The UK government has ambitious plans to make life harder for cyber criminals and to place more responsibility on the manufacturers or resellers of smart devices to tick some security boxes on behalf of the consumer. Here’s the press release, with some comments in brackets:
Makers of smart devices including phones, speakers, and doorbells will need to tell customers upfront how long a product will be guaranteed to receive vital security updates under groundbreaking plans to protect people from cyber attacks.
New figures commissioned by the government show almost half (49%) of UK residents have purchased at least one smart device since the start of the coronavirus pandemic. These everyday products – such as smart watches, TVs and cameras – offer a huge range of benefits, yet many remain vulnerable to cyber attacks.
Just one vulnerable device can put a user’s network at risk. In 2017, attackers infamously succeeded in stealing data from a North American casino via an internet-connected fish tank. In extreme cases hostile groups have taken advantage of poor security features to access people’s webcams.
To counter this threat, the government is planning a new law to make sure virtually all smart devices meet new requirements:
- Customers must be informed at the point of sale the duration of time for which a smart device will receive security software updates
- A ban on manufacturers using universal default passwords, such as ‘password’ or ‘admin’, that are often preset in a device’s factory settings and are easily guessable (Who decides which passwords are easy to guess: the manufacturers, or the government? – Ed)
- Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.
Smartphones are the latest product to be put in scope of the planned Secure By Design legislation, following a call for views on smart device cyber security the government has responded to today. It comes after research from consumer group Which? found a third of people kept their last phone for four years, while some brands only offer security updates for a little over two years.
The government continues to urge people to follow NCSC guidance and change default passwords as well as regularly update apps and software to help protect their devices from cyber criminals. (One big problem is that people don’t want to constantly update their apps and software, but placing blame on consumers for cyber breaches is not the way to resolve the problem – Ed)
Digital Infrastructure Minister Matt Warman said:
Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems.
We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.
The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.
Security updates are a crucial tool for protecting people against cyber criminals trying to hack devices.
Yet research from University College London found none of the 270 smart products it assessed displayed information setting out the length of time the device would receive security updates at the point of sale or in the accompanying product paperwork. By forcing tech firms to be upfront about when devices will no longer be supported, the law will help prevent users from unwittingly leaving themselves open to cyber threats by using an older device whose security could be outdated.
Just one in five global manufacturers have a mechanism in place to allow security researchers – firms and individuals who find security flaws in devices – to report vulnerabilities. These moves have been supported by important tech associations across the globe including the Internet of Secure Things (IoXT), whose members include some of the world’s biggest tech companies including Google, Amazon and Facebook.
Brad Ree, CTO of the Internet of Secure Things (IoXT) Alliance, said:
We applaud the UK government for taking this critical step to demand more from IoT device manufacturers and to better protect the consumers and businesses that use them.
Requiring unique passwords, operating a vulnerability disclosure programme, and informing consumers of the length of time products will be supported is a minimum that any manufacturer should provide. These are all included in the IoXT compliance programme and have been well received by manufacturers around the world.
National Cyber Security Centre Technical Director Dr Ian Levy said:
Consumers are increasingly reliant on connected products at work and at home. The Covid-19 pandemic has only accelerated this trend and while manufacturers of these devices are improving security practices gradually, it is not yet good enough.
DCMS’ publication builds on the 2018 Code of Practice and ETSI EN 303 645 to clearly outline the expectations on industry. To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now.
It is also important to support uptake of good practice and provide industry with opportunities to innovate. I’m pleased to see the pilots, funded by DCMS, begin to test ways in which customers will be able to gain confidence in the security of these devices.
The government intends to introduce legislation as soon as parliamentary time allows. (Expect these proposals to be altered