UK Government releases voluntary Code of Practice for IoT devices and service providers

Luana PASCU

October 16, 2018


The Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) in the UK have released a voluntary Code of Practice that applies to device manufacturers, retailers, IoT service providers and mobile application developers.

This is a positive sign that the security industry is not the only entity aiming to make consumers safer. By making their homes smart, users want an easier life, not a more stressful environment that would expose their privacy to hackers.

The UK government has understood the risks posed by vulnerable connected devices such as connected children’s toys and baby monitors, smart smoke detectors and door locks, smart cameras, TVs and speakers, wearables that are now widely used in healthcare, connected home automation and alarm systems, home appliances such as washing machines and fridges, and smart home assistants. The guidelines also address digital services coupled with IoT devices, such as mobile applications, cloud computing and storage, and third-party APIs.

“As people entrust an increasing amount of personal data to online devices and services, the cybersecurity of these products is now as important as the physical security of our homes,” reads the document. “The aim of this Code of Practice is to support all parties involved in the development, manufacturing, and retail of consumer IoT with a set of guidelines to ensure that products are secure by design and to make it easier for people to stay secure in a digital world.”

The Code of Practice suggests 13 guidelines for manufacturers to ensure the safety of their devices and the privacy of the consumer:

  1. No default passwords;
  2. Enforce a vulnerability disclosure policy with a public point of contact;
  3. Regularly update software and deliver security patches over a secure channel;
  4. Credentials and security-sensitive data should be stored securely;
  5. Secure machine-to-machine communication through transit encryption;
  6. Minimize exposed attack surfaces;
  7. Ensure software integrity;
  8. Personal data protection in accordance with current regulation;
  9. Build resilience into IoT devices by taking into consideration power outages and outages of data networks;
  10. Monitor system telemetry data for security anomalies;
  11. Let consumers easily delete personal data from services, devices and applications;
  12. Minimal effort for consumers to install and maintain devices to prevent issues caused by confusion or misconfiguration;
  13. Validate data input.

This is a great step the UK has taken to protect user privacy and safety, and to possibly reduce DDoS attacks through IoT botnets.

HP Inc and Centrica Hive are among manufacturers that welcomed the Code of Practice and plan to support it.

Earlier this year, the two organizations released a Secure by Design study, urging manufacturers to consider security from as early as the design process.

Author


Luana PASCU

After having addressed topics such as NFC, startups, and tech innovation, she has now shifted focus to internet security, with a keen interest in smart homes and IoT threats.
