IoT Cyber Security Set To Tighten

Most devices we buy nowadays can connect to the internet. Research has indicated that there will be 75 billion devices in home around the world by the end of 2025.

Smart TVs, cameras, washing machines, household assistants, the list is starting to become endless. However, these internet of things (IoT) can pose a serious threat, as they tend to be an open gateway for cyber criminals to infiltrate your home.

This is all set to change as on Monday 27th January 2020, Digital Minister Matt Warman announced that a new law will come into force, protecting millions of users who use internet-connected household devices.

The plans are set to be drawn up by the Department for Digital, Culture, Media and Sport (DCMS), and will deliver a set of security requirements that all consumer smart devices sold in the UK must adhere to.

These requirements are:

  • All consumer internet-connected device passwords mist be unique and not resettable to any universal factory setting
  • Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
  • Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online

Matt Warman, Digital Minister, said:

“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology.

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety.

“It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”

The National Cyber Security Centre (NCSC) worked alongside the business industry to create and set a new standard for best practice requirements for companies that manufacture and sell IoT products.

Nicola Hudson, Policy and Communications Director at the NCSC, said:

“Smart technology is increasingly central to the way we live our lives, so the development of this legislation to ensure that we are better protected is hugely welcomed.

“It will give shoppers increased peace of mind that the technology they are brining into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past.”

This isn’t the first time the Government has tried to tighten the security side of IoT devices. In 2018, they produced the Secure by Design Code of Practice which advocated for stronger cyber security measures to be built into products at the design stage. This code was backed by Centrica Hive, HP Inc Geo and Panasonic.

The Government is working with international partners to ensure that the guidelines drive a consistent, global approach to IoT security. This includes a partnership with standards bodies.

In February 2019 ETSI, a global standards organisation published the first globally-applicable industry standard on consumer IoT security, which is based on the UK Government’s Code of Practice.

Matthew Evans, Director of Markets, techUK said:

“Consumer IoT devices can deliver real benefits to individuals and society but techUK’s research shows that concerns over poor security practices act as a significant barrier to their take-up. techUK is therefore supportive of the Government’s commitment to legislate for cyber security to be built into consumer IoT products from the design stage.

“techUK has been working on these three principles for the past four years. We support the work to ensure that they are consistent and are influencing international standards.

“We look forward to working closely with Government and industry to ensure the implementation of the legislation provides protection for consumers whilst continuing to promote innovation within the IoT sector.”

John Moor, Managing Director, IoT Security Foundation said:

“Over the past five years, there has been a great deal of concern expressed toward vulnerable consumers and inadequate cybersecurity protection. Understanding the complex nature of IoT security and determining the minimum requirements has been a challenge, yet, after a thorough and robust consultation, those baseline requirements have now been universally agreed.

“The IoT Security Foundation welcomes the results of the consultation as it not only provides clarity for industry, it is great news for consumers and bad news for hackers.