This week, the UK government has put forward the Product Security and Telecommunications Infrastructure (PSTI) Bill to Parliament with the aim to secure everyday consumers from IoT threats, particularly with the rise in adoption of internet-facing devices.
The Bill will introduce new cybersecurity standards that manufacturers of IoT devices must follow – these include those that also distribute and import phones, TVs, fitness devices and other handheld devices.
The legislation will also mandate that all devices that have the capabilities to connect to other devices without the need for the internet, like smart light bulbs and smart thermostats.
It will also ban the use of universal default passwords, requiring manufacturers to be clear about their processes when fixing security vulnerabilities while also creating a better framework for external parties to report issues. Manufacturers will also be responsible to investigate and manage any compliance failures.
If found non-compliant of these rules then the regulator, which will be newly formed, has the power to apply heavy fines of up to £10m of 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.
The bill has been largely welcomed by the cybersecurity sector with the following experts providing their thoughts:
Trevor Morgan, product manager at comforte AG:
“The UK’s proposed legislation to protect consumers’ connected homes and smart devices should be welcomed by the general public. Does it solve every issue with consumer-focused cyber-crime? No, but it makes significant headway toward raising peoples’ attentions to the ever-present dangers posed by threat actors. Default passwords, for example, only encourage people to use devices without first changing to a stronger and more secure password, creating a wide-open vector for cyber-criminals to attempt to gain entry. Nobody should miss default passwords! Overall, anything like this proposed UK legislation that institutes common sense rules for vendors to follow and that makes people more aware of and engaged in cyber-security is a welcome step toward a safer and more secure digital home.”
Eoin Keary, CEO and founder of Edgescan:
“This is great news. It may not address the tens of millions of devices out there, but it’s a positive step in the right direction. Automated attacks use dictionaries of default passwords once a device and version is identified, resulting in attacks that are very cheap and easy to mount.
Some firms such as Netgear have been implementing stronger security controls for some time, and have done so by setting the password as a random word + a random integer (e.g. kitchn3789, annimal59838 etc) – a default/factory set password which is different to all other devices.
An alternative solution is to deploy multi factor authentication (MFA) which prevents password guessing attacks. However, MFA is often not suitable for many IoT devices due to the friction it causes for end users.”
Andy Norton, cyber risk officer at Armis:
“There are other UK initiatives and laws in various countries that attempt to specify design principles that would reduce the risk of a cyber breach, such as the requirement to remove default credentials from the manufacturing process. However, legislation can only do so much. What will essentially happen is that the attack surface for consumers is going to dramatically expand as cybercriminals figure out many new opportunities to extort or steal from all these new devices.
To combat this threat, some are suggesting a neighbourhood watch approach for IoT devices, something that can tell when your device starts acting strangely compared to its previous activity and compared to the activity of other similar devices. This form of cyber burglar alarm service will be discretionary but also vital as no one expects the average person to patch a toaster or create firewall rules for the doorbell.”
John Goodacre – Director of UKRI’s Digital Security by Design and Professor of computer architectures at the University of Manchester:
“Technology is relied upon by nearly everyone in today’s society in all aspects of our day to day lives. It reaches our children’s toys, our in home entertainment systems, speakers and of course our smartphones. This policy provides a basis for the security requirements of those goods to be considered by manufacturers and distributors of goods. However, the policy accepts that vulnerabilities can still exist in even the best protected consumer technologies with security researchers regularly identifying security flaws in products. In today’s world, we can only continue to patch these vulnerabilities once they are found, putting a plaster over the wound once damage may have already been done. Further initiatives are needed for technology to block such wounds from happening at the foundational level. One such initiative, funded by the UK Government through UK Research and Innovation is the Digital Security by Design Programme. Working with Industry and Academia, the programme aims to limit the impact of these vulnerabilities by taking the next step to cyber security by strengthening the hardware foundation on which software runs.”
Javvad Malik, lead security awareness advocate at KnowBe4:
In recent years IoT and smart devices have flooded both organisations and individuals homes. But the security on these devices often falls woefully short of expectations. Poor authentication such as default or hard-coded passwords is a common occurrence, which makes it trivial for attackers to take control of these devices.
We’ve seen many instances where attackers have gained access to smart devices ranging from CCTV, baby monitors, toys, doorbells etc. Such access can be used to spy, cause distress, or recruit devices into a botnet to launch DDoS attacks such as we saw with Mirai.
The new legislation to ban default passwords is a small, but extremely significant first step towards ensuring better security of IoT devices. Hopefully this will raise the profile of security amongst IoT vendors and encourage them to include more robust security measures when designing new products.