IoT security: Government unveils Code of Practice – but it’s voluntary
Internet of Business says

The UK government has launched a new voluntary Code of Practice for the manufacturers of Internet of Things devices, with the aim of securing the consumer IoT.

The Code is designed to ensure that devices such as home hubs, smart kitchen appliances, security cameras, wearables, and connected toys are secured against external attack and data breaches.

This latest move from the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) follows their joint Secure by Design review earlier this year, which sought to embed security in the design process of new technologies.

The Code says, “As people entrust an increasing amount of personal data to online devices and services, the cybersecurity of these products is now as important as the physical security of our homes.

“The aim of this Code of Practice is to support all parties involved in the development, manufacturing, and retail of consumer IoT with a set of guidelines to ensure that products are secure by design and to make it easier for people to stay secure in a digital world.”

The Code of Practice

The new guidelines – which were first published in draft form in March – set out thirteen steps that manufacturers of consumer devices should follow when designing IoT products.

These are:

1. No default passwords

All IoT device passwords should be unique and not resettable to any universal factory default value.

Many IoT devices are sold with universal default usernames and passwords (such as ‘admin, admin’) which manufacturers expect consumers to change – but the majority don’t. This has been the source of many security problems in the IoT to date and the practice needs to be eliminated, says the government.

2. Implement a vulnerability disclosure policy

All companies that provide connected devices and services should have a public point of contact as part of their vulnerability disclosure policy, in order that security researchers and others are able to report problems.

Companies should also continually monitor for, identify, and rectify security vulnerabilities within their own products and services as part of a product’s security lifecycle, adds the government.

Vulnerabilities should be reported directly to the affected stakeholders. Companies are also encouraged to share information with competent industry bodies.

3. Keep software updated

Software components in internet-connected devices should be securely updateable, with updates timely and not impacting on the functioning of the device, says the Code.

More, an end-of-life policy should be published for endpoint devices that explicitly states the minimum length of time for which a device will receive software updates – and the reasons for the length of this support period.

The need for each update should be made clear to consumers and it should be easy to implement. For constrained devices that cannot physically be updated, the product should be “isolatable and replaceable”.

4. Securely store credentials and security-sensitive data

Any credentials should be stored securely within services and on devices. Hard-coded credentials in device software are “not acceptable”, says the government.

This is an important step, as the reverse-engineering of devices and applications can easily discover credentials such as hard-coded usernames and passwords.

Security-sensitive data that should be stored securely includes: cryptographic keys, device identifiers, and initialisation vectors. Secure, trusted storage mechanisms should be used, such as those provided by a Trusted Execution Environment, advises the government.

5. Devices should communicate securely

Security-sensitive data, including remote management and control, should be encrypted in transit. All keys should be managed securely.

The use of open, peer-reviewed internet standards is strongly encouraged, adds the government.

6. Minimise exposed attack surfaces

All IoT devices and services should operate on the ‘principle of least privilege’. Unused ports should be closed, hardware should not unnecessarily expose access, services should not be available if they are not being used, and code should be minimised to the functionality necessary for a service to operate.

7. Ensure software integrity

Software on IoT devices should be verified using secure boot mechanisms. If an unauthorised change is detected, the device should alert the consumer/administrator to a problem and should not connect to wider networks than those necessary to issue the alert.

The ability to recover from these situations remotely should rely on a known good state to enable the safe recovery and updating of the device.

This will avoid denial of service and costly recalls or maintenance visits, says the government, while minimising the risk of potential device takeover by an attacker subverting network communications.

8. Ensure that personal data is protected

Where devices and/or services process personal data, they shall do so in accordance with applicable data protection laws, such as Europe’s General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018.

Device manufacturers and IoT service providers should provide consumers with clear and transparent information about how their data is being used, by whom, and for what purposes. This also applies to any third parties that may be involved – including advertisers.

9. Make systems resilient to outages

Resilience should be built in to IoT devices and services, taking into account the possibility of network and power outages.

Where reasonably possible, IoT services should remain operating and locally functional in the case of a loss of network and should recover cleanly where there has been a loss of power. Devices should be able to return to a network in a sensible state and in an orderly fashion, rather than in a “massive-scale reconnect”, says the government.
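The "massive-scale reconnect" the Code warns about is a thundering-herd problem: a fleet that loses power together comes back together. One defensive pattern is to derive a per-device offset for the first reconnect and use jittered exponential backoff for retries. This is an added illustration, not code from the Code of Practice or any manufacturer; the fleet size, window and delay constants are constructed for the example.

```python
import hashlib
import random

# Constructed parameters: a fleet of 10,000 devices that all regain power at once.
FLEET_SIZE = 10_000
BASE_DELAY_S = 5.0       # first retry after a failure no sooner than this
MAX_DELAY_S = 600.0      # cap on exponential backoff
SPREAD_WINDOW_S = 300.0  # initial reconnects are spread across this window


def initial_reconnect_delay(device_id: str, window_s: float = SPREAD_WINDOW_S) -> float:
    """Deterministic per-device offset in [0, window_s) derived from the device id.

    Deterministic so the device needs no stored state, uniform so a fleet that
    restarts together spreads its first reconnects evenly over the window.
    """
    digest = hashlib.sha256(device_id.encode()).digest()
    fraction = int.from_bytes(digest[:8], "big") / 2 ** 64
    return fraction * window_s


def backoff_delay(attempt: int, rng: random.Random,
                  base: float = BASE_DELAY_S, cap: float = MAX_DELAY_S) -> float:
    """'Full jitter' exponential backoff for retries after a failed reconnect:
    uniform in [0, min(cap, base * 2**attempt)], so retries never synchronise."""
    upper = min(cap, base * (2 ** attempt))
    return rng.uniform(0.0, upper)


def peak_reconnects_per_second(device_ids, window_s: float = SPREAD_WINDOW_S) -> int:
    """Worst-case number of first reconnects landing in any single second."""
    buckets = {}
    for dev in device_ids:
        sec = int(initial_reconnect_delay(dev, window_s))
        buckets[sec] = buckets.get(sec, 0) + 1
    return max(buckets.values())


if __name__ == "__main__":
    ids = [f"device-{i:05d}" for i in range(FLEET_SIZE)]
    print("peak first-reconnects in one second:", peak_reconnects_per_second(ids))
    print("retry delays:", [round(backoff_delay(a, random.Random(7)), 1) for a in range(6)])
```

Without the offset every one of the 10,000 devices would hit the service in the same second; with it the peak is a few dozen per second across the five-minute window.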

10. Monitor system telemetry data

If telemetry data is collected from IoT devices and services, such as usage and measurement data, it should be monitored for security anomalies.

Monitoring telemetry, including log data, is useful for security evaluation and allows for unusual circumstances to be identified early and dealt with, minimising security risks and allowing the quick mitigation of problems.
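A concrete form of the monitoring described above, tied to the DDoS concern raised later in the article: compare each device's current outbound-connection count against its own recent baseline and flag outliers. This is an added example, not code from the Code of Practice or any vendor; the telemetry records are constructed (the camera's final interval is deliberately anomalous).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry: (device_id, interval, outbound connections opened in that interval).
TELEMETRY = [
    ("cam-001", 1, 12), ("cam-001", 2, 11), ("cam-001", 3, 14),
    ("cam-001", 4, 13), ("cam-001", 5, 12), ("cam-001", 6, 950),
    ("hub-042", 1, 30), ("hub-042", 2, 28), ("hub-042", 3, 33),
    ("hub-042", 4, 31), ("hub-042", 5, 29), ("hub-042", 6, 32),
]


def flag_anomalies(records, history=5, z_threshold=4.0, min_stdev=1.0):
    """Return (device, interval, value, z) for intervals whose value deviates
    from the device's own baseline by more than z_threshold standard deviations.

    The baseline is the first `history` intervals per device. `min_stdev`
    floors the spread so a device with a perfectly flat history still gets a
    sane threshold instead of a division by zero.
    """
    by_device = defaultdict(list)
    for dev, interval, value in sorted(records, key=lambda r: (r[0], r[1])):
        by_device[dev].append((interval, value))

    flagged = []
    for dev, series in by_device.items():
        baseline = [v for _, v in series[:history]]
        if len(baseline) < history:
            continue  # not enough history yet to judge this device
        mu = mean(baseline)
        sigma = max(pstdev(baseline), min_stdev)
        for interval, value in series[history:]:
            z = (value - mu) / sigma
            if abs(z) > z_threshold:
                flagged.append((dev, interval, value, round(z, 1)))
    return flagged


if __name__ == "__main__":
    for dev, interval, value, z in flag_anomalies(TELEMETRY):
        print(f"ALERT {dev}: {value} outbound connections in interval {interval} (z={z})")
```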

11. Make it easy for consumers to delete personal data

Devices and services should be configured so that personal data can easily be removed from them when there is a transfer of ownership, when the consumer wishes to delete it, and/or when the consumer wishes to dispose of the device.

Consumers should be given clear instructions on how to delete this data, says the government.

12. Make installation and maintenance of devices easy

Installation and maintenance of IoT devices should employ minimal steps and follow security best practice on usability. Consumers should also be provided with guidance on how to securely set up their device.

13. Validate input data

Finally, data input via user interfaces (and transferred via APIs or between networks in services and devices) should be validated.

Supporting the Code

The government says that implementing these guidelines will “contribute to protecting consumers’ privacy and safety, while making it easier for them to use their products securely”. It will also mitigate against the threat of Distributed Denial of Service (DDoS) attacks that are often launched from poorly secured IoT devices and services.

A number of IoT manufacturers, such as HP Inc and Centrica Hive, have already committed to supporting the Code of Practice.

Minister for Digital, Margot James, hailed the news, saying, “The UK is taking the lead globally on product safety and shifting the burden away from consumers having to secure their devices.

“The pledges by HP Inc. and Centrica Hive are a welcome first step, but it is vital other manufacturers follow their lead to ensure strong security measures are built into everyday technology from the moment it is designed.”

Alex Neill, Which? managing director of Home Products and Services, added: “We welcome the government taking a lead in tackling the growing issue of security in internet-connected products. Manufacturers of these smart devices must now show they are taking security seriously and sign up to the Code to better protect consumers who use their products every day.”

Why is the Code not mandatory?

However, some security experts have questioned why the Code is voluntary, with the government itself saying that the guidelines are “outcome-focused, rather than prescriptive”, giving organisations the “flexibility to innovate and implement security solutions appropriate for their products”.

Andy Kays, CTO of cybersecurity company Redscan, warned that small manufacturers will flout the new rules. “To have a real positive impact we need to ensure that there is improved cooperation on a global level and do more to help organisations prioritise security across the complete development lifecycle,” he said.

“Right now, cybersecurity is often last in a long list of some manufacturers’ priorities. New features and services are driving sales, not robustness. Manufacturers are selling prototypes as fully-fledged products to generate attention and get to market as quickly as possible.

“While it’s positive that some large technology companies have already announced their backing of the new Code, I suspect that smaller companies may be in less of a hurry to sign up.

“New manufacturers and start-ups don’t have the same level of brand equity as more established organisations, so there may be a tendency for them to take bigger risks in order to get products to market – and this can mean that cyber security risks are less of a concern.

“Retailers also need to do their part in helping to protect consumers by ensuring that they choose to stock products that meet recognised security standards.”

His comments were echoed by others in the industry. For example, John Sheehy, VP of strategy at IOActive, said, “While it’s certainly a step in the right direction, it’s unlikely that the industry will act upon it, given that it is voluntary.

“Unfortunately, many manufacturers of these devices are more concerned with getting a minimally viable product to market than whether or not it is secure. As a result, many IoT devices expose their owners to significant risks.”

Gary Cox, technology director at Infoblox, added, “More can – and should – be being done to protect businesses.

“Our recent report revealed over a third (35%) of companies in the US, UK and Germany reported more than 5,000 personal devices – ranging from smartphones to personal computers and laptops – connect to the corporate network each day, demonstrating the scale of the vulnerability.

“With security being costly, there’s a possibility more devices will connect to professional networks, increasing the risk that they’re used for ransomware, data exfiltration, and other forms of cyber-attack.

“To reduce the risk of hacks, breaches and misuse, organisations must take security more seriously and should build it into devices from the start, using intelligent DNS solutions at the centre of any defence strategy when identifying malicious communications within a network.”