UK Government gets serious about consumer IoT security. Legislation on the way

Ken Munro 01 May 2019

The Digital Minister Margot James today announced a consultation on mandatory security requirements for consumer IoT, a first concrete step towards dealing with the slew of insecure IoT dross that has plagued consumers over the last few years.

The aim is simple: to ensure that the millions of household items connected to the internet are better protected from cyber attacks.

The basics

Although it is early in the consultation stage, there are strong indications that the resulting rules will be clear and effective. For example, the consultation focuses on mandating the top three security requirements set out in the current ‘Secure by Design’ code of practice:

  • IoT device passwords must be unique per device and not resettable to any universal factory default.
  • Manufacturers of IoT products must provide a public point of contact as part of a vulnerability disclosure policy.
  • Manufacturers must explicitly state, in an end-of-life policy, the minimum length of time for which the device will receive security updates.

Labelling

One of the options is to introduce a mandatory labelling scheme, where a label would indicate to consumers how secure a device is. Under that option, retailers could only sell devices that carry the label. This is a huge step forward.

Our view has always been that while labelling is a useful option, a far stronger message could be sent. If there were a legal requirement that retailers could not sell any product that does not adhere to the top three security requirements of the Code, it would force manufacturers into line.

So, the UK looks set to get the best consumer IoT legislation in the world, starting with a coherent plan for connected devices:

  • Basic cyber security features to be built into products
  • Consumers will get better information on how secure their devices are
  • Consultation now launched ahead of potential legislation

Security research CAN create change

We’ve been banging on about IoT security for the last five years. Whether through blogging our research findings, presenting them, or briefing UK, US, EU and other government departments, we have made it our mission to shine a light on poor practice and contemptible behaviour from manufacturers.

Conclusion

This is a great start, something to be genuinely pleased about, but it is early days and the proposals are a fairly ‘light touch’. We hope that the government will also commit to a programme of continual improvement of smart product security.