The UK government has launched a voluntary code of practice for internet-connected device makers, and urged industry to improve the security of their consumer IoT products.
The code – which the government claims is a ‘world first’ – has 13 guidelines intended to ensure connected items are ‘secure by design’.
“From smartwatches to children’s toys, internet-connected devices have positively impacted our lives but it is crucial they have the best possible security to keep us safe from invasions of privacy or cyber attacks,” said UK minister for digital, Margot James.
“The UK is taking the lead globally on product safety and shifting the burden away from consumers having to secure their devices,” she added.
The guidelines include: no default passwords; a vulnerability disclosure policy; pushed software updates; secure storage of credentials and security-sensitive data; encrypted in-transit communications and secure key management; resilience to outages; monitoring of telemetry data; and making it easy for users to delete personal data from any device.
The government began reviewing IoT security practices in early 2017; its plans for a code of practice were set out in its Secure by Design policy paper, authored by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC).
Gartner estimates that there will be around 20 billion internet-connected devices worldwide by 2020. More than 420 million internet-connected devices are expected to be in use across the UK within the next three years.
Dr Ian Levy, the NCSC’s technical director, said the code “couldn’t come at a more important time”.
“We want retailers to only stock internet-connected devices that meet these principles, so that UK consumers can trust that the technology they bring into their homes will be properly supported throughout its lifetime,” Levy said.
The government said that its procurement processes “will be adjusted to ensure future negotiations with suppliers of IoT products used by government departments” employ the code.
HP and Centrica Hive are the first companies to commit to the guidelines.
Centrica Hive said all of the company’s new devices – designed and manufactured from 1st January 2021 – would adhere to the 13 guidelines.
“The pledges by HP and Centrica Hive Ltd are a welcome first step but it is vital other manufacturers follow their lead to ensure strong security measures are built into everyday technology from the moment it is designed,” added James.
Last year US senators introduced a bill requiring suppliers of internet-connected devices to the US government to make their products patchable, and prohibiting them from supplying devices with unchangeable passwords or known vulnerabilities.
California governor Jerry Brown signed two bills around IoT security, the main provision being that "a manufacturer of a connected device shall equip the device with a reasonable security feature or features".
The legislation’s vagueness, and its recommendation of added security features (as opposed to fewer insecure features), have been criticised by experts.
Both bills will become law in 2020, to give manufacturers time to become compliant.
The New South Wales Cyber Security Strategy, launched last month, outlined plans for Infrastructure NSW and the government chief information security office to work on ensuring IoT devices have “cyber security risk assessments built in as part of a comprehensive assurance process”.