IoT vendors urged to ditch devices' default passwords and improve security

UK government review outlines measures to protect consumers from IoT threats

The UK government today called for stronger security measures for internet-connected devices, urging manufacturers to build security into product designs.

The Department for Digital, Culture, Media & Sport (DCMS) is promoting a 13-point code of practice in its Secure by Design review, to encourage IoT vendors to make security part of the design process rather than bolting it on as an afterthought.

Advertisement - Article continues below

However, the report's guidelines are not compulsory, and the government said it plans to work with industry to embed cyber security practices into connected device design.

Minister for digital Margot James said: "We want everyone to benefit from the huge potential of internet-connected devices and it is important they are safe and have a positive impact on people's lives. We have worked alongside the industry to develop a tough new set of rules so strong security measures are built into everyday technology from the moment it is developed.

"This will help ensure that we have the right rules and frameworks in place to protect individuals and that the UK continues to be a world-leading, innovation-friendly digital economy."

The government estimates that each UK household has 10 internet-connected devices, a number that it predicts could increase to 15 by 2020, potentially posing serious data protection threats to UK citizens.

Advertisement
Advertisement - Article continues below

Ian Levy, technical director of the National Cyber Security Centre (NCSC), also highlighted a need for more clarity for consumers on the need to use secure IoT devices, and to remove the burden of installing complex security software from these end users.

Advertisement - Article continues below

"The NCSC is committed to ensuring the UK has the best security it can, and stop people being expected to make impossible safety judgements with no useful information," he said.

"We are pleased to have worked with DCMS on this vital review and hope its legacy will be a government 'kitemark' clearly explaining the security promises and effective lifespan of products."

"Shoppers should be given high quality information to make choices at the counter. We manage it with fat content of food and this is the start of doing the same for the cyber security of technology products."

Devices like smart wearables, webcams and even children's toys are at risk of hacking without proper security measures.

To prevent such incidents, the review's recommendations include ensuring that devices don't come with default passwords, which can be easily hacked, that vendors are able to regularly update products' software, and that they abide by a vulnerability disclosure policy and ensure their devices have built-in redundancy to prevent them from being overwhelmed by DDoS attacks.

Advertisement - Article continues below

The only binding requirement is to protect people's personal data, something that is a key element of the EU's incoming General Data Protection Regulation and the government's own Data Protection Bill

As part of the review, the government explored current industry incentives and challenges to implementing cyber security in consumer IoT. The evidence suggested that the main obstacles centre around cost and the challenge of justifying investing time and money when a business's focus is to get its product to market as soon as possible.

Additionally, manufacturers are unlikely to face immediate economic costs borne by a DDoS attack conducted through their devices, and, therefore, would not face sufficient commercial incentives to invest in a secure-by-design approach.

The government said it will consider making the changes compulsory through law after reviewing IoT vendors' progress throughout 2018.

Picture: Shutterstock

Featured Resources

Successful digital transformations are future ready - now

Research findings identify key ingredients to complete your transformation journey

Download now

Cyber security for accountants

3 ways to protect yourself and your clients online

Download now

The future of database administrators in the era of the autonomous database

Autonomous databases are here. So who needs database administrators anymore?

Download now

The IT expert’s guide to AI and content management

Your guide to the biggest opportunities for IT teams when it comes to AI and content management

Download now
Advertisement
Advertisement

Recommended

Visit/policy-legislation/data-protection/355250/health-sites-sharing-users-medical-data-with-major-tech
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
Visit/security/cyber-security/355210/cyber-criminals-torn-over-how-to-adapt-to-post-coronavirus-threat
cyber security

Hackers torn over how to adapt their tactics to the coronavirus pandemic

3 Apr 2020
Visit/policy-legislation/data-protection/355184/supreme-court-finds-morrisons-was-not-liable-for-2014
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020
Visit/security/privacy/355048/government-may-trace-covid-19-patients-using-mobile-phone-data
privacy

UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020

Most Popular

Visit/mobile/mobile-phones/355239/microsofts-patent-design-reveals-a-mobile-device-with-a-third-screen
Mobile Phones

Microsoft patents a mobile device with a third screen

6 Apr 2020
Visit/server-storage/servers/355254/a-critical-flaw-in-350000-microsoft-exchange-remains-unpatched
servers

A critical flaw in 350,000 Microsoft Exchange remains unpatched

7 Apr 2020
Visit/software/video-conferencing/355257/taiwan-first-country-to-ban-zoom-amid-security-concerns
video conferencing

Taiwan becomes first country to ban Zoom amid security concerns

8 Apr 2020