sure that IoT device passwords are unique and not resettable to any universal factory default value
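The last two items are the ones most often violated in practice, so here is an added example of what they mean in code. It is not taken from the report or from any manufacturer's firmware: it contrasts a device class that ships with a universal default password (and resets back to it) with one that derives a unique per-unit initial password from a secret provisioned at manufacture, stores only a salted hash of it, and restores only that unit's own label password on factory reset. The class names, serial format, password format and the "admin" placeholder default are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def _provision_device_secret() -> bytes:
    # Stands in for a per-unit secret burned into a secure element on the
    # production line. Constructed here so the example runs offline; a real
    # device would not expose it to application code.
    return secrets.token_bytes(32)


class InsecureDevice:
    """Anti-pattern: every unit ships with the same default, and a factory
    reset restores it. Kept only to contrast with HardenedDevice."""

    UNIVERSAL_DEFAULT = "admin"  # constructed placeholder, not a real product's default

    def __init__(self, serial: str) -> None:
        self.serial = serial
        self._password = self.UNIVERSAL_DEFAULT  # plaintext, shared across all units

    def login(self, attempt: str) -> bool:
        return attempt == self._password

    def set_password(self, new_password: str) -> None:
        self._password = new_password

    def factory_reset(self) -> None:
        # Any unit anyone can power-cycle into reset is back to the universal value.
        self._password = self.UNIVERSAL_DEFAULT


class HardenedDevice:
    """Unique per-unit initial password, derived from a device-specific secret
    and printed on the unit's label at manufacture; only a salted hash is stored."""

    _PBKDF2_ITERATIONS = 100_000

    def __init__(self, serial: str) -> None:
        self.serial = serial
        self._device_secret = _provision_device_secret()
        self._salt = b""
        self._hash = b""
        self._store(self.label_password())

    def label_password(self) -> str:
        # Deterministic for this unit (so a reset returns to the value on the
        # label) but unrelated to every other unit, because each unit has its
        # own secret. 20 hex characters is an assumed label format.
        digest = hmac.new(self._device_secret, self.serial.encode(), hashlib.sha256).digest()
        return digest[:10].hex()

    def _store(self, password: str) -> None:
        # Credentials are stored securely: salted PBKDF2 hash, never plaintext.
        self._salt = secrets.token_bytes(16)
        self._hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self._PBKDF2_ITERATIONS
        )

    def login(self, attempt: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", attempt.encode(), self._salt, self._PBKDF2_ITERATIONS
        )
        return hmac.compare_digest(candidate, self._hash)  # constant-time comparison

    def set_password(self, new_password: str) -> None:
        self._store(new_password)

    def factory_reset(self) -> None:
        # Returns to this unit's own label password, never to a value shared
        # with other units, so a reset does not reopen a universal default.
        self._store(self.label_password())
```

Run two units of each class side by side: both `InsecureDevice` units accept "admin", so a single leaked default compromises the whole product line, whereas the two `HardenedDevice` units have different label passwords, reject "admin", and after a factory reset accept only their own label value.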
In short, manufacturers are expected to build security into IoT devices as they develop them, rather than bolting it on after the devices have been manufactured, shipped, and put into use.
Will it work?
The Code is currently only a draft, and stakeholders are invited to send feedback on it by 25 April.
Still, one wonders how the government plans to enforce whatever requirements make it into the final version, as there is no indication that manufacturers who fail to comply will face any sanctions.
Pen Test Partners’ Ken Munro believes that the “Secure by Design” IoT standard will be utterly ineffective in its current form.
In a post outlining the reasons why IoT vendors, hardware manufacturers, IoT integrators and platform suppliers fail to consider or implement IoT security, he argued that without first understanding why manufacturers build insecure devices, the underlying problems cannot be fixed.
“Fixing this requires guidance (which is already out there) and standards to follow (already out there, e.g., IoTSF). However, without enforcement and market regulation, nothing much will change,” he concluded.
According to the government’s own estimates, every household in the UK owns at least 10 Internet-connected devices and will own 15 of them by 2020.
Dr Ian Levy, the NCSC’s Technical Director, said that people should not be expected to make impossible safety judgments with no useful information.
“Shoppers should be given high-quality information to make choices at the counter. We manage it with fat content of food and this is the start of doing the same for the cybersecurity of technology products,” he noted.
Alongside the measures proposed for IoT manufacturers, the government has also proposed developing a product labeling scheme so consumers are aware of a product’s security features at the point of purchase.