UK government announces plans for new IoT security law

Today, the UK government's Department for Digital, Culture, Media and Sport (DCMS) has published its response to its call for evidence seeking feedback on proposals to regulate the cyber security of consumer smart products.

A new law, which will likely be announced next month in the Queen's Speech, will require manufacturers to make sure that all consumer connected products meet minimum cyber security requirements before they are placed on the UK market. The law will also require them to publish a declaration of conformity, which should be verified by retailers.

These basic security requirements include:

  • Security updates: according to plans set out in the Policy Paper, makers of smart devices, including phones, speakers and doorbells, will need to tell consumers upfront, at the point of sale, how long their devices will continue to receive security updates.
  • A ban on universal default passwords: research, including our own with the consumer champion Which?, has repeatedly found widely available connected devices shipped with easily guessable default passwords such as 'password' or 'admin'. To tackle this, the new law will ban manufacturers from shipping devices with universal default passwords (the same factory credential across every unit).
  • Public point of contact for vulnerability reporting: the law will also require manufacturers to provide a public point of contact so that anyone can report a vulnerability in their products.

To align with global efforts, the legislation is intended to be interoperable and compatible with other product regulations and international standards.

This news comes as the number of connected devices continues to grow, with almost half (49%) of UK residents having purchased at least one smart device since the start of the coronavirus pandemic.

Over the last five years, NCC Group's Hardware & Embedded Systems practice has carried out extensive research into the IoT space to uncover the security issues that continue to proliferate across the connected devices market in both the consumer and enterprise spheres.

This includes working closely with the UK consumer champion Which? to understand and expose the scope of these issues, and to highlight the impact these weaknesses could have if exploited.

Last year, we were also named an Authorized Lab by the ioXt Alliance, the global standard for IoT security and the industry group dedicated to building confidence in IoT products through multi-stakeholder security and privacy requirements, product compliance programmes, and public transparency.

Commenting on the proposed legislation, Ollie Whitehouse, global CTO at NCC Group, said: "For many years now we, alongside other campaigners and leaders across the cyber security industry, have been calling for legislation that sets a clear benchmark for the security of connected devices.

"The proposals set out today mark a significant turning point for IoT security for the journey ahead of us. It's promising to see the emphasis placed on international engagement and the role the UK can play in shaping and setting global standards. We’re also pleased to see that manufacturers are being encouraged to work towards compliance ahead of the law coming into force, which means that they should be given enough grace time to implement measures before they become a legal requirement.

"Looking ahead though, more detail on how this new law will be enforced is needed, including the body that will be responsible for spearheading the legislation. When this is decided, the enforcement body will need to have a mandate, and non-compliance must have consequences to ensure that standards are set and met across the connected devices ecosystem. In turn, this will help to raise the cyber resilience of devices consumers and businesses use every day, and root out insecure devices in the UK market, and in due course, globally.

"That said, we do recognise that this needs to be done in a way that allows a flexible and agile response to technological, international and threat actor evolution, which will require continuous monitoring, evaluation and evolution to respond to trends based on evidence."

Topics

  • Technology, general

Categories

  • research
  • cyber security
  • securing our connected future
  • uk

Related content

  • NCC Group hails global advances in IOT security standards

    Four months after the UK’s Department for Digital, Culture, Media and Sport finalised its Secure by Design Code of Practice, the global standards body, European Telecommunications Standards Institute (ETSI) has today (19 February) published its industry standard ‘Cyber Security for Consumer Internet of Things’.

  • Lights out for smart plugs?

    Many of us will be well aware of the security risks that connected devices can pose to our personal security, but what about the security of the smart plugs that help bring our connected homes together?

  • Honeypot research reveals the connected life might not be so sweet

    Smart TVs, fridges, toothbrushes, heating, plugs, cameras, kettles – these are just a few of the connected devices that have made their way into our homes. But what are the security implications of introducing more of these smart devices into our homes? Our latest research with Which? and the Global Cyber Alliance delves into this.

  • Are dash cam users en-route to security risks?

    We rely on dash cams to continuously record events that happen on the road, and to provide evidence in the event of road traffic incidents or accidents. But can we trust them to keep our data safe and secure? In our latest research with Which?, we put nine devices to the test and uncovered a number of issues.

  • Home is where the hack is?

    Smart products, such as doorbells, wireless cameras and alarms, have been increasingly popular purchases for consumers in recent years. The products can bring a range of efficiencies into the home, but a recent investigation from independent UK consumer body, Which?, shows that they could also present security and privacy risks.