The Internet of Things (IoT) gets some bad press. We all feel a little ‘creeped out’ when an advert for the local garden centre pops up as we open YouTube – was Alexa listening in?
IoT devices generate and consume our personal data, so they are a potential cybersecurity nightmare. A report on IoT security from Gemalto makes scary reading: one key finding is that almost half of businesses cannot even tell whether their IoT devices have been breached, and consumer IoT devices fare no better. With data breach statistics rising year on year, the last thing anyone wants is more ways to lose data.
But what can we do?
The Gemalto report also highlights that over three-quarters of companies want governments to take a more active role in IoT security. Legislation that enforces security rules will certainly help, and the UK government seems to be heeding this warning: it has just released a consultation paper on regulatory proposals for consumer Internet of Things (IoT) security.
Regulation and the IoT – a UK Perspective
On 1 May 2019, the UK Government’s Department for Digital, Culture, Media & Sport (DCMS) released a consultation paper on regulatory proposals for consumer IoT security. This builds on the “Code of Practice for Consumer IoT Security” published in 2018, which manufacturers such as HP and Centrica have signed up to.
The Code of Practice is an introductory document and is voluntary. It sets out practical security guidance for manufacturers of consumer IoT devices. Its overriding principle is to design with security in mind, and it gives 13 guidelines on how to implement security by design. Three examples from the list give a flavour:
- No default passwords. In a previous blog post, we talked about the Mirai botnet of 2016. Mirai assembled a botnet of consumer IoT devices and used it for massive Distributed Denial of Service (DDoS) attacks. It spread by simply logging in over telnet with a short list of factory-default usernames and passwords, so any device still running its shipped credentials could be taken over.
- Make it easy for consumers to delete personal data. A simple but effective way of giving consumers control over their data, and it also supports the GDPR rights of access, rectification and, above all, erasure.
- Minimise exposed attack surfaces. Every interface a device exposes is something an attacker can probe, so the Code asks that unused ports are closed, services that are not used are not made available, hardware does not unnecessarily expose access (debug ports such as UART or JTAG, for example) and code is kept to the functionality the device needs. Devices and services should operate on the ‘principle of least privilege’: each component gets only the access it needs to do its job. The same thinking underpins the Zero Trust model, which sets out to control every way in which someone or something accesses an IT resource, physical and digital access as well as programmatic access through open ports.
Advisories are useful. They set out what should be done and build up a body of best practice. But they need weight behind them, which is where legislation comes in, and that takes time. On 1 May Digital Minister Margot James announced the start of a consultation on what will, hopefully, become a new regulation for consumer IoT security in the UK.
Consultation Paper on Regulatory Proposals for IoT Security
The consultation, which closes on 5 June 2019, is open to anyone involved in the manufacture and sale of consumer IoT devices, as well as academics and consumer groups. It seeks the industry’s views on how to ensure consumers understand the risks of using an IoT device and what the industry can do to mitigate those risks. The proposals specifically “seek to better protect consumers’ privacy and online security which can be put at risk by insecure devices”.
The proposals aim to set a security baseline for all consumer IoT devices without weakening the UK’s position as an innovator in the area.
One expected outcome of the consultation is an ‘IoT security label’. The label would tell consumers what level of protection a device offers, acting as a form of self-certification of how well the device meets the security criteria of the Code. Initially, the label would be voluntary.
The label would be based on the Code of Practice for Consumer IoT Security (mentioned above), and specifically on its top three guidelines:
- IoT device passwords must be unique and not resettable to any universal factory setting
- Manufacturers of IoT devices need to provide a public point of contact as part of a vulnerability disclosure policy
- Manufacturers of IoT devices need to explicitly state the minimum length of time for which the product will receive security updates
What’s Next in IoT Security Regulation?
The step after the consultation looks likely to be mandatory compliance with the Code of Practice. In an ideal world, the designers and manufacturers of IoT devices, and of any other technology, would treat security as central to design. But we live in a world where first to market counts for more than the security of personal data. Legislation levels the playing field: it forces everyone involved to meet the same set of rules. That is not perfect; smaller manufacturers may find implementing the regulation onerous in time and money. But data protection is paramount, and we can no longer leave it to chance.
Data breaches happen all the time. The IoT needs to be regulated, and IoT-held data protected, in the same way that other industries must comply with data protection law.