Will the UK’s new IoT cybersecurity rules do enough?

The rules have been called “a good first step” but lack standardized protocols.
29 January 2020

‘Nest Hello lets you know who’s there, so you never miss a visitor or a package.’ Source: Shutterstock

As our personal lives are enhanced with greater connectivity – faster download speeds, more powerful smartphones, cloud-enabled apps – IoT devices are quickly extending beyond novelty factor, proving that cross-device connectivity really does have its perks. 

We can answer our door from work with Google Nest or ask Amazon Alexa for a new recipe, but all this ‘anytime, anywhere’ appeal must be weighed against an unfortunate reality – by connecting a multitude of often poorly configured devices to our personal networks we are rapidly expanding our cyber-attack surface.

Cybercriminals often seek access to devices to build powerful botnets with which to conduct DDoS attacks on online services, or to access personal information, but few recent cases have been as sinister as that of the attacker who hacked a Ring camera to taunt an 8-year-old girl during the Christmas holidays.

In-built security standards for IoT devices have historically been lax to the point that, in the US, even the FBI has warned that “your fridge and your laptop should not be on the same network.

“Keep your most private, sensitive data on a separate system from your other IoT devices,” it added.

As the number of connected devices proliferates within households and businesses, the UK – where 27 percent of consumers aren’t even aware of the security issue (Specops) – is taking steps to curb the IoT cybersecurity risk before it spirals out of control.

Under new government proposals, all Internet of Things and consumer smart devices will need to adhere to specific safety requirements. 

The measures, proposed jointly by the government’s Department for Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC), come as a result of consultations with information security experts, product manufacturers, retailers and others.

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,” said Matt Warman, Minister for Digital and Broadband at DCMS.

The intended legislation, which follows previously suggested (but unenforced) guidelines, would require IoT devices sold in the UK to follow three particular rules: 

  • All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting.
  • Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner.
  • Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online.

“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology,” said Warman. 

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”

Despite the announcement, no date has been given for when the rules would become enforceable – legislation would follow “as soon as possible,” the government said, pending further work alongside retailers and manufacturers.

However, the government has proposed that any products that don’t follow these rules could be banned from sale in the UK in due course, to “ensure that strong cybersecurity is built into these products by design,” said Warman.

Despite the show of intent, some commentators have said the move to enhance IoT security won’t address the root flaws with devices. Stuart Sharp, VP of Solution Engineering at OneLogin, said the move was a “welcome first step” but failed to address the core problem.

“For standard forms of authentication, there are well established and scrutinised protocols such as SAML, OAuth and OIDC. IoT lacks any such standards, and the proposed regulations do nothing to ensure that the mechanisms underpinning IoT communication are secure.”

According to a 2019 Smart Home Security Report by Avast, more than 40 percent of ‘digital households’ worldwide have at least one vulnerable device. Making matters worse, just one vulnerable device can put an entire home network at risk, and the most at-risk devices aren’t always the most obvious.

Two-thirds (67 percent) of Americans and 82 percent of Brits saw security cameras as the most vulnerable devices. However, research shows that these are some of the best equipped in terms of fighting off attacks.

Just 10.5 percent of respondents said smart hubs were among the most vulnerable to hacking but these have been shown to be some of the least secure – and can, of course, provide a gateway to other devices in a household.