The UK government has introduced a proposed new law designed to improve IoT security-by-design and to require that retailers sell only devices carrying an explanatory security label for consumers.
The new rules build on a voluntary code of practice introduced last year which was intended to force manufacturers to build security protections into products at the design stage.
The government is now consulting on how to go further, in an attempt to improve the baseline security of products and consumers’ ability to differentiate between the devices on the shelves.
Also mooted are proposals to make the main elements of the code of practice mandatory, including requirements that: IoT device passwords be unique and not resettable to factory defaults; manufacturers provide a vulnerability disclosure policy and a public point of contact; and manufacturers state the minimum length of time for which the device will receive security updates.
Although the labeling scheme will initially be voluntary, the plans have been billed as another milestone in the government’s efforts to make the UK a global leader in online safety.
“This is an important first step in creating flexible and purposeful regulation that stamps out poor security practices, which techUK’s research shows can act as significant barriers on the take-up of consumer IoT devices,” said techUK CEO, Julian David.
“The proposals set out have the potential to positively impact the security of devices made across the world and it is good to see the government is working with international partners to ensure a consistent approach to IoT security. TechUK looks forward to responding to this consultation on behalf of our members.”
F-Secure principal consultant, Tom Gaffney, said the security vendor was critical of the code of conduct as it was voluntary, but added that “by proposing a legal framework the UK government is taking a step in the right direction.”
“As many as one third of IoT attacks abuse weak passwords and legislating to fix this basic issue can only be a good thing,” he argued.
Katie Vickery, partner at international law firm Osborne Clarke, said even the voluntary code of conduct was intended to alter the legal liability framework for IoT products.
“This proposed new legislation would make that shift absolutely clear – manufacturers would have to meet minimum security standards on all IoT devices sold in the UK,” she added. “The use of voluntary labeling will also encourage compliance, as consumers seek out those devices that give them some added assurance.”
Tim Rawlins, director and senior adviser at NCC Group, argued that the proposed laws would put pressure on manufacturers to improve baseline security.
“But there needs to be a continuing focus on driving improvements in security in IoT products across the design and manufacturing industry. Security needs to be a firm focus well before any of these IoT devices end up in users’ hands,” he added.