UK’s proposed IoT cyber security law gathers momentum

New statistics appear to vindicate UK government proposals to force suppliers to be upfront about IoT security

Skyrocketing ownership of smart, connected internet of things (IoT) devices among the general public demonstrates the necessity of the UK government’s proposed new cyber security laws, according to the Department for Digital, Culture, Media and Sport (DCMS).

The department has today (21 April) published figures that show almost half (49%) of UK consumers have bought at least one smart device since the outbreak of the Covid-19 pandemic in 2020. Such products may appear to offer a huge range of benefits, yet many of them are highly vulnerable to cyber attacks.

Planned new legislation to address this shortfall in device security will force suppliers to tell users, at the point of sale, for how long their product will receive security updates and patches.

DCMS said it would now also be putting smartphones in scope of the planned legislation in light of responses to a recent call for public input. It said research had shown up to a third of people keep their smartphones for at least four years, but many brands only offer security updates for two years.

Recent University College London research found that, of 270 products tested, none displayed this information at the point of sale or in any accompanying paperwork.

“Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems,” said digital infrastructure minister Matt Warman.

“We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.

“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”

The law will also ban suppliers from selling devices with universal default passwords preset and force them to provide public contacts to make vulnerability reporting easier.

Brad Ree, CTO of the Internet of Secure Things (IoXT) Alliance, said: “We applaud the UK government for taking this critical step to demand more from IoT device manufacturers and to better protect the consumers and businesses that use them.

“Requiring unique passwords, operating a vulnerability disclosure programme, and informing consumers on the length of time products will be supported is a minimum that any manufacturer should provide. These are all included in the IoXT compliance programme and have been well received by manufacturers around the world.”

NCSC technical director Ian Levy added: “Consumers are increasingly reliant on connected products at work and at home. The Covid-19 pandemic has only accelerated this trend and while manufacturers of these devices are improving security practices gradually, it is not yet good enough.

“DCMS’ publication builds on the 2018 Code of Practice and ETSI EN 303 645 to clearly outline the expectations on industry. To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now.”

The law, which will be introduced “as soon as parliamentary time allows”, builds on a series of steps Westminster has already taken, including the publication of a code of practice for device-makers and the development of an international standard for IoT security, which has been approved by industry association the Cybersecurity Tech Accord (CTA) and is being used in, among other places, Australia, Finland, India and Singapore.

More recently, three new voluntary assurance schemes have been launched, backed by a £400,000 grant. These are the Internet of Toys Assurance Scheme, designed to reassure parents that products bought for children are tested and meet minimum requirements; the Smart TV Cybersecurity Certification programme, which offers third-party testing and an approved security kitemark for smart TVs; and the IASME IoT Security Assured initiative, which is designed to enable smaller IoT developers and startups to conduct verifiable cyber security testing on their products.
