The UK's IoT proposals are riddled with ‘astonishing’ gaps

Image: small robots connected to represent a botnet (credit: Shutterstock)

Billions of IoT devices power everything from home routers to smart ovens, with the number only set to soar in a booming market. These devices carry security risks, however, partly because they’re often built to launch as soon as possible, with cyber security taking a backseat in the design process. Once connected devices make it into homes and businesses, manufacturers can also be slow to update them, giving rise to further risks.

The consequences of a breach are clear. Compromised IoT devices form a weak point through which attackers can target a business or individual. Large numbers of IoT devices can also be compromised to form a botnet to perform distributed denial of service (DDoS) attacks; this is a devastating form of cyber attack in its own right.

The growing security risks posed by the IoT landscape have prompted the government to propose the Product Security and Telecommunications Infrastructure (PSTI) Bill. This focuses on strengthening the security of IoT hardware, as well as bolstering networks through an update to the Electronic Communications Code.

Among its stipulations, the bill outlines the need to end default passwords, alongside plans to integrate security from the outset. It’s been welcomed by many but has also attracted criticism from experts, who say, simply, it doesn’t go far enough.

Millions of devices will remain at risk

The bill is flawed chiefly because it doesn’t cover vehicles, smart meters, medical devices and desktop and laptop computers, says Martin Tyley, head of cyber at KPMG UK. “Over the past 18 months, we’ve witnessed threat actors’ attempts to take advantage of home workers, many of whom have been forced to use personal devices,” he tells IT Pro. “The new law could do more to protect these individuals, as well as the businesses who employ them whose hybrid networks are subsequently at risk.”

David Warburton, principal threat research evangelist at F5, is also concerned about its scope. “Baby monitors, smart fridges and other home devices are named but other products, such as light bulbs and internet routers are not,” he laments. “The majority of DDoS botnets comprise broadband routers, so it’s astonishing they’re not included in the bill.”

Image: girl working on her laptop at home (credit: Shutterstock). The mass shift to remote working increased the scope of threats.

In addition, while the regulation asks manufacturers to comply from a forward-looking date, it doesn’t address devices already out in the field. The bill, therefore, leaves millions of devices exposed to cyber security and privacy risks, adds Mark Brown, global MD of cyber security and information resilience at the British Standards Institution.

The PSTI bill aims to streamline the process for manufacturers disclosing security vulnerabilities. On paper, this makes sense, but fixes must be issued immediately so criminals can’t use the disclosed details to perform attacks, says Tom Cox, cyber defence manager at Bridewell Consulting. “If manufacturers have to disclose known vulnerabilities publicly without being forced to issue automated fixes, attack vectors will essentially be broadcast globally, making them readily available for malicious activity.”

In addition, the bill doesn’t stipulate a minimum support period for security updates, says Phil Robinson, principal consultant and founder of cyber security consultancy Prism Infosec. “Manufacturers can still release products without a commitment to supporting them, therefore leaving this decision in the hands of consumers who may not understand the risks.”

While the bill requires IoT manufacturers to improve default password security and regularly patch devices, the real issue centres on ensuring device owners apply the fixes, says Alan Calder, CEO of GRC International Group. “There are millions of home Wi-Fi routers out there that still have their default passwords and are not patched when necessary.”

At the same time, large numbers of IoT devices are made in China, which is a concern given sanctions already in place in the UK and US, Calder adds. It’s not clear what steps the bill envisages should be taken to ensure Chinese manufacturers don’t build backdoors into such hardware.

Grinding to a halt

While creating issues for users, the regulation could also cause headaches for businesses. With companies currently facing multiple cyber risks, the PSTI bill simply adds another task to CISOs’ ever-growing to-do lists, says Tyley. “Manufacturers are already struggling to stave off threat actors and comply with existing legislation. Adding another regulation into the mix could overwhelm them.”

Tyley thinks all cyber security regulations should be issued alongside guidance and support for the industries expected to comply. “Regulators and the UK Government have a view of the cyber threats these organisations face that goes well beyond what any one player in the industry could expect to understand,” he continues. “There is a responsibility to explain why it’s coming into effect and how to consider its implications.”

If businesses have to rush to comply with the regulation when it arrives, too, it could be difficult to think holistically about security. This could impact customer relationships, profit potential and market position. “It will be most damaging for smaller organisations that do not have the funds to invest. It is these manufacturers who will miss the mark on product security and privacy and may risk losing market share to competitors who get it right.”

Waiting a year for the regulation to come into place is too long for many smaller firms, adds Piers Linney, CEO of Moblox, a tech service provider for small businesses. He cites the example of a small independent baker that recently invested in IoT ovens which were targeted with ransomware. “The ovens were hacked and the business couldn’t switch them on again until they paid a ransom. This was devastating for them as it meant they were effectively put out of business.”

Image: somebody operating an oven using their smartphone (credit: Getty Images). There are billions of IoT devices being shipped to the market, including smart ovens.


With this risk in mind, Linney advises looking at security holistically – rather than focusing on IoT devices in isolation. He cites strong authentication, staff training and timely updates as ways of ensuring security across the business.

In its current form, it’s unlikely the bill will end the UK’s connected devices nightmare, but the legislation is only in its early stages and still has a long way to go before it becomes law. Many organisations currently lack awareness of the new legislation, and the assets that pose the risk, says Brown. While firms wait for the bill to progress, education will raise awareness, but many will fail to act until after they’re breached. As he points out: “Until an organisation suffers a significant breach, or reputational damage as a result of insecure IoT, many will be slow to embrace and comply with these new regulations.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.