Manufacturers of connected IoT smart devices will soon have to adhere to stricter security requirements under new government guidelines.
Yesterday, digital minister Matt Warman announced proposals designed to improve the cybersecurity of internet of things (IoT) devices.
It is estimated that by 2025 there will be 75 billion internet-connected devices worldwide, with the number of connected devices per household expected to rise from 10 to 15 this year.
However, many products lack basic cybersecurity protection. Security flaws, combined with the fact that many users never change their device's default password, mean that devices such as smart security cameras or smart watches can be compromised, putting their owners and their data at risk.
In 2018 the UK government launched a voluntary code of practice for manufacturers of IoT devices, but as yet no formal regulation exists.
The Department for Digital, Culture, Media & Sport (DCMS) has set out new regulatory proposals: device passwords must be unique to each device rather than a universal factory default; manufacturers must provide a public point of contact to which vulnerabilities can be reported; and manufacturers must state explicitly for how long a device will receive security updates.
The proposal states that these guidelines are not a “silver bullet” but are instead intended to be the “first practical step towards more secure devices”.
Matt Warman also said that the department is “advocating a robust and staged approach to enforcing these principles through regulation”.
Gerhard Zehethofer, vice president, IoT & Manufacturing at ForgeRock, said:
“This is a very positive step from the UK government. The Internet of Things has been talked about for years as a truly transformative technology, but adoption has been slower than expected. In 2012, it was predicted there would be a trillion connected devices globally by 2020; now the latest predictions are for just 20.4 billion.
“Overcoming the very real security concerns surrounding IoT will be critical to unlocking growth and IoT-specific regulations, such as this one and the law that recently came into effect in California, have a major role to play. Common-sense fixes like the banning of default passwords will help protect consumers and their data and build the trust that the IoT market needs to achieve its full potential.”
However, Ilkka Turunen, global director of Solutions Architecture at Sonatype, said that while the legislation is a step in the right direction, it does not address all of the security issues within the industry:
“When 1 in 10 software components downloaded by UK developers contains a known security vulnerability, increasing the occurrence of supply chain infiltration attacks, it’s not enough to just offer a point of contact to whom vulnerabilities are disclosed, or set an amount of time for providing updates. Manufacturers must ensure these components aren’t in their products to begin with.
“As 90% of all applications deployed in IoT devices contain third party code from Open Source, it is important to set rules on maintaining the integrity of those pieces of code. The 90-day limit proposed in the legislation to act on reported issues is too long. Modern attacks often occur within a few days of issues being reported. Manufacturers, businesses and governments need to work together to find a way of certifying the software supply chain – like a list of ingredients used to build the product.”