IoT security measures 'need teeth' to counter the spread of hackable devices

Tech industry reacts to Whitehall review's IoT security recommendations


The UK government's publication of guidelines to make connected devices more secure has been welcomed by industry experts, who nevertheless say Whitehall's review could have done more to set a higher standard for IoT security.

The 13 recommendations made by the Department for Digital, Culture, Media and Sport yesterday set out to encourage IoT vendors to make security part of the design process rather than bolting it on as an afterthought.


The measures the government urges manufacturers to adopt include regular software updates, so that code-level flaws are patched before attackers can exploit them; eliminating default passwords; and warning customers when the vendor becomes aware of a vulnerability in a product.

However, the report's guidelines are not compulsory, and some experts have pointed out where they believe the review could have gone further.

'No teeth'

David Emm, who is the principal security researcher at Kaspersky Lab, feels that the guidelines lack bite, and on their own will not solve the problem of unsecured, hackable devices falling into the hands of unwitting consumers.

He believes developers need to take more responsibility when it comes to protecting devices, by including safety certificates to show their products meet the government's voluntary standards.

"If the government allows manufacturers who comply with the standards to display a clearly-visible mark like the British Standards Institute kitemark, it would provide an easy way for consumers to tell if something is safe, putting manufacturers who don't comply at a disadvantage."


He added: "One government's guidelines, unless they have teeth, won't solve the problem entirely."

Telemetry data collection risks users' privacy

In a more detailed assessment, Bill Evans, senior director at security vendor One Identity, expressed concerns regarding the 10th recommendation, which calls for monitoring system telemetry data, and about what that data is specifically used for.

Calling the review as a whole "a great step forward", Evans warned that this specific recommendation creates potential for an invasion of privacy.

The recommendation states that "if collected, all telemetry such as usage and measurement data from IoT devices and services should be monitored for security anomalies within it".

But Evans called for more clarity "to ensure limitations on abuse", by allowing users to turn off telemetry data collection, or defining what data that encompasses.

"The risk here is that the device manufacturers and service providers begin collecting lots of the data 'in the name of security' that really is usage data that can conveniently also be used for marketing or other purposes," he argued. "By scoping this recommendation, the framers of this guidance could eliminate this concern once and for all."
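The scoping Evans asks for can be made concrete in the collection pipeline itself. The following is an added illustration, not code from the DCMS report or from any vendor quoted here: it assumes a hypothetical allowlist of security-relevant fields (firmware hash, failed-authentication count, update status), drops everything else as usage data, honours a per-device opt-out with deny-by-default when no consent record exists, and only then looks for anomalies in what remains. Field names, thresholds and the sample records are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

# Hypothetical allowlist: the only fields a device may report "for security".
# Anything outside it (viewing habits, room occupancy, ...) is usage data and is dropped.
SECURITY_FIELDS = frozenset({
    "device_id", "firmware_hash", "failed_auth_count", "update_status", "reboot_count",
})


@dataclass
class Report:
    device_id: str
    accepted: dict    # fields that passed the allowlist
    rejected: tuple   # field names dropped as out of scope (everything, if opted out)
    alerts: tuple     # anomaly descriptions found in the accepted fields only


def scope_record(raw: dict, telemetry_enabled: bool) -> tuple[dict, tuple]:
    """Keep only allowlisted fields; if the user opted out, keep nothing."""
    if not telemetry_enabled:
        return {}, tuple(sorted(raw))
    accepted = {k: v for k, v in raw.items() if k in SECURITY_FIELDS}
    rejected = tuple(sorted(k for k in raw if k not in SECURITY_FIELDS))
    return accepted, rejected


def detect_anomalies(accepted: dict, baseline: dict, max_failed_auth: int = 20) -> tuple:
    """Flag security anomalies using the scoped fields and a per-device baseline."""
    alerts = []
    expected_hash = baseline.get("firmware_hash")
    reported_hash = accepted.get("firmware_hash")
    if expected_hash and reported_hash and reported_hash != expected_hash:
        alerts.append("firmware_hash differs from known-good build")
    if accepted.get("failed_auth_count", 0) > max_failed_auth:
        alerts.append("failed_auth_count above threshold")
    if accepted.get("update_status") == "failed":
        alerts.append("software update failed")
    return tuple(alerts)


def process(records: Iterable[dict], consent: dict, baselines: dict) -> list[Report]:
    """Scope each record first, then analyse; a device with no consent entry is treated as opted out."""
    out = []
    for raw in records:
        dev = raw["device_id"]
        accepted, rejected = scope_record(raw, consent.get(dev, False))
        alerts = detect_anomalies(accepted, baselines.get(dev, {}))
        out.append(Report(dev, accepted, rejected, alerts))
    return out


# Constructed sample input (not real device data).
CONSENT = {"cam-01": True, "cam-02": False, "hub-07": True}
BASELINES = {
    "cam-01": {"firmware_hash": "sha256:aaaa"},
    "cam-02": {"firmware_hash": "sha256:aaaa"},
    "hub-07": {"firmware_hash": "sha256:bbbb"},
}
SAMPLE_RECORDS = [
    {"device_id": "cam-01", "firmware_hash": "sha256:aaaa", "failed_auth_count": 3,
     "update_status": "ok", "room_occupancy_minutes": 412, "viewing_hours": 5.5},
    {"device_id": "cam-02", "firmware_hash": "sha256:aaaa", "failed_auth_count": 0,
     "viewing_hours": 2.0},
    {"device_id": "hub-07", "firmware_hash": "sha256:cccc", "failed_auth_count": 57,
     "update_status": "failed", "reboot_count": 1, "tv_channel": "BBC One"},
]

if __name__ == "__main__":
    for r in process(SAMPLE_RECORDS, CONSENT, BASELINES):
        print(r.device_id, "kept", sorted(r.accepted), "dropped", r.rejected, "alerts", r.alerts)
```

The order matters: the allowlist is applied before any analysis, so the anomaly logic never sees the usage fields and cannot quietly grow to depend on them, and the rejected-field list gives an auditable record of what a device tried to send.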

Hackers see connected devices as 'entry points' to personal data

The variety of internet-connected devices on the market provides countless opportunities for hackers to access individual and corporate data, from IoT toys that let hackers talk to children to webcams used to spy on people caught unawares.


Emily Orton, co-founder at Darktrace, feels there is still much more to be done to protect ourselves when it comes to IoT devices.

"We're now seeing hackers taking a variety of different pieces of information with a considerable amount coming from corporate targets. So, for example, we have recently seen a fish tank used to take out sensitive corporate data from a casino." The tank was connected to a PC that enabled hackers to get onto the casino's network.

"So, you may think 'why would anyone want to hack my fitness tracking device or my baby monitor?'," she added, "but they may be used as gateways to more interesting things. We need to think about where these devices are travelling and which servers and devices they may be acting as a stepping stone to, to get other information."

Taking the security burden off consumers

The government's review highlighted the need to give consumers clearer guidance on choosing secure IoT devices, and to relieve them of the burden of securing those devices themselves.


Mark James, security specialist at antivirus firm ESET, welcomed this point, and emphasised that because many users are unaware security threats even exist, vendors must take on the burden of building security in themselves.

"One of the biggest issues for the consumer is knowing they need protecting and just as important, understanding what they need protecting from," James pointed out. "It's not always easy to get this across, so, if we can implement measures from the ground up to take some of the decisions away from the user and have them 'auto' or 'default', then achieving that security will certainly be much easier."

Highlighting the threats of default passwords and an absence of firmware updates to protect against hacking, he added: "The end user often does not understand the need to close these massive fissures in IoT security, so if given the choice will often go for price over security."


Given that tendency, James fears that while the review's measures remain only recommendations, the tension between security and cost could prove a stumbling block in making IoT devices safer.

"Ensuring something is easy to install, reasonably priced and secure at the same time may not be as simple as it sounds," he said.
