The UK government has proposed an IoT device labelling scheme to ensure that consumers are aware of a product’s security features at the point of purchase.
In addition, the government has published its Secure by Design review, which lays out plans to ensure that manufacturers embed security in the design process rather than bolt them on as an afterthought.
The initiative forms part of the UK government’s five-year, £1.9 billion National Cyber Security Strategy.
The review, developed in collaboration with manufacturers, retailers, and the National Cyber Security Centre (NCSC), comes after a number of high-profile breaches of connected devices, including attacks on smart watches, CCTV cameras, and even children’s dolls.
Several reports have been critical of IoT security, suggesting that manufacturers are ignoring basic safety measures to rush devices to market before their competitors, while another has found privacy and security flaws in many popular smart home devices.
Internet of Business’ recent coverage includes the following news reports:
Read more: Alexa beware! New smart home tests reveal serious privacy flaws
Read more: Vendors, users ignoring IoT security in rush to market – report
Read more: IoT ramps up cyber security risk, says in-depth report
With an estimated 15 internet-connected devices for every household in the UK by 2020, there could be 420 million in use in homes across the country within three years, meaning both an increased attack surface and a higher chance that insecure devices will be targeted.
Worldwide, IoT connections have been estimated at 20 billion by 2020, while Dell EMC CEO Michael Dell said last October that, “we’ll soon have 100 billion connected devices, and then a trillion, and we will be awash in rich data”.
A national problem
To avoid being awash with security risks, too, the government has outlined the practical steps that IoT companies should take. These include ensuring that every password on a new device or product is unique to that unit, and cannot be reset to a universal factory default such as ‘admin’ that is shared across a whole product line.
Manufacturers should also publish a vulnerability disclosure policy and a public point of contact, so that security researchers and others can report problems as soon as they find them, it says.
The review urges that any sensitive data transmitted by devices or apps should be encrypted, and that software should be updated automatically, with clear guidance to customers on each update. This report reveals that this isn’t the case with some popular brands and devices.
Manufacturers must make it easy for consumers to delete personal data from devices and apps, and ensure that the installation and maintenance of the devices is simple.
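The password rule above is the one point in the review that maps directly onto firmware design, so here is an added example (written for this article, not code from the government review or from any manufacturer) that contrasts a product line shipping a universal ‘admin’/‘admin’ credential with one that provisions a unique per-unit credential at the factory, stores it only as a salted hash, and restores that per-unit value (never a shared default) on factory reset. The class names, the `audit_fleet` check and the small list of well-known defaults are assumptions made for illustration.

```python
"""Per-device credentials vs. a universal factory default (illustrative model, not real firmware)."""
import hashlib
import hmac
import os
import secrets
import string

# Constructed sample of universal defaults an auditor would refuse to ship with (assumption).
UNIVERSAL_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "1234")}
PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class InsecureDevice:
    """'Before': every unit leaves the factory as admin/admin and a reset puts it back."""

    def __init__(self) -> None:
        self.username, self.password = "admin", "admin"

    def factory_default(self) -> tuple[str, str]:
        return ("admin", "admin")

    def factory_reset(self) -> None:
        self.username, self.password = self.factory_default()

    def login(self, username: str, password: str) -> bool:
        return (username, password) == (self.username, self.password)


class SecureDevice:
    """'After': a random credential generated per unit at manufacture (the value a
    manufacturer would print on the unit's label), stored only as a salted hash."""

    _ALPHABET = string.ascii_letters + string.digits

    def __init__(self, serial: str) -> None:
        self.serial = serial
        # Unique per unit; the factory records it for the label, the device keeps only a hash.
        self.label_password = "".join(secrets.choice(self._ALPHABET) for _ in range(16))
        self._set_hash(self.label_password)

    def _set_hash(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(password, self.salt)

    def factory_default(self) -> tuple[str, str]:
        return ("admin", self.label_password)

    def login(self, username: str, password: str) -> bool:
        if username != "admin":
            return False
        return hmac.compare_digest(_hash_password(password, self.salt), self.pw_hash)

    def set_password(self, old: str, new: str) -> bool:
        """Owner-initiated change; requires the current credential."""
        if not self.login("admin", old) or len(new) < 12:
            return False
        self._set_hash(new)
        return True

    def factory_reset(self) -> None:
        # Restores this unit's own label credential, not a value shared by every unit.
        self._set_hash(self.label_password)


def audit_fleet(devices) -> list[str]:
    """Flag any unit whose factory credential is a universal default or is shared with another unit."""
    problems: list[str] = []
    seen: dict[tuple[str, str], int] = {}
    for index, device in enumerate(devices):
        cred = device.factory_default()
        if cred in UNIVERSAL_DEFAULTS:
            problems.append(f"unit {index}: universal default {cred[0]}/{cred[1]}")
        if cred in seen:
            problems.append(f"unit {index}: same credential as unit {seen[cred]}")
        seen.setdefault(cred, index)
    return problems


if __name__ == "__main__":
    print(audit_fleet([InsecureDevice(), InsecureDevice()]))
    print(audit_fleet([SecureDevice("SN-0001"), SecureDevice("SN-0002")]))
```

Running the audit over two units of each design shows the point of the rule: the insecure line is reported for both a universal default and for two units sharing one credential, while the secure line passes because each unit's label credential is distinct and the reset path cannot be abused to return it to ‘admin’.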
“We want everyone to benefit from the huge potential of internet-connected devices, and it is important they are safe and have a positive impact on people’s lives,” said Margot James, Minister for Digital and the Creative Industries.
“We have worked alongside industry to develop a tough new set of rules, so strong security measures are built into everyday technology from the moment it is developed,” she added.
“This will help ensure that we have the right rules and frameworks in place to protect individuals and that the UK continues to be a world-leading, innovation-friendly digital economy.”
The cost challenge
NCSC technical director Dr Ian Levy said that he hoped that the main legacy of the review would be a government ‘kitemark’ that clearly explains the security promises and effective lifespan of products.
“Shoppers should be given high-quality information to make choices at the counter. We manage it with fat content in food, and this is the start of doing the same for the cyber security of technology products,” he said.
Graeme Wright, CTO for manufacturing, utilities, and services at Fujitsu UK, explained that a key reason for IoT devices not being as secure as other devices is the cost. “Often security risks are down to cost, as devices capable of connecting to the internet are usually cheap to develop and even cheaper to sell at scale,” he said.
“In recent years, we’ve seen how cheap drones, and home automation devices like smart lightbulbs, don’t undergo the rigorous development cycles usually expected with best practice.”
In such an environment, security becomes an expensive afterthought, he suggested.
“The risk of not owning a house alarm is not worth considering when the alarm is protecting everything you own,” he added. “The same can be said for IoT devices: good coding practices, non-hardcoded passwords, and regular firmware or device upgrades can help encourage a more open approach to security, instead of cutting costs to create better sales margins at the cost of consumers’ security.”
Internet of Business says
One of our recent reports on IoT security found that the challenge isn’t only limited to manufacturers who lack a credible track record in enterprise-grade security. Many IoT users – including in medium to large organisations – seem to have a lax attitude to the problem as well. The report found that while many enterprises have either been successfully attacked via IoT devices, or expect to be, only a small minority see IoT security in itself as being very important.
The fact that both home and enterprise IoT devices may be connected to critical systems, and even to the data centre, suggests that many IT professionals need to be better educated about the threat. Part of the challenge is that while an attack on a specific organisation’s smart lightbulbs or HVAC systems might seem implausible – if far from impossible – a broad-spectrum attack on specific device types around the world would be a different matter.