Mender blog

The end of easy password guessing… this time in the UK

Just a few days after California passed a new law preventing the use of default passwords in connected devices, the United Kingdom follows up with a similar, but even more comprehensive law.

In a press release from the UK government on January 27th 2020 called “Government to strengthen security of internet-connected products”, the new law and its implications are clearly outlined. The measures taken and plans going forward are indeed promising for the security of consumers of IoT devices in the UK.

The following passage clearly illustrates the UK government’s concern and helps explain why governmental regulation has become a necessity:

“Forecasts vary, but some suggest that by 2025, there will be an estimated 75 billion internet connected devices worldwide. Closer to home, it is also estimated that ownership of smart devices could rise from 10 to 15 devices per UK household this year.

Many of the internet-connected devices currently on the market still lack even the most basic cyber security provisions. Over 90% of 331 manufacturers, supplying the UK market, reviewed in 2018 did not possess a comprehensive vulnerability disclosure programme up to the level we would expect”

The three new security requirements explained

The UK government started the process a couple of years ago, and the law sets out three clear requirements for anyone manufacturing and selling internet-connected products:

1) All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting

2) Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner

3) Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online

A new baseline of Security Labelling of connected products on the horizon

As the third and last requirement makes clear, all connected devices will soon have to carry a label stating that they will receive security updates and for how long. This is a big deal. We have all become accustomed to Wi-Fi, Intel Inside, Bluetooth and similar labels on our electronic products. Soon consumers will, for the first time, see and come to expect security labels as well.

The UK government has not yet decided how to enforce the labelling requirement or what such a label should look like, but accompanying the press release are two interesting reports (“IoT labelling online study” and “Consumer Internet of Things Security Labelling Survey Research Findings”). Further, during the consultation on regulatory proposals on consumer IoT security, labelling and enforcement of the law were given a lot of attention. We should expect to see a concrete outcome in the near future:

“Taking the evidence into account, deeper consideration needs to be given to this issue. Consumers need to be confident about the security of their smart devices when buying the device. With this in mind, we are therefore conducting further policy development on how UK retailers (or those selling into the UK) can best evidence security information to consumers at the point of sale, whilst still ensuring minimum disruption for the supply chain”

Unfortunately, the law does not specify a minimum period for which a device must receive security updates, nor does it require vendors to follow particular standards (such as CVE monitoring). The hope is that competition will emerge and that consumers will become more aware of their privacy, security and safety risks. If so, they will use their purchasing power to select products with longer security update lifetimes.

This is only the beginning - another 13 security measures in the pipeline

The UK government has acted wisely in basing the new law on its Code of Practice for consumer IoT security, while acknowledging the necessity of international alignment.

Here at Mender, we expect the EU, and hopefully later the whole world, to converge on standards that protect consumers regardless of where they are, in the same way your Wi-Fi works regardless of where you use it.

The UK government has indicated today’s law is just a first step. According to their spokesperson: “As previously announced, the Government intends to pursue a staged approach to regulation in this area. We are starting with focusing on the most important security requirements (the top three guidelines in Code/ETSI TS), but, through continuous stakeholder consultation, intend to mandate further security requirements in the future to ensure that regulation is keeping pace with emerging technology.”

Below are the 13 security measures identified as the baseline security for connected products. As a manufacturer of connected products, you would do well to prepare for several of these to become requirements in the near future:

1) No default passwords

2) Implement a vulnerability disclosure policy

3) Keep software updated

4) Securely store credentials and security-sensitive data

5) Communicate securely

6) Minimise exposed attack surfaces

7) Ensure software integrity

8) Ensure that personal data is protected

9) Make systems resilient to outages

10) Monitor system telemetry data

11) Make it easy for consumers to delete personal data

12) Make installation and maintenance of devices easy

13) Validate input data

You can read more about each of these measures here.

Get ready!

If you are a manufacturer of connected devices, we recommend you start implementing these security measures sooner rather than later.

Both the EU and the USA have regulatory initiatives in progress to compel the industry to further improve its security posture.

Just as politicians woke up to the privacy concerns surrounding social media, they are now waking up to the security and safety of their citizens in the new world of hyper-connectivity.

The EU can impose a 4% worldwide turnover penalty on companies that don’t comply with GDPR. How much do you think they will impose on vendors that have sold millions of compromised devices that have been exploited due to lack of baseline security handling?
