The End of Easy Password guessing ….. this time in the UK
Just a few days after California passed a new law preventing the use of default passwords in connected devices, the United Kingdom follows up with a similar, but even more comprehensive law.
In a press release from the UK government on January 27th 2020 called “Government to strengthen security of internet-connected products”, the new law and its implications are clearly outlined. The measures taken and plans going forward are indeed promising for the security of consumers of IoT devices in the UK.
The following clearly illustrates the the UK’s government’s concern, and help us understand why governmental regulations have become a necessity:
“Forecasts vary, but some suggest that by 2025, there will be an estimated 75 billion internet connected devices worldwide. Closer to home, it is also estimated that ownership of smart devices could rise from 10 to 15 devices per UK household this year.
Many of the internet-connected devices currently on the market still lack even the most basic cyber security provisions. Over 90% of 331 manufacturers, supplying the UK market, reviewed in 2018 did not possess a comprehensive vulnerability disclosure programme up to the level we would expect”
The three new security requirements explained
The UK government started the process a couple of years ago, and the law led to 3 clear requirements to anyone manufacturing and selling internet connected products:
1) All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting
2) Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
3) Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online
A new baseline of Security Labelling of connected products on the horizon
As you can read from the third and last requirement, all connected devices soon have to carry a label saying that it will receive security updates and for how long. This is a big thing. We have all come accustomed to Wi-fi, intel inside, bluetooth and similar labels on our electronics products. Soon consumers will for the first time see and expect to see security stickers.
The UK government has not yet decided how to enforce and what such a label should look like, but accompanying the press-release are two interesting reports (“IoT labelling online study” and “Consumer Internet of Things Security Labelling Survey Research Findings. Further, during the consultation on regulatory proposals on consumer IoT security, labeling and the enforcement of the law was given a lot of attention. We should expect to see some real outcome in the near future:
“Taking the evidence into account, deeper consideration needs to be given to this issue. Consumers need to be confident about the security of their smart devices when buying the device. With this in mind, we are therefore conducting further policy development on how UK retailers (or those selling into the UK) can best evidence security information to consumers at the point of sale, whilst still ensuring minimum disruption for the supply chain”
Unfortunately, the law doesn’t indicate a minimum time for how long a device shall receive security updates, nor does it enforce vendors to follow certain standards (like CVE monitoring). The hope lies in competition to arise and consumers becoming more aware of their privacy, security and safety risks. If so, they will use their purchasing power to select products with longer security update lifetimes.
This is only the beginning - another 13 security measures in the pipeline
The UK government acts smartly, in that they have based the new law on a Code of Practice for consumer IoT security, while acknowledging the necessity of international alignment.
Here at Northern.tech, we are expecting the EU, and hopefully later the whole world to come to standards that protects the consumers regardless of where they are, the same way your wi-fi will work regardless of where you use it.
The UK government has indicated today’s law is just a first step. According to their spokesperson: “As previously announced, the Government intends to pursue a staged approach to regulation in this area. We are starting with focusing on the most important security requirements (the top three guidelines in Code/ETSI TS), but, through continuous stakeholder consultation, intend to mandate further security requirements in the future to ensure that regulation is keeping pace with emerging technology.”
Below are the 13 security measures identified for baseline security of connected products, and as a manufacturer of connected products you do smart in preparing for several of these to become requirements in the near future:
1) No default passwords
2) Implement a vulnerability disclosure policy
3) Keep software updated
4) Securely store credentials and security-sensitive data
5) Communicate securely
6) Minimise exposed attack surfaces
7) Ensure software integrity
8) Ensure that personal data is protected
9) Make systems resilient to outages
10) Monitor system telemetry data
11) Make it easy for consumers to delete personal data
12) Make installation and maintenance of devices easy
13) Validate input data
You can read more about each of these measures here.
If you are a manufacturer of connected devices, we recommend you to start implementing security measures sooner rather than later.
Both the EU and USA have regulatory initiatives in process to enforce the industry to further improve on their security postures.
In a similar way the politicians woke up to realize the privacy concerns with social media, they are now waking up to the security, and safety of its citizens in the new world of hyper-connectivity.
The EU can impose a 4% worldwide turnover penalty on companies that don’t comply with GDPR. How much do you think they will impose on vendors that have sold millions of compromised devices that have been exploited due to lack of baseline security handling?