Today, the UK has announced new legislation aimed at protecting consumers who buy connected devices from hacking and other types of security risks. The law would require makers of Internet of Things devices to adhere to three security requirements, which frankly should be no-brainers but somehow aren’t.
The three requirements are:
- IoT manufacturers would have to ensure that all device passwords are unique and cannot be reset to a generic, universal factory setting.
- Companies would have to publicly provide a point of contact so that anyone—be they a developer or just a regular customer—can report bugs. The law also notes that any reported vulnerability will have to be “acted on in a timely manner.”
- Companies will have to explicitly state a minimum length of time that devices will receive security updates when the device is sold, regardless of whether it’s bought online or in an actual store.
“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,” Digital Minister Matt Warman said in a statement. “It will mean robust security standards are built-in from the design stage and not bolted on as an afterthought.”
In its release, the UK government noted that it expects 75 billion IoT devices to find their way into homes globally by the end of 2025. It also notes the three proposed security requirements are the results of consulting with businesses and the National Cyber Security Centre to develop best standard practices in May of last year.
The three proposals aren’t anything radical, but they are necessary. Right now, IoT devices are sort of like the wild west. For every company that ensures end-to-end encryption on their device, there’s another that doesn’t offer you the ability to change passwords or worse yet, gives you a default password for a more ‘frictionless’ setup experience. (Yours truly once tested a smart aromatherapy diffuser with a universal hardcoded password of 12345678....). You may remember the DDoS attacks in 2016 that crippled the internet—yeah, they were launched by billions of unsecured IoT devices infected with the Mirai botnet malware. Eliminating the fuzziness around IoT device passwords would go a long way in reducing that sort of security risk.
Likewise, the requirement forcing manufacturers to disclose how long they plan to support devices with security updates is crucial. Just last week, Sonos announced it planned to sunset its older products in May 2020, meaning they would neither receive new features or security patches. After a public outcry, it backtracked just a few days later to note that security updates would, in fact, continue for ‘as long as possible.’ Sonos is particularly notable, as speakers are devices that many consumers expect to last decades, compared to gadgets that become outdated more quickly like laptops or smartphones. The company has stated it plans to support devices for a minimum of five years after they’re discontinued, but in general, IoT device-makers aren’t the most forthcoming with that information. It’s also not clear what happens to IoT devices when their manufacturers go out of business.
In the U.S., the California Senate passed an IoT security bill, SB-327 which calls on manufacturers to enact ‘reasonable security features,’ which includes banning the use of default passwords. The bill, which went into effect on January 1st this year, has been criticized by some experts as being overly vague and not going far enough. Meanwhile, the IoT CyberSecurity Improvement Act of 2017 calls for security standards for connected devices—but only those used by the government. While it’s good that regulators are at least cognizant of the threats poor IoT security introduces, the UK’s approach seems to be the bare minimum U.S. regulators should aspire to.