The government has responded to the need to protect consumers and businesses as the use of IoT devices grows by publishing a Secure by Design report that shifts the burden of security from the end user to the manufacturer. The government estimates that every household in the UK owns at least 10 internet-connected devices, a figure that is expected to rise to 15 by 2020. However, it’s not just in the home: IoT is increasingly being connected to infrastructure in smart cities, hospitals, industry and business. The potential for compromised, networked devices to be used to launch large-scale distributed denial of service (DDoS) attacks is quite real. Some reports maintain that the number of connected devices will soon exceed the world’s population. So, with online security and privacy top of mind at present, the government’s recommendations have been welcomed, even if they are not legally binding. The latter point has been the main criticism of the initiative.
The review, which was developed with the help of manufacturers, retailers and the National Cyber Security Centre (NCSC), makes it clear that companies should integrate sufficient security mechanisms into devices. The central proposal of the report is a Code of Practice aimed primarily at manufacturers of consumer IoT products and associated services. Developed through extensive engagement with industry and subject matter experts, it sets out thirteen practical steps to improve the security of consumer IoT:
- No default passwords
- Implement a vulnerability disclosure policy
- Keep software updated
- Secure storage of sensitive data and credentials
- Communicate securely
- Minimise exposed attack surfaces
- Ensure software integrity
- Ensure personal data is protected
- Make systems resilient to outages
- Monitor system telemetry data
- Make it easy for consumers to delete personal data
- Make device installation and maintenance easy
- Validate input data
According to the report, the first three points are priorities. Eliminating default passwords and forcing each user to create unique credentials for their device has long been recommended, as has the need to provide updated software with a clear end-of-life policy. Encrypted, secure communications are also recommended, with manufacturers requested to minimise attack surfaces as much as possible and secure personal data.
Margot James, minister for digital and the creative industries, said the government wants “everyone to benefit from the huge potential of internet-connected devices… It is important they are safe and have a positive impact on people’s lives,” adding: “We have worked alongside industry to develop a tough new set of rules so strong security measures are built into everyday technology from the moment it is developed. This will help ensure that we have the right rules and frameworks in place to protect individuals and that the UK continues to be a world-leading, innovation-friendly digital economy.”