UK Drafts Regulations for IoT Device Security
There are now more than 30 billion IoT devices on the Internet, and Statista predicts that “The total installed base of Internet of Things (IoT) connected devices is projected to amount to 75.44 billion worldwide by 2025, a fivefold increase in ten years.” IoT devices make life easier in many ways, but the lack of security in many of those smart devices increases the possibility of threats from cybercriminals, including social engineering, advanced persistent threats, ransomware, identity and data theft, man-in-the-middle attacks, and other large-scale cyberattacks. For example, for several years we have witnessed unsecured IoT devices being easily hijacked and recruited into zombie botnets to unleash damaging distributed denial of service (DDoS) attacks.
Devices often have weak authentication mechanisms, hard-coded passwords that users cannot change, or default passwords that users seldom change. These vulnerabilities can harm private citizens and the broader economy. While there are DDoS mitigation solutions to protect organizations from such attacks, and the security weaknesses of IoT devices are often discussed and documented, those weaknesses have yet to be resolved at any significant level. Unfortunately, it was not effective enough for governments to merely recommend that manufacturers voluntarily ensure that their devices can’t be hacked; there are still far too many manufacturers that build IoT devices with little to no thought about their security architecture.
After studying the problem from December 2016 to February 2018, the government of the United Kingdom, in conjunction with its National Cyber Security Centre (NCSC), drafted proposals for improving the cyber security of consumer IoT products and associated services. The Consultation on Regulatory Proposals on Consumer IoT Security states: “Whilst the UK Government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design. Citizens’ privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers.”
According to the UK Department for Digital, Media, Culture and Sport, the regulatory proposals are based on three top guidelines:
- IoT device passwords must be unique and not resettable to any universal factory setting.
- Manufacturers of IoT products must provide a public point of contact as part of a vulnerability disclosure policy.
- Manufacturers of IoT products must explicitly state the minimum length of time for which the device will receive security updates.
This is an extremely positive move by the UK, one that should make IoT devices less of an easy target in the UK and, hopefully, more broadly across the globe, as more manufacturers comply with these regulations in order to sell into the UK. However, end users of these products and cybersecurity professionals, who are often on the wrong end of their misuse, should not become complacent by thinking this will solve all IoT-related cybercrime. The UK government is currently alone in its actions; other countries around the world, including the US, are considering similar regulations, but there are a vast number of IoT manufacturers around the globe who are not required, or willing, to abide by such regulations. And even if and when manufacturers do take these measures, it is often up to the end users to follow best practices by changing the default passwords or installing security patch updates.
We should also recognize that global, socially responsible companies such as Microsoft, Apple, Cisco, and others have been focusing on software security for a couple of decades now, yet cybercriminals still manage to find new vulnerabilities in their operating systems. Stopping the use of fixed default passwords for IoT devices will help at the front door, but the cybercriminals have had over two decades to perfect the art of finding alternate entry points. Rather than relaxing, organizations need to double down on efforts to protect their networks, services and applications from the ever-changing cyber threats associated with IoT devices.
For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments, without the downtime, or hassle, associated with other solutions. If you’d like to learn more, please contact us.
Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.