NCC Group welcomes DCMS call for evidence to improve consumer IoT security legislation

The UK’s Department for Digital, Culture, Media and Sport (DCMS) has released a detailed call for evidence on the legislation that will mandate security requirements for consumer Internet of Things (IoT) devices.

Over the coming months, the DCMS will be consulting with the public, manufacturers and industry experts to ensure the proposed legislation will work in practice when implemented.

Proposals announced earlier this year set out three basic requirements to ensure the security of consumer IoT devices:

• Device passwords must be unique and not resettable to any universal factory setting
• Manufacturers must provide a public point of contact so anyone can report a vulnerability
• Information stating the minimum length of time for which the device will receive security updates must be provided to customers

During this process, the DCMS will also scope out what powers could be granted to a designated enforcement body. This could include the ability to temporarily ban the supply or sale of a product during testing, permanently ban insecure products if a breach is identified and issue penalty fines directly to any organisations that break the law.

This work is part of the UK government’s long-term commitment to improving security across all consumer IoT devices, and builds on the implementation of the global standard implemented by theEuropean Telecommunications Standards Institute (ETSI) last year.

Last year, NCC Group worked with leading consumer body Which? to publish research detailing vulnerabilities we discovered in popular connected toys. Our findings highlighted how many device manufactures are still struggling with the basics and underlined the urgent need for more rigorous standards to be applied across connected toys for children.

Commenting on the DCMS’s plans, Ollie Whitehouse, global CTO at NCC Group said: “This is a significant step towards establishing more robust security requirements for IoT devices and giving consumers the confidence that the devices they are using are safe and secure.

“Being resilient is no longer a question of cyber literacy – it's now about empowering manufacturers with the tools and knowledge to embed security by design into consumer IoT devices from the outset.

“It’s great to see that an evidence-based approach has been followed when setting out the security requirements, but this needs to be constantly reviewed to ensure continued resilience. We also welcome the proposal of a designated enforcement body, which will give teeth to the legislation.

“Over the next few months, the cyber security industry will play a vital role in upskilling manufacturers and the enforcement body to ensure that they are able to proactively monitor compliance and improve standards. This action in the UK is just one of a number of global initiatives being introduced, and it’s brilliant to see that governments across the world are working towards a future where only the safest and most secure devices are available to consumers.”