IoT security measures 'need teeth' to counter the spread of hackable devices

Tech industry reacts to Whitehall review's IoT security recommendations


The UK government's publication of guidelines to make connected devices more secure has been welcomed by industry experts, who nevertheless say Whitehall's review could have done more to set a higher standard for IoT security.

The 13 recommendations published yesterday by the Department for Digital, Culture, Media and Sport set out to encourage IoT vendors to make security part of the design process rather than bolting it on as an afterthought.

The measures the government has urged manufacturers to adopt include regular software updates to devices, so that code-level flaws are patched before hackers can exploit them; the elimination of default passwords; and warning customers when the vendor becomes aware of a vulnerability in a product.

However, the report's guidelines are not compulsory, and some experts have pointed out where they believe the review could have gone further.

'No teeth'

David Emm, principal security researcher at Kaspersky Lab, feels that the guidelines lack bite and, on their own, will not solve the problem of unsecured, hackable devices falling into the hands of unwitting consumers.

He believes manufacturers need to take more responsibility for protecting devices, for example by carrying a certification mark that shows their products meet the government's voluntary standards.

"If the government allows manufacturers who comply with the standards to display a clearly-visible mark like the British Standards Institute kitemark, it would provide an easy way for consumers to tell if something is safe, putting manufacturers who don't comply at a disadvantage."

He added: "One government's guidelines, unless they have teeth, won't solve the problem entirely."

Telemetry data collection risks users' privacy

In a more detailed assessment, Bill Evans, senior director at security vendor One Identity, expressed concerns about the 10th recommendation, which covers monitoring of system telemetry data, and about what that data is specifically used for.

Calling the review as a whole "a great step forward", Evans warned that this specific recommendation creates potential for an invasion of privacy.

The recommendation states that "if collected, all telemetry such as usage and measurement data from IoT devices and services should be monitored for security anomalies within it".

But Evans called for more clarity "to ensure limitations on abuse", for instance by allowing users to turn off telemetry collection, or by defining exactly what data the recommendation encompasses.

"The risk here is that the device manufacturers and service providers begin collecting lots of the data 'in the name of security' that really is usage data that can conveniently also be used for marketing or other purposes," he argued. "By scoping this recommendation, the framers of this guidance could eliminate this concern once and for all."

Hackers see connected devices as 'entry points' to personal data

The variety of internet-connected devices on the market provides countless opportunities for hackers to access individual and corporate data, from IoT toys that let hackers talk to children to webcams used to spy on people caught unawares.

Emily Orton, co-founder at Darktrace, feels there is still much more to be done to protect ourselves when it comes to IoT devices.

"We're now seeing hackers taking a variety of different pieces of information with a considerable amount coming from corporate targets. So, for example, we have recently seen a fish tank used to take out sensitive corporate data from a casino." The tank was connected to a PC that enabled hackers to get onto the casino's network.

"So, you may think 'why would anyone want to hack my fitness tracking device or my baby monitor?'," she added, "but they may be used as gateways to more interesting things. We need to think about where these devices are travelling and which servers and devices they may be acting as a stepping stone to, to get other information."

Taking the security burden off consumers

The government's review highlighted the need to make it clearer to consumers why they should choose secure IoT devices, and to remove from them the burden of securing those devices in the first place.

Mark James, security specialist at antivirus firm ESET, welcomed this point, and emphasised that, because many users are unaware that security threats even exist, vendors must take on the burden of building security in themselves.

"One of the biggest issues for the consumer is knowing they need protecting and just as important, understanding what they need protecting from," James pointed out. "It's not always easy to get this across, so, if we can implement measures from the ground up to take some of the decisions away from the user and have them 'auto' or 'default', then achieving that security will certainly be much easier."

Highlighting the threats of default passwords and an absence of firmware updates to protect against hacking, he added: "The end user often does not understand the need to close these massive fissures in IoT security, so if given the choice will often go for price over security."

Because of this, James fears that, with the review's measures currently acting only as recommendations, the tension between security and cost could prove a stumbling block in making IoT devices safer.

"Ensuring something is easy to install, reasonably priced and secure at the same time may not be as simple as it sounds," he said.
