Experts: UK Gov’s IoT Security Guidelines Must Go Further

The UK government has proposed new industry guidelines designed to improve the security of IoT products, although experts have argued that they don’t go far enough.

The government’s Secure by Design review is intended to move the burden of securing smart gadgets away from consumers by ensuring it's built in from the start.

Developed in collaboration with industry and the National Cyber Security Centre (NCSC), it outlines practical steps for manufacturers, service providers and developers.

These include ensuring all passwords are unique and not resettable to a factory default. This would help mitigate the Mirai threat, which co-opted hundreds of thousands of smart devices into a DDoS botnet, causing widespread internet outages.

Other steps include having a vulnerability disclosure process, encrypting sensitive data, automatic software updates with clear customer guidance and making it easy for consumers to delete personal data.

With claims that UK households will be using 420 million connected devices in three years, and increasing threats from IoT malware, it would seem the government has timed its intervention right.

However, although it claimed to be planning the implementation of a “rigorous new Code of Practice” to improve IoT security, the current proposals are not binding, meaning providers can still get away with selling poorly secured products.

That’s not necessarily a problem, according to David Emm, principal security researcher at Kaspersky Lab.

“If the government allows manufacturers who comply with the standards to display a clearly-visible mark (like the British Standards Institute kitemark), it would provide an easy way for consumers to tell if something is safe, putting manufacturers who don’t comply at a disadvantage,” he argued.

NCSC technical director, Ian Levy, also hopes the new approach will result in the development of a kitemark.

“Shoppers should be given high quality information to make choices at the counter,” he said. “We manage it with fat content of food and this is the start of doing the same for the cybersecurity of technology products.”

However, information security expert Steve Lord claimed on Twitter that the new measures are “what happens when you put a bunch of people far removed from IoT in charge of things they simply don’t understand.”

He called for more support for start-ups to get formal security reviews, sector-specific guidance for implementers and legal compliance guidance on data protection, especially in light of the GDPR.

Ian Parker, professional services consultant at Axians, argued that despite the new proposals, UK consumers would still not be able to trust manufacturers to produce secure kit.

“Unless the IoT device is a security device in itself, the manufacturers will want to make it as cost-effective as possible with a quick production cycle. Security, on the other hand, is time consuming, costs money and is not widely understood,” he added.

Intercede CEO, Richard Parris, was also dissatisfied with the government’s proposals.

“What’s really needed is tougher rules on the core authentication technologies used on these devices. Passwords, default or not, are inherently insecure, inconvenient and a pain to use and remember. Much more robust alternatives are readily available,” he argued.

“Given these are voluntary guidelines I’m not optimistic that they will be followed by manufacturers around the world.”

The government is now consulting the industry on the shape of the new guidelines, in a process which will run until April 25.
