UK mulls security ratings and immutable passwords for IoT devices
The UK government has set out a plan to secure and protect consumer IoT devices from cyber attacks. It is considering a mandatory labelling scheme to rate the security of IoT devices, and inform consumers how secure their devices and appliances really are.
It is also consulting on three security requirements, set out in its ‘Secure by Design’ code of practice, which launched at the end of last year. These propose that IoT device passwords are unique and not resettable to factory settings, that manufacturers provide a point of contact as part of a vulnerability disclosure policy, and that manufacturers specify how long devices will receive security updates.
The government proposes that retailers will be banned from selling IoT products that do not adhere to these three security requirements.
Its voluntary Secure by Design code of practice advocates for stronger cyber security measures to be built into smart products from the design stage. Centrica Hive, HP, Geo, and Panasonic have signed up.
Amazon, Miele, Philips, Samsung, Yale, and Legrand have also committed to take steps to ensure effective security solutions are being implemented across IoT products on the market, following a government roundtable with the firms on IoT security.
“The government is working with international partners to ensure that the guidelines drive a consistent approach to IoT security. The proposals set out in the consultation have the potential to impact security of devices made across the world to meet the UK’s future standards,” said the UK government.
Digital Minister Margot James said: “Our code of practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought. These new proposals will help to improve the safety of Internet-connected devices and are another milestone in our bid to be a global leader in online safety.”
Ian Levy, technical director of the National Cyber Security Centre (NCSC), said: “Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it’s unacceptable that these are not being fixed by manufacturers. This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes.”
A consultation document will be available on the government’s Secure by Design pages and is open for five weeks.
In February, ETSI launched Technical Specification 103 645, a global standard on the cybersecurity of internet-connected consumer devices. It builds on the UK’s code of practice for Consumer IoT Security, but has been adapted to address wider European and global needs. A number of signatories to the Cybersecurity Tech Accord endorsed the ETSI specification in March.