Government sets out tighter security measures for IoT devices

The government has announced plans to develop a new code of practice to improve the security of connected internet of things devices

The government is planning to introduce tough new cyber security and compliance measures to better protect the millions of smart internet of things (IoT) devices already online around the UK – and the millions more yet to come – as part of its ongoing, five-year, £1.9bn security initiative.

The Security by Design review has been developed with support from device manufacturers, retailers and the National Cyber Security Centre (NCSC) to address the huge number of gaping security holes in many smart IoT devices, such as TVs, toys and speakers.

The government claimed that, averaged out, every household in the UK now owns at least 10 internet-connected devices, and most will add at least five more in the next couple of years. This suggests there could be more than 420 million potential sources of attack in UK homes by 2020.

Badly secured IoT devices have already been implicated in a number of high-profile cyber security events that compromised consumer data. In early 2017, for example, more than 800,000 owners of a connected teddy bear had their data exposed because of a poorly secured MongoDB database, while hundreds of thousands of other devices are still being co-opted into damaging IoT botnets.

A January 2018 report from the Cyber Security Research Institute said urgent action was needed on IoT security to avoid a “predictable descent into a dystopian future”.

In the light of these challenges, the government’s review has set out plans to embed security in the design process rather than bolting it on later, and hopes to establish a new code of practice to improve the security of consumer IoT devices and services, while still leaving enough wiggle room for innovative use cases.

“We want everyone to benefit from the huge potential of internet-connected devices and it is important that they are safe and have a positive impact on people’s lives,” said Margot James, minister for digital and the creative industries. “We have worked alongside industry to develop a tough new set of rules so that strong security measures are built into everyday technology from the moment it is developed.

“This will help to ensure we have the right rules and frameworks in place to protect individuals and that the UK continues to be a world-leading, innovation-friendly digital economy.”

The new rules will help ensure all passwords on new devices are unique and not resettable to a factory default; that devices have a vulnerability policy and a public point of contact so that issues can be reported and acted on quickly; that any sensitive data transmitted over apps or devices is encrypted; that software is automatically updated and there is guidance on this for users; that consumers can easily delete personal data on devices; and that installation and maintenance of devices is made easier.

The government’s review also proposes the development of a product-labelling scheme to make buyers aware of a product’s security features at the point of purchase. The Department for Digital, Culture, Media and Sport (DCMS) said it would work closely with retailers and consumer rights bodies to provide advice and support in this regard.

“The NCSC is committed to ensuring the UK has the best security it can, and stop people being expected to make impossible safety judgements with no useful information,” said NCSC technical director Ian Levy.

“We are pleased to have worked with DCMS on this vital review, and hope its legacy will be a government ‘kitemark’ clearly explaining the security promises and effective lifespan of products.

“Shoppers should be given high-quality information to make choices at the counter. We manage it with the fat content of food and this is the start of doing the same for the cyber security of technology products.”

Alex Neill, managing director of home products and services at consumer rights organisation Which?, also voiced support for the measures.

“With connected devices becoming increasingly popular, it is vital that consumers are not exposed to the risk of cyber attacks through products that are left vulnerable through manufacturers’ poor design and production,” he said.

“Companies must ensure that the safety of their customers is the absolute priority when ‘smart’ products are designed. If strong security standards are not already in place when these products hit the shelves, then they should not be sold.”

DCMS is inviting feedback on its draft proposals, which can be read in full online, ahead of further work this year to develop its recommendations. That work will involve examining how the government might embed these guidelines into actual regulations following the Data Protection Bill.
