UK government proposes laws to tighten smart device security
The government has revealed details of its proposals to improve the security of “virtually all” smart devices. The legislation aims to ban easy-to-guess default passwords, make it easier to report bugs, and force manufacturers to say when their devices will stop receiving security updates.
Research commissioned by the government shows that almost half (49 per cent) of UK residents have purchased at least one smart device since the start of the coronavirus pandemic. Cyber-security experts have frequently expressed concern about the lax security practices of many IoT device manufacturers. At present, it is often unclear how long device manufacturers will continue to provide crucial updates patching flaws, including vulnerabilities that could be exploited by hackers.
Under the 'Secure by Design' proposals, manufacturers would have to tell customers at the point of sale how long they can guarantee security software updates for the device. It is hoped that the change will help protect users from unknowingly exposing themselves to cyber threats by using an outdated device that may no longer be secure.
The proposals would also ban universal default passwords such as 'admin' or '0000', which – if left unchanged – could allow very easy access to connected devices. A 2018 study demonstrated that it can take just half an hour and virtually no technical know-how to hack devices from baby monitors to smart doorbells, often through a simple search for the brand name to find default passwords. An E&T investigation explored the ease with which these devices can be exploited.
“Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems,” said the digital infrastructure minister Matt Warman. “We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.
“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”
Under the proposals, manufacturers will also need to provide a simple point of contact for users to report any vulnerabilities. According to a government statement, just one in five global manufacturers have a mechanism in place to allow security researchers to report vulnerabilities.
The proposals were welcomed by the Internet of Secure Things (IoXT) Alliance, whose members include Google, Amazon and Facebook; the group described the plan as a “critical step to demand more from IoT device manufacturers and to better protect the consumers and businesses that use them”. It has called for requiring unique passwords, operating a vulnerability disclosure scheme, and informing consumers how long products will be supported with software updates.
Dr Ian Levy, technical director at the National Cyber Security Centre, commented: “Consumers are increasingly reliant on connected products at work and at home. The Covid-19 pandemic has only accelerated this trend and while manufacturers of these devices are improving security practices gradually, it is not yet good enough. To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now.”
John Moor, managing director of the IoT Security Foundation, said: “The [IoT] is constantly evolving and security requirements must continue to keep pace. As such, the importance of vulnerability management and updating security software cannot be understated. In the words of one of our members: if it ain’t secure, it ain’t smart.”
Annalaura Gallo, head of the Cybersecurity Tech Accord secretariat, added: “Trust in technology is a key issue of our time and security is a fundamental building block to achieve this. We welcome the leading role played by the UK government in promoting a national and international focus on this issue in a way which is designed to drive up security without imposing onerous burdens on people creating new technology for consumers.”
Joseph Carson, chief security scientist at software security company Thycotic, welcomed the proposals but suggested they should go further: “I believe the need to push passwords into the background should be the focus of the solution rather than pain for consumers to remember complex passwords for all devices. Vendors should work with best-in-breed security vendors […] rather than leaving that responsibility with the consumer. Solutions that help reduce the need for users to choose passwords such as password managers can help move them into the background and remove the pain of cyber fatigue that comes with remembering and changing them.
“Responsible public disclosure is critical and must focus on the 'do not harm' concept to reduce risks. Public disclosures tend to set the race to create exploits for vulnerabilities which can cause bigger problems for customers. However, responsible disclosure should not be just based on the vulnerability but the actual risk, as vulnerabilities are not equal,” he continued.
“We focus too much on the vendor rather than the customer. Responsible disclosure should prioritise that notification of a vulnerability to customers with the intention of reducing the risks by either making the vulnerability public or applying a vendor patch. Difficulty to patch systems should also be taken into consideration as even with public vulnerability disclosures, most systems remain unpatched for much longer, sometimes even years. Responsible disclosure is too broad today and needs to really put the customer first.
“All of these new UK laws regarding smart devices are very welcome but the UK government must continue to work with the security industry to ensure it is possible to implement and achieve these with genuinely usable security as the priority.”