UK Plans Stronger IoT Security Rules

Government proposes legislation for connected things

Last week, the UK government announced plans to introduce legislation designed to raise the security standards of consumer Internet of Things (IoT) products. The legislation would require all consumer smart devices sold in the UK, such as security cameras, TVs, wearable health trackers and connected appliances, to meet a set of basic security requirements. The proposed measures from the Department for Digital, Culture, Media & Sport have been developed in conjunction with the UK's National Cyber Security Centre and follow a period of consultation with information security experts, product manufacturers, retailers and others.

Until now, the government has encouraged industry to adopt a voluntary approach to security. It has now shifted its stance, saying that more decisive action is needed to ensure that strong cybersecurity is built into these products. Many manufacturers have not built even basic security into their devices, and compromises involving those devices have been a recurring result.

As smart products have become an integral part of our daily lives, there is a risk that a vulnerability exploited in one device could cause real harm to every other device on the same network. In other words, a chain is only as strong as its weakest link. This calls for urgent joint government and industry action. With the UK government taking consumer IoT security very seriously, it wants to move the burden away from consumers and instead ensure that strong cybersecurity is built into these products by design.

In early 2019, the UK government began an exercise to identify the best options to beef up cybersecurity for consumer IoT by exploring the potential impact of the growing popularity of connected devices and their lack of basic security features. After the initial review, the UK government stipulated that manufacturers adopt some basic tenets for these devices:

  • Set device passwords that are unique and not resettable to any universal factory setting
  • Provide a public point of contact as part of a vulnerability disclosure policy
  • Explicitly state the minimum length of time for which the device will receive security updates

There are many estimates for the number of connected devices worldwide as the market grows, with figures as high as 75 billion by 2025. The UK expects to have 10 to 15 devices per household in 2020. As these products become more popular, full market compliance with these three guidelines would give consumers protection against the most basic weaknesses, such as the shared factory-default passwords that the Mirai botnet exploited to mount its distributed denial-of-service attacks in October 2016.
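The first of the three requirements, and the Mirai example above, come down to one design decision: whether a unit ships with (and resets to) a credential shared by the whole product line, or generates its own. The following is an added illustration, not code from the UK proposal, the NCSC or any vendor's firmware. The class names, the audit functions and the list of reused default credentials are all constructed for the example; the credential list is a small illustrative sample, not an authoritative one.

```python
"""Shared factory default vs. per-device credential, side by side.

Added example; not code from the UK proposal or any vendor firmware.
Class names, audit helpers and the default-credential list below are
constructed for illustration.
"""
import secrets
import string

# Constructed sample of widely reused factory credentials of the kind
# Mirai brute-forced over telnet. Illustrative only, not an authoritative list.
KNOWN_DEFAULTS = frozenset({
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("root", "root"), ("root", "12345"), ("root", "admin"),
})

PASSWORD_ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 16  # 62 symbols ** 16 is roughly 95 bits of entropy


def generate_device_password(length=PASSWORD_LENGTH):
    """Return a fresh, cryptographically random password for one unit."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def is_universal_default(username, password):
    """True if the pair is one of the well-known shared factory credentials."""
    return (username, password) in KNOWN_DEFAULTS


class LegacyDevice:
    """The pattern the proposal rules out: every unit ships with, and a
    factory reset restores, the same hard-coded credential."""
    FACTORY_USER, FACTORY_PASS = "admin", "admin"

    def __init__(self, serial):
        self.serial = serial
        self.username, self.password = self.FACTORY_USER, self.FACTORY_PASS

    def factory_reset(self):
        # Wipes user config and reverts to the shared default (the weakness).
        self.username, self.password = self.FACTORY_USER, self.FACTORY_PASS


class CompliantDevice:
    """Each unit gets its own random credential, and a factory reset
    regenerates it rather than restoring a product-wide default."""

    def __init__(self, serial):
        self.serial = serial
        self.username = "admin"
        self.password = generate_device_password()

    def factory_reset(self):
        # Hypothetical product behaviour: the new password would be shown on
        # the device display or a per-unit label, never derived from a
        # value common to the whole product line.
        self.password = generate_device_password()


def audit_device(device):
    """Findings for one unit; an empty list means it passes the single-device check."""
    findings = []
    if is_universal_default(device.username, device.password):
        findings.append("credential is a known universal factory default")
    return findings


def audit_fleet(devices):
    """Audit each unit and also flag passwords that repeat across units.

    Returns {serial: [findings...]} containing only units with findings,
    so an empty dict means the fleet passes both checks."""
    findings = {}
    by_password = {}
    for device in devices:
        issues = audit_device(device)
        if issues:
            findings.setdefault(device.serial, []).extend(issues)
        by_password.setdefault(device.password, []).append(device.serial)
    for serials in by_password.values():
        if len(serials) > 1:
            for serial in serials:
                findings.setdefault(serial, []).append(
                    f"password shared with {len(serials) - 1} other unit(s)")
    return findings


if __name__ == "__main__":
    legacy = [LegacyDevice(f"L{i}") for i in range(3)]
    compliant = [CompliantDevice(f"C{i}") for i in range(3)]
    print("legacy fleet:", audit_fleet(legacy))
    print("compliant fleet:", audit_fleet(compliant))
```

The fleet-level check matters as much as the per-unit one: a password that is not on any default list but is identical on every unit is still a universal credential, which is exactly what the proposal's "unique" wording targets. In a real product the per-unit secret would be generated or injected at manufacture and only rotated on reset, but the property being tested is the same.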

The UK isn’t alone in attempting to secure IoT devices. The European Union Agency for Cybersecurity is working toward legislation in this area, and the US government is also looking to regulate IoT in an effort to protect against cyberattacks. From a manufacturer’s point of view, it would be costly if each country implemented its own regulations in this area, as there would be a patchwork of different rules around the globe. So, it’s good news that the UK government is also working with other international agencies to develop a global approach. However, it hasn’t yet stipulated a timeline for its own regulations to be implemented.

Of course, the new regulations will only apply to products going on sale once they take effect. Many consumers have already invested significant sums in connected things, and suppliers would do well, as part of their compliance approach, to let existing users know whether and how they plan to make those products more secure. The current spate of security problems with Amazon Ring devices will be a good and high-profile test case.