IoT security measures 'need teeth' to counter the spread of hackable devices

Tech industry reacts to Whitehall review's IoT security recommendations

A collection of IoT devices

The UK government's publication of guidelines to make connected devices more secure has been welcomed by industry experts, who nevertheless say Whitehall's review could have done more to set a higher standard for IoT security.

The 13 recommendations made by the Department for Digital, Culture, Media and Sport yesterday sets out to encourage IoT vendors to make security part of the design process rather than bolting it on as an afterthought.

Measures the government has urged manufacturers to include cover regular software updates to devices to prevent hackers exploiting code-level flaws, getting rid of default passwords, and warning customers when they become aware of a vulnerability in a product.

However, the report's guidelines are not compulsory, and some experts have pointed out where they believe the review could have gone further.

'No teeth'

David Emm, who is the principal security researcher at Kaspersky Lab, feels that the guidelines lack bite, and on their own will not solve the problem of unsecured, hackable devices falling into the hands of unwitting consumers.

He believes developers need to take more responsibility when it comes to protecting devices, by including safety certificates to show their products meet the government's voluntary standards.

"If the government allows manufacturers who comply with the standards to display a clearly-visible mark like the British Standards Institute kitemark, it would provide an easy way for consumers to tell if something is safe, putting manufacturers who don't comply at a disadvantage."

He added: "One government's guidelines, unless they have teeth, won't solve the problem entirely."

Telemetry data collection risks users' privacy

In a more detailed assessment, Bill Evans, senior director at security vendor One Identity, expressed concerns regarding the 10th recommendation for monitoring system telemetry data and what it is specifically used for.

Calling the review as a whole "a great step forward", Evans warned that this specific recommendation creates potential for an invasion of privacy.

The recommendation states that "if collected, all telemetry such as usage and measurement data from IoT devices and services should be monitored for security anomalies within it".

But Evans called for more clarity "to ensure limitations on abuse", by allowing users to turn off telemetry data collection, or defining what data that encompasses.

"The risk here is that the device manufacturers and service providers begin collecting lots of the data 'in the name of security' that really is usage data that can conveniently also be used for marketing or other purposes," he argued. "By scoping this recommendation, the framers of this guidance could eliminate this concern once and for all."

Hackers see connected devices as 'entry points' to personal data

The variety of internet-connected devices on the market provides countless opportunities for hackers to access individual and corporate data, from IoT toys that let hackers talk to children to webcams used to spy on people caught unawares.

Emily Orton, co-founder at Darktrace, feels there is still much more to be done to protect ourselves when it comes to IoT devices.

"We're now seeing hackers taking a variety of different pieces of information with a considerable amount coming from corporate targets. So, for example, we have recently seen a fish tank used to take out sensitive corporate data from a casino." The tank was connected to a PC that enabled hackers to get onto the casino's network.

"So, you may think 'why would anyone want to hack my fitness tracking device or my baby monitor?'," she added, "but they may be used as gateways to more interesting things. We need to think about where these devices are travelling and which servers and devices they may be acting as a stepping stone to, to get other information."

Taking the security burden off consumers

The government's review highlighted the need for more clarity for consumers on the need to use secure IoT devices, and to remove the burden from them of securing these devices in the first place.

Mark James, security specialist at antivirus firm ESET, welcomed this point, and emphasised that users unaware of the existence of security threats mean vendors must take on the burden of building in security themselves.

"One of the biggest issues for the consumer is knowing they need protecting and just as important, understanding what they need protecting from," James pointed out. "It's not always easy to get this across, so, if we can implement measures from the ground up to take some of the decisions away from the user and have them 'auto' or 'default', then achieving that security will certainly be much easier."

Highlighting the threats of default passwords and an absence of firmware updates to protect against hacking, he added: "The end user often does not understand the need to close these massive fissures in IoT security, so if given the choice will often go for price over security."

This likelihood means James fears that, with the review's measures currently acting only as recommendations, this uneasy tension between security and cost could prove a stumbling block in making IoT devices safer. 

"Ensuring something is easy to install, reasonably priced and secure at the same time may not be as simple as it sounds," he said.

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

Wisconsin Republican Party allegedly loses $2.3 million to hackers
hacking

Wisconsin Republican Party allegedly loses $2.3 million to hackers

30 Oct 2020
What is hacktivism?
hacking

What is hacktivism?

13 Oct 2020
Microsoft: Iranian hackers are exploiting ZeroLogon flaw
Security

Microsoft: Iranian hackers are exploiting ZeroLogon flaw

6 Oct 2020
The Ritz suffers data breach after hackers pose as staff
data breaches

The Ritz suffers data breach after hackers pose as staff

17 Aug 2020

Most Popular

Do smart devices make us less intelligent?
artificial intelligence (AI)

Do smart devices make us less intelligent?

19 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
What is Neuralink?
Technology

What is Neuralink?

24 Oct 2020