IoT devices could be banned from sale and destroyed if they fail to meet basic security standards, according to proposals put forward by the UK Government.
The UK Government Department for Digital, Culture, Media and Sport (DCMS) has published proposals for a new law designed to protect purchasers of so-called “smart devices” from cybercriminals.
Working with the National Cyber Security Centre (NCSC), the DCMS has detailed three key requirements that it wants IoT device manufacturers to follow – and the potential penalties it is prepared to mete out if they are not met.
The list of proposed rules, which could be expanded in future, is as follows:
Ban universal default passwords in consumer smart products
On too many occasions we have seen botnets recruit millions of unsecured IoT devices simply because they are using a default password that owners either have not changed or did not know how to change.
The notorious Mirai botnet, for instance, which launched devastating distributed denial-of-service (DDoS) attacks, was helped in its spread by its knowledge of the weak, commonly-used and default passwords found on a myriad of different IoT devices.
If your IoT device is using a default password then it might as well have no password at all.
In addition, the UK government proposals state that the intent is to also ban passwords which may be unique to a particular device but still present a risk because they are easy to guess.
Implement a means to manage reports of vulnerabilities
The good news is that responsible ethical security researchers find vulnerabilities in IoT devices and want to get them fixed, rather than exploit them for their own criminal gain.
The bad news is that it’s not always straightforward – and sometimes downright impossible – to work out how to contact a manufacturer to inform them of a security hole.
The DCMS proposal says it is essential for manufacturers of consumer IoT products to provide a “transparent route for external parties to report vulnerabilities and receive useful feedback.”
A normal way to achieve this would be for the manufacturer to provide a webpage on their website providing contact information such as an email address, phone number or a form, giving an indication of expected timescales for response.
Provide transparency on for how long, at a minimum, the product will receive security updates
When you buy an IoT product you don’t just expect it to work, you expect it to continue to work. And that means also receiving security and privacy updates to protect against vulnerabilities as they are discovered.
Knowing the minimum period of time for which a product will receive security updates helps the consumer make an informed choice about which IoT device to purchase.
There may be challenges as a “smart” household appliance, for instance, may be expected by consumers to have a much longer lifespan than a mobile phone.
The above requirements proposed by the UK Government and the NCSC aren’t particularly earth-shattering. And that’s actually a good thing. These are ideas that we have long known will help make IoT devices more secure, and although there is more to be done these go some way to making the IoT world a safer place.
Sadly, knowing that something is a good idea isn’t usually enough to get all manufacturers to do it. And that’s why the proposals also include suggestions for what penalties could be dished out to those who break the rules.
These include the forced recall of devices found to be insecure, and in the case of the worst offenders the temporary or even permanent ban of products from being sold in the UK.
Offending manufacturers could face financial penalties and devices could be confiscated and destroyed if they fail to properly meet security standards.
It’s worth remembering that at the moment all of the above are just proposals, and the guidelines have not been finalised by the UK Government. It says it would welcome feedback and evidence from the public to help shape its proposals. This can be completed via an online survey or by completing a feedback form and emailing a response to [email protected].
“This is a significant step forward in our plans to help make sure smart products are secure and people’s privacy is protected. I urge organisations to respond to these proposals so we can make the UK the safest place to be online with pro-innovation regulation that inspires consumer confidence in our tech products,” said Digital Infrastructure Minister Matt Warman. “People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cyber criminals.”
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.