The UK Government has detailed its ambition to shift the burden of consumer IoT security away from end-users and towards industry.
On 7 March, the Government revealed its Secure by Design policy paper. In it, the Department for Digital, Culture, Media & Sport highlights two ongoing risks associated with the Internet of Things: vulnerable IoT devices and digital attacks like the now-infamous Dyn DDoS campaign that capitalize on those weaknesses. It goes on to say that joint Government and industry action in response to those risks is a “matter of urgency.”
Officials believe the Government should work to improve the security of consumer IoT devices by setting incentives for industry. Subsequently, they launched a 2017 review to explore the rights and responsibilities of consumers and industry organizations when it comes to securing the Internet of Things.
This review ultimately produced an industry “Code of Practice” for developing and selling IoT devices. It makes several recommendations to device manufacturers. These include the following:
- Use unique passwords for IoT devices.
- Create a vulnerability disclosure policy with a public point of contact.
- Make all software components within smart devices capable of receiving remote updates.
Ken Munro, an analyst at security firm Pen Test Partners, thinks the review serves as a good starting point. Even so, he feels it has a ways to go before actually helping to address the challenges of IoT security. As he told BBC News:
“Responsible IoT (internet of things) manufacturers are already addressing security. It’s the irresponsible manufacturers who aren’t interested, don’t care about our security or who refuse security on grounds of cost that we need to worry about. Without ‘teeth’, this standard is meaningless. Manufacturers who already play fast and loose with our security to make a quick buck from us won’t change anything.”
Munro expressed to The Register the need specifically for legislation that can, among other things, impose fines on those manufacturers that neglect IoT security.
Interested parties can submit feedback on the Code of Practice, among some of the other draft proposals included in the Government officials, by emailing email@example.com before 25 April 2018.