To address cybercrime vulnerabilities, the UK Government is introducing new legislation to protect consumers from insecure connected products such as smart televisions, home security and smartphones.
The consumer IoT market is estimated to be worth over $50bn in 2021, with a CAGR of 15.2% by 2025. With this level of growth and influx of consumer connected devices covering smart televisions, connected smart home devices, consumer wearables and smart phones, increased cybersecurity vulnerabilities will exist in digitally connected consumer technologies.
In GlobalData’s view this has been further exacerbated by the void of defined standards and legislation with which manufacturers of devices in the IoT value chain can adhere to. This contrasts with B2B connected devices where there are clearer defined digital eco-systems and points of demarcation with respect to cybersecurity that has been influenced and developed through networking and cybersecurity standards defined by cybersecurity vendors and network providers.
For consumer IoT, Internet-connected products with universal default passwords are particularly open to vulnerabilities, with irregular password updates and inadequate security measures and polices in place.
This has resulted in several malicious actors posing security breaches to devices and central networks. Some examples of recent consumer IoT data breaches include Amazon’s Ring home camera security breach giving cyber criminals access to connected home devices, and Nortek Security & Control Access Control System breach for connected homes.
More buy in by manufacturers is needed
To tackle security vulnerabilities in consumer IoT there needs to be more buy-in by manufacturers in complying to defined security standards as well as legislation, and enforcement by governments in ensuring manufacturers and players in the value chain comply to standards before IoT devices can operate in country consumer settings.
To address IoT vulnerabilities and implement appropriate legislation, the UK Government in paving the way by ensuring consumers are protected with their IoT devices. Ultimately, introduction of the new UK legislation will hold manufacturers and players selling Internet-connected devices to account for security vulnerabilities and safeguard consumer privacy and safety from cyber criminals.
The UK Government’s recent April 2021 announcement builds up on its 2018 published Cod of Practice which set out the security principles that manufacturers and key stake holders need to adhere to. Additionally, international efforts by the UK Government have involved persuading other States to follow a similar course. One of the by-products of this was the introduction of the European Standards EN 303-645 on connected product security being introduced.
What is UK Government key legislative position?
Ultimately, the UK Government’s intervention will ensure that manufacturers of products that do not meet the minimum baseline of security measures are not made available to UK consumers.
The desired outcome of the government’s intervention in this space is that the range of harms that can arise from vulnerable consumer connected products are minimised. In practical terms the UK Government through its work with the National Cyber Security Centre and industry experts has compiled twelve key policy areas supporting its new legislation. Examples of these include defining products in scope and ones that are exempt. Included are devices like smartphones, connected cameras/TVs/speakers, wearable devices, and connected home automation and alarm systems.
However, excluded are categories like second-hand products with lack of direct business connection with the manufacturer, and operational industrial connected devices. Additionally, compliance to security requirements will follow two key paths. These cover compliance to the Code of Practice for Consumer IoT Security and ETSI European Standard (EN) 303-645, and/or designated relevant standards that can be as the UK government states be implemented in lieu of the security requirements in the legislation.
The UK Government’s new legislation will certainly pave the way for manufacturers and suppliers to be accountable in ensuring appropriate security measures are in place on their devices before they are introduced to the UK market.
However, the ever-changing complex IoT eco-system, new devices and methods of access will require the UK Government to continuously enforce innovative legislative measures to provide adequate protection to consumers