UK, California, Cisco roll out new IoT security regimes
As Data Privacy Day (28 January) was marked internationally, the UK government moved to protect consumers with new rules governing Internet of Things (IoT) devices, such as sensors, home hubs, smart speakers, connected household appliances, and home security gadgets.
Plans unveiled by the Department for Digital, Culture, Media and Sport (DCMS) this week aim to force the manufacturers of such devices to adhere to minimum security requirements.
Under the new rules, each device’s password must be unique, rather than a standard default; manufacturers must list a public contact for the reporting of faults; and they must state a minimum support time for the device in terms of updates and security patches.
The move comes in the wake of multiple reports from consumer organisations and research companies warning of a lack of basic protections across a range of smart home and office devices, as products are rushed to market to capitalise on a wave of interest.
Everything from security cameras that have known default passwords to smart speakers that record conversations, robots that lack online protections, and smart TVs that send consumer data to hundreds of IP addresses has been reported over the past two years.
Online communities even exist offering free access to unsecured Web cameras worldwide, some of them in homes, offices, and public spaces.
This week, the Electronic Frontier Foundation warned that Amazon’s Ring app for its smart doorbell range shares data with third-party trackers, including Facebook.
And it is not just the domestic market that is at risk: increasing numbers of companies are using smart devices to monitor energy usage, book meeting rooms, control lighting and ventilation, minimise data centre heat, secure the premises, and more.
Meanwhile, smart factories, the Industrial Internet of Things, and connected healthcare are among countless other areas that could be vulnerable as the threat surface grows. Transport networks, connected cars, and smart city programmes could also be fertile grounds for sophisticated attacks.
Digital Minister Matt Warman echoed previous government announcements about internet safety when he said, “We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology.
“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”
In 2018, the government introduced its ‘Secure by Design’ guidelines for manufacturers, but the voluntary code of conduct has not been sufficient. However, one of the challenges is that it is unclear who will enforce the new rules and, as yet, there is no requirement for mandatory product labelling.
With Warman stressing the need for “pro-innovation” regulation, the subtext seems to be a desire to avoid alarming manufacturers as much as to protect consumers – particularly as the government’s Brexit message has focused on stripping away red tape.
The UK is not alone in wanting to secure the IoT. On 1st January this year, the US state of California introduced the so-called ‘IoT Law’ to regulate the security of connected devices. The legislation was rolled out alongside the better known California Consumer Protection Act (CCPA).
Among other stipulations, the new law mandates that IoT devices sold in the state are equipped with security measures to protect them from unauthorised access, disclosure, or modification by hackers – including a password that is unique to each device.
However, it does not affect devices that are already regulated by federal law, such as connected medical equipment and vehicles.
Meanwhile, US hardware and communications giant Cisco has announced a new IoT security architecture for large-scale professional deployments. It includes Cisco Cyber Vision, which is designed for the automated discovery of industrial assets delivered via Cisco’s Industrial IoT networking portfolio.