A draft code of practice would encourage manufacturers to drop default device passwords and to encrypt device communications
The government has issued draft guidelines aimed at making internet-connected devices more secure, following a string of high-profile hacking incidents.
The draft of the voluntary code of practice follows a comprehensive review that involved manufacturers, retailers and the National Cyber Security Centre (NCSC).
It calls on manufacturers to ensure that the administrator passwords on devices are unique to each device and cannot be reset to a uniform factory default, and that communications from devices are encrypted.
Other advice from the Secure by Design review includes that manufacturers provide a point of contact for security researchers, provide automatic software updates, and make it easy for consumers to delete personal data and to carry out installation and maintenance tasks.
‘Smart’ devices set to soar
The government estimates every British household contains at least 10 internet-connected devices, with the figure set to rise to 15 by 2020.
Most of those devices are considered easy to hack. In 2016 malware called Mirai built a botnet of around 100,000 devices, mostly IP cameras and digital video recorders, and used it to take a number of high-profile websites offline. The malware took over devices by scanning the internet for those that still accepted factory-default usernames and passwords.
TV set-top boxes, smart watches and children’s toys have also been targeted.
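The two code-of-practice points above (per-device passwords that a reset cannot return to a uniform default) and the Mirai default-credential scanning can be shown together in a small simulation. This is an added illustration, not code from the article, the UK government or the NCSC: it provisions one simulated fleet that ships the same admin password on every unit and one that derives a unique label password from a secret burned into each unit at manufacture, then runs a Mirai-style credential dictionary against both, before and after a factory reset. Every serial number, credential and helper name here is constructed for the example.

```python
"""Added example: why a per-device password that a factory reset cannot
restore to a uniform default defeats default-credential scanning.
Not from the article or any official guidance; all data is constructed."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed credential dictionary of the kind IoT scanners carry.
# Generic illustrative pairs only; no claim about any particular vendor.
SCANNER_DICTIONARY = [
    ("admin", "admin"), ("root", "root"), ("admin", "1234"),
    ("root", "password"), ("user", "user"),
]

UNIFORM_DEFAULT = ("admin", "admin")   # what the weak design ships with

# Deliberately low so the simulated fleet runs quickly; a real device
# would use a far higher password-hashing cost.
KDF_ITERATIONS = 1_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def derive_label_password(device_secret: bytes) -> str:
    """Hardened design: the initial password printed on the unit's label is an
    HMAC over a per-device secret, so it is unique per unit and can be
    regenerated by the firmware after a reset without any universal default."""
    digest = hmac.new(device_secret, b"initial-admin-password", hashlib.sha256).digest()
    return base64.b32encode(digest[:10]).decode()   # 16 label-friendly characters


@dataclass
class Device:
    serial: str
    username: str
    salt: bytes
    pw_hash: bytes
    device_secret: Optional[bytes] = None   # present only in the hardened design

    def login(self, username: str, password: str) -> bool:
        if username != self.username:
            return False
        candidate = _hash_password(password, self.salt)
        return hmac.compare_digest(self.pw_hash, candidate)

    def set_password(self, new_password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(new_password, self.salt)

    def factory_reset(self) -> str:
        """Weak units fall back to the uniform default; hardened units return
        to their own label password. Returns the password now in force."""
        if self.device_secret is None:
            password = UNIFORM_DEFAULT[1]
        else:
            password = derive_label_password(self.device_secret)
        self.set_password(password)
        return password


def provision_weak(serial: str) -> Device:
    """Every unit leaves the factory with the same credential."""
    dev = Device(serial, UNIFORM_DEFAULT[0], b"", b"")
    dev.set_password(UNIFORM_DEFAULT[1])
    return dev


def provision_hardened(serial: str) -> Device:
    """Each unit gets its own secret at manufacture; the label password is
    derived from it rather than shared across the product line."""
    dev = Device(serial, "admin", b"", b"", device_secret=secrets.token_bytes(32))
    dev.factory_reset()
    return dev


def dictionary_scan(fleet: list) -> list:
    """Mirai-style check: which units accept any dictionary credential?"""
    return [d.serial for d in fleet
            if any(d.login(u, p) for u, p in SCANNER_DICTIONARY)]


def simulate(fleet_size: int = 20) -> dict:
    """Provision both fleets, let owners change passwords, reset every unit,
    then scan. Counts how many units each design leaves open."""
    weak = [provision_weak(f"W{i:03d}") for i in range(fleet_size)]
    hardened = [provision_hardened(f"H{i:03d}") for i in range(fleet_size)]
    for d in weak + hardened:
        d.set_password("owner-chosen-" + secrets.token_hex(4))
    for d in weak + hardened:
        d.factory_reset()
    return {
        "weak_compromised": len(dictionary_scan(weak)),
        "hardened_compromised": len(dictionary_scan(hardened)),
        "label_passwords_unique": len({derive_label_password(d.device_secret)
                                       for d in hardened}) == fleet_size,
    }


if __name__ == "__main__":
    # {'weak_compromised': 20, 'hardened_compromised': 0, 'label_passwords_unique': True}
    print(simulate())
```

The point of deriving the label password from a per-device secret rather than storing it is that a reset restores a credential that is still unique to that unit, so a fleet-wide dictionary gains nothing; with the weak design, a reset re-opens every unit an owner had secured.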
The review outlines “practical steps” for manufacturers, service providers and developers, the government said, adding the code would improve cyber-security while continuing to encourage innovation.
Margot James, minister for digital and the creative industries, said the government wants everyone to benefit from the “huge potential” of internet-connected devices.
But it’s important such devices are “safe” and make a “positive impact”, she said.
“We have worked alongside industry to develop a tough new set of rules so strong security measures are built into everyday technology from the moment it is developed,” James said.
NCSC technical director Dr Ian Levy said the centre aims to “stop people being expected to make impossible safety judgements with no useful information”.
He said the NCSC hopes the review leads to a government-certified label indicating devices’ security arrangements and their effective lifespan.
Which? welcomed the scheme as a first step, while McAfee chief scientist Raj Samani said the code of practice was a move toward “ensuring a standard level of security across these devices”.
But Pen Test Partners’ Ken Munro said the scheme could not make an impact as long as it remained voluntary.
“Responsible manufacturers are already addressing IT security in devices, so that means this code will apply to fly-by-night ones that aren’t,” he said. “But because this standard isn’t compulsory, (and) there is no legislation or kitemark, it will have no effect.”
He said the government needs to update consumer protection laws to address Internet of Things (IoT) security issues.
“We do it with electrical safety, so why not IoT?” he said.
The government is seeking feedback on the proposal until 25 April.