The UK Is Working on IoT Security Requirements

Experts have been beating the drum for years about the poor state of security in Internet of Things devices. It took a while for lawmakers to hear them, but they’ve now taken some steps to respond, with the U.K. being the latest to pay attention to the matter.

Early thus month, the U.K. government started an open consultation on “regulatory proposals regarding consumer Internet of Things (IoT) security.” Stakeholders, experts and the National Security Center (NCSC) are part of this endeavor to ensure that smart devices for consumers come with baseline security straight from the manufacturer.

The goal is to make mandatory in the U.K. a set of three requirements that would establish a minimum security standard in smart devices. The norm refers to shipping the products with better passwords, making available contact details to report vulnerabilities, and details about the product’s expiration date.

When the requirements become mandatory, new smart gadgets in the UK should have unique passwords that cannot be “resettable to any universal factory default value.” This is important because most users don’t change the default credentials and hackers know it, so they try the factory logins first.

A second point is that manufacturers have a vulnerability disclosure policy and a point of contact for researchers to send details about vulnerabilities. Currently, researchers often disclose security issues publicly because they could not find a way to contact the maker and alert them to the issues.

IoT manufacturers would also be expected to inform customers how long a product will receive security updates. This will help users choose a device that meets their needs and anticipate how long they can rely on it to receive mitigations.

Labels on the package of a product meeting these three requirements would indicate the last date it will receive security updates and state whether the device comes with built-in essential security features.

Among arguments for the proposal are the privacy and safety risks consumers are exposed to when using IoT products that lack even a basic layer of security provisions but also the threat to the wider economy; the ripples of a compromised device are not confined to its network and can reach external entities via distributed denial-of-service (DDoS) attacks.

Another catalyst for these efforts is a survey indicating that consumers expect devices to come with built-in security. This is not the case at the moment, and the packaging gives buyers no idea how secure a smart gadget is.

Image credit: gov.uk