Government Proposes New IoT Security Laws


New law to ensure basic cyber security features would be implemented in all Internet-connected products

A new law has been proposed by the British government to secure IoT devices with cyber security features.

The move has been welcomed by security experts, and comes after scores of security incidents relating to Internet-connected devices, commonly found around the household.

For example, in 2017 a researcher found that high-end Aga cookers could be compromised by hackers. The ovens involved used a system (called ‘Total Control’) that allowed the user to remotely control their kitchen appliance. Unfortunately, it could easily be hacked.

IoT security

And the issue of security in an Internet of Things (IoT) world has long been a concern for Silicon UK readers.

Against this backdrop, Margot James, Minister of State for Digital and Creative Industries, has announced a proposed new law for internet-connected devices.

The law is being consulted on, but will consider a mandatory new labelling scheme. The label would tell consumers how secure their products such as ‘smart’ TVs, toys and appliances are.

“The move means that retailers will only be able to sell products with an Internet of Things (IoT) security label,” said the government.

The consultation focuses on mandating the top three security requirements set out in the current ‘Secure by Design’ code of practice. These are:

  • IoT device passwords must be unique and not resettable to any universal factory setting.
  • Manufacturers of IoT products must provide a public point of contact as part of a vulnerability disclosure policy.
  • Manufacturers must explicitly state, through an end-of-life policy, the minimum length of time for which the device will receive security updates.
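As an added illustration (not code from the article, the government or the code of practice), the following script shows how a manufacturer could self-check a product batch against those three requirements before shipment. The product record, device serials, passwords, blocklist of universal defaults and dates are all constructed sample data.

```python
"""Self-check of a constructed device batch against the three 'Secure by Design'
requirements the consultation proposes to mandate."""
from collections import Counter
from datetime import date

# Constructed sample of universal factory defaults; a real check would use a
# maintained blocklist rather than this short list.
UNIVERSAL_DEFAULTS = {"admin", "password", "12345", "default", ""}

def check_unique_passwords(devices):
    """Requirement 1: every unit ships with its own password and none of them is a
    universal default, so a factory reset cannot fall back to a shared value.
    Returns the serials that fail."""
    counts = Counter(d["password"] for d in devices)
    return [d["serial"] for d in devices
            if d["password"] in UNIVERSAL_DEFAULTS or counts[d["password"]] > 1]

def check_disclosure_contact(product):
    """Requirement 2: a public vulnerability-disclosure contact is published."""
    contact = product.get("vuln_contact", "")
    return "@" in contact or contact.startswith("https://")

def check_update_policy(product, today_iso):
    """Requirement 3: the end of security-update support is stated explicitly
    and has not already passed."""
    end = product.get("security_updates_until")
    return end is not None and date.fromisoformat(end) > date.fromisoformat(today_iso)

def assess(product, devices, today_iso):
    """Run all three checks and return one result dictionary."""
    return {"failing_devices": check_unique_passwords(devices),
            "disclosure_contact": check_disclosure_contact(product),
            "update_policy": check_update_policy(product, today_iso)}

# Constructed sample: one product line, four units from the same batch.
SAMPLE_PRODUCT = {"model": "SmartKettle-1",            # hypothetical product
                  "vuln_contact": "security@example.com",
                  "security_updates_until": "2024-06-30"}
SAMPLE_DEVICES = [
    {"serial": "SK1-0001", "password": "q7Gm-2xLp-9vRt"},  # unique: passes
    {"serial": "SK1-0002", "password": "admin"},           # universal default
    {"serial": "SK1-0003", "password": "Zb4k-8wQn-1yHs"},  # duplicated below
    {"serial": "SK1-0004", "password": "Zb4k-8wQn-1yHs"},  # duplicate of 0003
]

if __name__ == "__main__":
    print(assess(SAMPLE_PRODUCT, SAMPLE_DEVICES, "2019-05-01"))
```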

Following the consultation, the security label will initially be launched as a voluntary scheme to help consumers identify products that have basic security features and those that don’t.

“Many consumer products that are connected to the internet are often found to be insecure, putting consumers’ privacy and security at risk,” said Digital Minister Margot James. “Our Code of Practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought.”

“Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it’s unacceptable that these are not being fixed by manufacturers,” said National Cyber Security Centre (NCSC) Technical Director, Dr Ian Levy.

“This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes,” Dr Levy said.

The Government is working with international partners to ensure that the guidelines drive a consistent approach to IoT security.

Welcomed move

The move has been welcomed by security experts who believe it is an important step to improve the safety of users.

“This is an extremely productive and positive step proving that the government is listening to the cyber security industry and prioritising the safety of its users,” said Jake Moore, cyber security specialist at ESET.

“IoT devices having unique passwords by default would have an immense effect on the protection of not only the devices, but it could also thwart other attacks such as DDoS, which affects thousands of sites around the world,” he added.

“Even though it will help people immediately ‘out of the box’, in turn it will help raise cyber awareness on the power of security updates and having a point of contact to turn to in desperate times,” said Moore. “This proposed law could even have a knock-on effect on other lines of defence. Making devices two-factor authenticated by default could be the next step, which would provoke another monumental change in protection of the public.”

Another expert said there is a long way to go, but it should help tackle passwords.

“F-Secure was previously critical of the code of conduct but by proposing a legal framework the UK Government is taking a step in the right direction,” said Tom Gaffney, principal consultant at F-Secure.

“There is a long way to go (as initially it will be voluntary) and there is always much in the detail to be considered, plus we have to question how effective legislation will be,” he added.

“The initial proposals will focus on three areas: weak passwords, security updates and vulnerability disclosures. From a security perspective we agree that these are major issues in the world of IoT threats today,” said Gaffney. “As many as one third of IoT attacks abuse weak passwords, and legislating to fix this basic issue can only be a good thing.”

In 2015 toy maker Mattel triggered fresh privacy and security worries for parents with the development of a Wi-Fi connected Barbie doll, which it was feared could allow hackers to spy on children.
