The government has introduced proposed legislation to ensure the growing number of connected Internet of Things (IoT) devices in use in homes and businesses around the UK do not present a security risk, by requiring manufacturers to improve their security.
Under the plans, published by the Department for Digital, Culture, Media and Sport, providers of IoT gadgets will have to build basic cyber security protections into every device they sell, while buyers will also be able to access more detailed information on the security of such items.
Although the legislation currently targets consumer-focused IoT gadgets, from smart TVs and connected light bulbs to internet-connected toys, many of these items are also likely to find their way into business networks, where they may present an overlooked security risk.
National Cyber Security Centre technical director Dr Ian Levy said: "Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it's unacceptable that these are not being fixed by manufacturers."
Therefore, the new proposals will require mandatory implementation of three key security requirements that are set out in the current 'Secure by Design' code of practice.
The first of these will be to ensure IoT device passwords are unique and not resettable to any universal factory setting.
Manufacturers of IoT products must also provide a public point of contact as part of a vulnerability disclosure policy.
Finally, these firms will be required to explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.
At the same time, the government is consulting on the introduction of a new labelling scheme that would tell buyers how secure their devices are, with items lacking this label unable to be sold in the UK.
The plans were welcomed by security experts, with IoT researcher Ken Munro telling BBC News they will help "fix the mess that is consumer smart product security".
However, he added: "It's important that government doesn't allow the proposed regulation to be watered down during consultation. The proposals are limited, but a good start."