UK proposes IoT and consumer smart devices security guidelines
This article originally appeared on EdgeIR.com.
Shortly after California became the very first U.S. state to introduce a law addressing IoT security, the U.K. is now looking into similar laws to safeguard business infrastructures and consumer networks, according to ZDNet, probably bringing even more regulatory and compliance confusion into vendors’ lives.
After countless security breaches in recent years, it is no surprise that governments are becoming more aware of the threat landscape and of the vulnerabilities in connected devices. Whether the problem is default factory credentials that can't be changed or open ports left behind because the manufacturer rushed the product to market, even the fact that proposals are being put forward is a major win. More concerning is that manufacturers still release devices without built-in security, because security by design is not always treated as a priority. This is also why the market is flooded with devices that have probably not received patches or security updates from their manufacturers in years.
“Over the past five years, there has been a great deal of concern expressed toward vulnerable consumers and inadequate cybersecurity protection,” said John Moor, managing director of the IoT Security Foundation. “Understanding the complex nature of IoT security and determining the minimum requirements has been a challenge, yet, after a thorough and robust consultation, those baseline requirements have now been universally agreed.”
In 2018, the U.K. government introduced the Secure by Design Code of Practice for consumer IoT security, which pushed for more robust by-design cybersecurity measures in smart devices. The decision was supported by Centrica Hive, HP Inc, Geo and Panasonic.
Later, in February 2019, the European Telecommunications Standards Institute (ETSI) released the first global industry standard for consumer IoT security, which builds on the aforementioned Code of Practice.
U.K.’s Department for Culture, Media and Sport joined forces with the National Cyber Security Centre to introduce measures later evaluated by security industry experts, product manufacturers, and retailers.
“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology,” said Digital Minister Matt Warman in a prepared statement. “Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers from threatening people’s privacy and safety. It will mean robust security standards are built-in from the design stage and not bolted on as an afterthought.”
As with the California cybersecurity law, IoT and consumer smart devices will have to comply with a set of baseline governmental security requirements. First, in the U.K. scenario, vendors that want to keep selling their IoT devices in the kingdom will have to ensure that passwords are unique and that customers will not be able to reset the devices to default factory settings.
The other key rules address manufacturers. They will have to designate a public point of contact so that people can report vulnerabilities and have them dealt with promptly, and they will have to publicly declare at the point of sale, regardless of purchasing channel, how long the device will receive security updates, so that buyers understand what to expect from the product's security in the long run.
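The three requirements above (per-unit passwords that cannot be reverted to a shared default, a public vulnerability disclosure contact, and a declared security-update period) are concrete enough to audit automatically. The following Python checker is an added example, not code from the article or from any government or manufacturer: it runs the three rules over a constructed batch of device records. The record fields, the 12-character minimum length and the list of common default passwords are assumptions made for the example; the proposal itself sets no such figures.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed list of widely reused default credentials; illustrative only,
# a real audit would use a curated list of known manufacturer defaults.
COMMON_DEFAULTS = {"admin", "password", "12345678", "1234", "default", "root"}
# Assumed minimum length for a per-unit factory password (the proposal sets no figure).
MIN_PASSWORD_LEN = 12


@dataclass
class DeviceRecord:
    """One manufactured unit, as a hypothetical vendor database might describe it."""
    model: str
    serial: str
    factory_password: str
    resettable_to_default: bool           # can a factory reset restore a shared default password?
    vuln_contact: str                     # public disclosure mailbox or URL; "" if none is published
    update_support_until: Optional[date]  # end of the declared security-update period, None if undeclared


def check_batch(devices: List[DeviceRecord], today: date) -> Dict[str, List[str]]:
    """Map each serial number to the list of baseline rules it fails (empty list = passes)."""
    # Password uniqueness has to be judged across the whole batch, not per device.
    password_counts = Counter(d.factory_password for d in devices)
    findings: Dict[str, List[str]] = {}
    for d in devices:
        issues: List[str] = []
        pw = d.factory_password
        # Rule 1: unique credentials that cannot be reverted to a shared default.
        if password_counts[pw] > 1:
            issues.append("factory password shared with other units")
        if pw.lower() in COMMON_DEFAULTS:
            issues.append("factory password is a common default")
        if len(pw) < MIN_PASSWORD_LEN:
            issues.append(f"factory password shorter than {MIN_PASSWORD_LEN} characters")
        if d.resettable_to_default:
            issues.append("device can be reset to a default password")
        # Rule 2: a public point of contact for vulnerability reports.
        if not d.vuln_contact.strip():
            issues.append("no public vulnerability disclosure contact")
        # Rule 3: a declared security-update period that has not already lapsed.
        if d.update_support_until is None:
            issues.append("security update period not declared")
        elif d.update_support_until <= today:
            issues.append("declared security update period has already ended")
        findings[d.serial] = issues
    return findings


def compliant_serials(findings: Dict[str, List[str]]) -> List[str]:
    """Serial numbers that pass every rule, sorted for stable output."""
    return sorted(serial for serial, issues in findings.items() if not issues)


# Constructed sample batch: two units sharing a classic default, one clean unit,
# and one whose declared update period has already expired.
SAMPLE_DEVICES = [
    DeviceRecord("Cam-X", "SN-0001", "admin", True, "", None),
    DeviceRecord("Cam-X", "SN-0002", "admin", False, "security@example.com", date(2026, 6, 1)),
    DeviceRecord("Cam-X", "SN-0003", "k7Qp-2mZx-9vLw-4Rt", False, "https://example.com/security", date(2027, 1, 1)),
    DeviceRecord("Cam-X", "SN-0004", "Hq8s-Lm2v-Bx7r-Tn4c", False, "security@example.com", date(2019, 12, 31)),
]
SAMPLE_TODAY = date(2020, 1, 30)  # constructed audit date

if __name__ == "__main__":
    for serial, issues in check_batch(SAMPLE_DEVICES, SAMPLE_TODAY).items():
        print(f"{serial}: {'PASS' if not issues else 'FAIL'}")
        for issue in issues:
            print(f"  - {issue}")
```

The shared-password check is deliberately done over the batch rather than per device, because a password that looks strong in isolation still violates the "unique per device" rule if every unit ships with it; the common-default list and the expired-support check catch the two failure modes the article calls out, pre-set passwords and silently discontinued updates.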
“Smart technology is increasingly central to the way we live our lives, so the development of this legislation to ensure that we are better protected is hugely welcomed,” said in a prepared statement Nicola Hudson, Policy and Communications Director at the NCSC. “It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past.”
These rules are still at the proposal stage, but the government is determined to regulate this gray area once and for all, albeit without yet stating a clear timeframe. If the new law passes, companies found in violation of the requirements will probably have to say goodbye to the U.K. market and take their business elsewhere.
“Rather than relying on passwords alone, manufacturers of smart goods must look to include biometric fingerprint sensors into connected devices themselves and keep the user’s digital identity locally stored in a secure element, not in a central database. The only person who can authenticate an action, permission or transaction, where biometrics are involved, is the person whose fingerprint has been directly enrolled on to the device itself. This means locally-stored biometric data are virtually impossible for criminals to hack or intercept,” Orme explained.
“Biometrics can then be used to authenticate transactions initiated via connected devices to ensure children or friends aren’t ordering goods on your behalf without your knowledge. Biometric authentication will also end the concerns people currently have about the implications of devices being lost, stolen or even hacked. Using biometrics to authenticate smart devices gives users the confidence to enjoy a truly personalized and secure IoT experience,” he added.
OneLogin’s VP of solution engineering, Stuart Sharp, believes the proposed measures are a good step but still don’t address the critical problem, which is the lack of “well established and scrutinized protocols such as SAML, OAuth and OIDC” for authentication in IoT devices. “The proposed regulations do nothing to ensure that the mechanisms underpinning IoT communication are secure,” Sharp said.
Taking their business to other markets might prove challenging, though, because the European Union Agency for Cybersecurity (ENISA) is considering IoT legislation to deploy across the Union. The EU Cybersecurity Act establishes a Union-wide cybersecurity certification framework for digital products, services and processes. The agency aims to boost cooperation among member states when they need help addressing cybersecurity incidents, large-scale cross-border cyber-attacks and crises.