The UK government has unveiled a new consumer IoT law designed to prohibit the sale of smart products that fail to meet three strict security requirements.
Drawn up by the Department for Digital, Culture, Media and Sport (DCMS), the proposals would ensure all IoT kit sold in the UK allows users to set unique passwords and not revert them to any factory settings.
This would seem to combat the scourge of Mirai-like malware, which finds exposed devices on the internet and cracks them open with a list of popular default password choices.
Manufacturers of IoT devices would also have to provide a public point of contact so that anyone can report vulnerabilities and have them acted on “in a timely manner.”
The same IoT kit-makers would have to explicitly state the minimum length of time a device will receive security updates at point-of-sale, allowing consumers to decide whether they’re happy with vendor promises.
However, there’s no mention of enforcing a 'kitemark' for consumers which would allow buyers to easily spot whether products have met a minimum standard of security and quality. Such a standard technically exists in the UK, after the British Standards Institution (BSI) introduced one in May 2018, and at a European level, with the launch of ETSI TS 103 645 around a year ago.
It’s also unclear exactly how the UK would prohibit the sale of non-compliant IoT kit, especially items which can be sourced online from China and elsewhere. The majority of the world’s smart gadgets are not manufactured in the UK.
That said, the UK is still ahead of the US in its moves to drive regulation of an industry that exposes consumers and businesses to growing cyber risk.
“Consumer IoT devices can deliver real benefits to individuals and society, but techUK’s research shows that concerns over poor security practices act as a significant barrier to their take-up. TechUK is therefore supportive of the government’s commitment to legislate for cybersecurity to be built into consumer IoT products from the design stage,” argued techUK director of markets, Matthew Evans.
“TechUK has been working on these three principles for the past four years. We support the work to ensure that they are consistent and are influencing international standards.”
Carl Wear, head of e-crime at Mimecast, claimed that the UK push could have a beneficial impact on other parts of the world, although the nature of technology innovation would require revisions to the law.
“The legislation and any accompanying guidance will then need to be re-visited rapidly and updated to maintain an adequate minimum standard of security, as necessary,” he said. “I am certain that this move by the UK will likely prompt consideration of further regulation within other jurisdictions, in order to maintain trust in their own IoT and parity with the security of others.”
The UK’s proposals follow a “world first” voluntary code of practice introduced by the government in October 2018, on which the European standard was based.