Sales of connected devices such as smart TVs, tablets and speakers have soared during the pandemic but they often come with subpar cybersecurity. Now, the UK government plans to do something about it and that involves banning stupid passwords.
The UK government will introduce new reforms to strengthen the cybersecurity of Internet of Things (IoT) devices. The new IoT law would force makers of connected gizmos – such as Apple, Amazon, Samsung and Google – to tell customers at the point of sale how long they will keep updating the devices’ software.
The government also suggested an outright ban against easy-to-guess passwords such as “password” or “admin”. This echoes a recent warning from the National Cyber Security Centre (NCSC) against using passwords such as significant dates, maiden names or the names of pets – aka pawswords.
The third central point of the new IoT law – which will be presented “as soon as parliamentary time allows” – would make it easier for users to report bugs and glitches.
“Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems,” said digital infrastructure minister Matt Warman. “We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords. The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”
The IoT law comes as connected devices surged in popularity during Covid-19. According to research from Ipsos MORI, 49% of UK residents have purchased at least one smart device since the start of the coronavirus crisis.
“Consumers are increasingly reliant on connected products at work and at home,” said Ian Levy, technical director at the NCSC. “The Covid-19 pandemic has only accelerated this trend and while manufacturers of these devices are improving security practices gradually, it is not yet good enough.”
Levy added: “To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now.”
There is a plethora of examples of how cybercriminals can use connected devices to commit crimes.
In 2017, the now infamous Mirai botnet attack compromised IoT devices to bring down many of the most popular sites in the US and in Europe. In the same year, hackers used a smart fish tank to break into a casino. Last year, cybercrooks compromised webcams to record and sell videos of their victims on pornographic sites. Researchers have also warned about how IoT-connected devices such as pacemakers, cars and sex toys could be hacked.
Some industry stakeholders welcomed the IoT law but said the reforms should go further, especially when it comes to patching vulnerable software.
“Responsible disclosure should prioritise the notification of a vulnerability to customers with the intention of reducing the risks by either making the vulnerability public or applying a vendor patch,” said Joseph Carson, chief security scientist at Thycotic.
“The difficulty of patching systems should also be taken into consideration as even with public vulnerability disclosures, most systems remain unpatched for much longer, sometimes even years. Responsible disclosure is too broad today and needs to really put the customer first.
“All of these new UK laws regarding smart devices are very welcome but the UK government must continue to work with the security industry to ensure it is possible to implement and achieve these with genuinely usable security as the priority.”
The government presented its new IoT law at a time when the market for these devices is expected to grow considerably in the years to come. Connected devices are already widely used in diverse industries, including the automotive, apparel, aerospace, banking, food and healthcare sectors. Market analysts believe they’ll become even more commonplace as the global 5G rollout fuels innovation.
“The IoT will change the shape and dynamic of the semiconductor industry,” GlobalData analysts noted in a recent research report. “By 2025, most data collection and processing will be done at the edge in embedded systems within IoT devices, rather than by central computers. The IoT will be populated with things that are as self-contained and autonomous as possible and have the sensors, processors, and fast memory to sense, infer and act. The enabler will be a meshed wireless network of sensors. These sensors range from the EKG sensor in the Apple Watch to the visual and shelf pressure sensors that enable Amazon’s Go stores.”
A separate GlobalData study noted that 79% of business owners believe IoT devices will play a role in their Covid-19 recovery.