
UK law seeks mandatory security standards for IoT


Fines of up to $13 million would apply to non-compliant manufacturers and distributors

Prajeet Nair (@prajeetspeaks) •
25 November 2021

Parliament is considering a bill that would impose minimum security requirements for IoT devices (Photo: ISMG)

Manufacturers, importers and distributors selling many types of internet-connected devices in Britain may soon have to adhere to a new set of cybersecurity standards.


The proposed new legislation, known as the Product Safety and Telecommunications Infrastructure Bill, would apply to a range of devices, including smartphones, televisions, speakers and toys.

Presented to Parliament on Wednesday, the bill seeks to enable “the government to ban universal default passwords, force companies to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in these products,” according to the Department for Digital, Culture, Media and Sport. The bill was developed by DCMS in collaboration with the UK’s national incident response team, the National Cyber Security Centre, which is part of the intelligence agency GCHQ.

The bill also includes a proposal to appoint a regulator to oversee compliance with the standards, backed by the power to fine violators up to £10 million ($13.3 million) or up to 4% of a company’s worldwide sales, whichever is greater.

“The regulator will also be able to issue notices to companies, requiring them to comply with security requirements, to recall their products or to stop selling or supplying them altogether. As new threats emerge or standards develop, ministers will have the power to further mandate the security requirements that companies must meet through secondary legislation,” DCMS says.

The bill further aims to facilitate the upgrading and sharing of infrastructure by telecommunications network operators, in order to accelerate the deployment of faster and more reliable broadband and mobile networks, the document said.

“The reforms will encourage faster and more collaborative negotiations with landowners hosting the equipment, to reduce cases of lengthy lawsuits that delay improvements in digital connectivity,” DCMS said.

Target: default passwords

Among the more stringent security standards the bill would impose on device manufacturers: prohibiting default passwords on devices; clearly informing customers how long the manufacturer will continue to provide security updates and fixes for a device; and providing a single point of contact through which security researchers and others can report any flaws or vulnerabilities they discover in these products.

The government says four out of five manufacturers of internet-connected devices are currently failing to implement reasonable and appropriate security measures.

Default passwords are a constant problem because many users are never prompted to change them to a unique password, says Trevor Morgan, product manager at Comforte AG, a data security company. As a result, many devices are easy for attackers to hijack, as they have done several times in the past, such as through the Mirai botnet.

“No one should miss the default passwords,” Morgan told Information Security Media Group. “All in all, anything like this UK bill that institutes common sense rules that vendors must follow and makes people more aware and engaged in cybersecurity is a welcome step towards a safer and more secure digital home.”

Under the proposed legislation, companies would be required to investigate all compliance failures, file statements of compliance and keep complete records. In addition, the law would apply both to physical stores and to online retailers importing technology into Britain. Retailers would also be prohibited from selling products that do not meet the minimum required security standards.

Mandatory security by design

If the bill is approved by both Houses of Parliament and receives Royal Assent, the government would provide at least 12 months’ notice to allow manufacturers, importers and distributors to adjust their business practices before the legislative framework comes into full force.

Many security researchers have long urged any company that develops technology to maintain a simple and reliable means for them to report any flaws they might find in its products. But according to a recent study by the IoT Security Foundation, up to 80% of organizations still don’t have a clear vulnerability disclosure policy, says Laurie Mercer, security engineer at the HackerOne bug bounty program. With the proposed legislation, “the simple act of having a process in place to identify, report and remediate vulnerabilities is going to be more than just good practice and rather a legal requirement,” he said. “We are coming to a point where security by design will be a mandatory requirement and not an afterthought.”

Working from home remains widespread

As most companies continue to support employees working from home, over their own home networks and in some cases on their own devices, all of which can connect to the corporate network, the security of home networks and devices is increasingly a business concern as well. A recent survey by the UK-based nonprofit Which? found that a home full of smart devices could be exposed to over 12,000 hacking or unknown scanning attacks from around the world in a single week.

“UK households have on average more than 10 different connected devices, from televisions to thermostats. While these products can bring enormous benefits and convenience to consumers, as homes become more and more connected, they can become a potential target for hackers,” according to the Which? report.

The proposed law would impose security requirements for a range of computer and home network products, said John Goodacre, director of the Digital Security by Design challenge led by government agency UK Research and Innovation.

“However, the policy accepts that vulnerabilities may still exist even in the best-protected consumer technologies, with security researchers routinely identifying security vulnerabilities in products,” Goodacre said. “In today’s world, we can only continue to correct these vulnerabilities once they are discovered, putting a bandage on the wound after the damage has already been done.”

Currently, manufacturers of digital technology products are required to comply with safety regulations that prohibit their devices from causing physical harm to people, such as through overheating, sharp components or electric shock. However, no regulations protect individuals against poor information security controls or against breaches resulting from the use of such devices, says Gerhard Zehethofer, vice president of IoT at ForgeRock, an identity and access management software company.

“Common sense fixes like banning default passwords and encouraging manufacturers to stay on top of security updates and vulnerabilities will help protect consumers and their data, building the trust and confidence the IoT market needs to reach its full potential,” he said.

Legislation: Opportunities and Limits

The bill would help solve another problem: a widespread lack of cybersecurity awareness among non-technical users, says George Papamargaritis, MSS director of cybersecurity firm Obrela Security Industries.

“Many consumers are completely unaware of the risks that smart devices can present and often connect them to their homes without any consideration for security. However, research has shown that attackers use smart technology as a gateway to home networks, to spy on Internet activity, steal confidential information and, in some cases, even identities,” says Papamargaritis. “The fact that this new law bans default passwords is a huge step forward and will encourage device manufacturers to consider security before bringing products to market, otherwise they could face fines that would be destructive for their business.”

But the proposed law is still being debated in Parliament and faces an uncertain future, said Alan Calder, CEO of software company GRC International Group.

“The problem is, for all those software areas where we already have each of the three items identified for action – no default passwords, vulnerability disclosure, and an identified support lifespan – we also have a widespread failure to exploit them to improve cybersecurity,” Calder says. “The cybersecurity industry goes to great lengths to get organizations to use strong passwords, patch vulnerabilities, and update unsupported software, but a significant number of organizations, most of which have IT and security teams, ignore the warnings.”

It remains to be seen whether this new legislation would encourage more organizations to take security more seriously, says Andy Norton, Cyber Risk Manager at Armis. “There’s not much legislation can do,” he says.

But as Parliament now considers the bill, many experts say the basic common sense principles it calls for would at least be a welcome boost.