If successful, the UK’s IoT security legislation will benefit the security posture of home environments and have knock-on benefits for business
The UK government has announced its intention to introduce legislation to improve the security of consumer smart devices, including smartphones. This will legally enforce certain aspects of the Code of Practice the government published in October 2018.
More specifically, it is the government’s response to a consultation document published in May 2019.
“Internet connected products that have universal default passwords, are not updated against known security flaws, or are otherwise designed without security in mind pose a serious threat to individual privacy and security,” says the government in this week’s announcement. “These products also pose a wider threat if a malicious actor takes control and uses them to attack others including businesses, government and infrastructure.”
The legislation will affect all consumer connected devices, including smart speakers, smart televisions, connected doorbells, connected cameras, and smartphones – but will not apply to laptops or PCs. It will focus on three areas: vendor disclosure of security update period; banning of easily guessable default passwords; and rules to simplify vulnerability reporting.
Smartphones
If successful, this legislation will clearly benefit the security posture of the home environment – but in an age of working from home, it will have knock-on benefits for business. Better secured smartphones will reduce the likelihood of them being used by hackers to attack corporate networks, while overall consumer IoT protection will make it harder for attackers to build massive Mirai-style botnets.
The big question is whether the legislation can be successful. Big phone manufacturers such as Apple, Samsung, Google, and Nokia will undoubtedly comply with specifying the length of time for which security updates will be guaranteed. But will consumers take any notice? A survey by Which? published in December 2020 found a third of users retain their phone for more than four years while some brands continue updates for just two years.
This puts the onus on the user to be aware of the update period, and to either replace it or find some other method of securing it when the period expires. Neither of these are likely. The alternative solution – for suppliers to increase the period of guaranteed security updates – is even less likely since frequent phone replacement is an important part of their business plan.
Equally problematic is the tendency for second-hand phones to be sold in high street phone shops, and to be sold on cheap to friends when the next generation is purchased. That second-hand phone could easily be out of its security update period with neither the buyer nor seller being aware. Noticeably, second-hand products are specifically excluded from the legislation – but that makes the overall validity of the rule questionable.
Passwords
Banning easily guessed default passwords will in theory improve the posture of the device – but again suffers from enforceability. “People may buy substandard IoT devices from abroad in a few clicks, while customs have insufficient resources to monitor compliance with highly complicated legislation amid the influx of foreign goods,” comments Ilia Kolochenko, CEO and founder at ImmuniWeb. “A toothless law will unlikely deter bad practices that it aims to regulate.
“Problematically,” he adds, “most of the insecure and dangerous IoT devices are manufactured in third-party countries that are often ignorant to any judicial cooperation with the UK authorities. Thus, however good the law will be, its practical enforcement will be decisive for its eventual success.”
Vulnerability reporting
The third area of the proposed legislation will, however, benefit the consumer IoT security posture, even though it will most likely be used by professionals. White hat hackers frequently have as much difficulty in finding where to report a vulnerability as they do in finding the vulnerability. With better and stricter vulnerability reporting rules, there is likely to be better and more timely vulnerability patching.
“The intent of this requirement is to provide a transparent route for third parties to report vulnerabilities to the manufacturer, making it possible for security issues to be resolved,” says the government.
Missing from this section are details on the next stage after vulnerability reporting – vulnerability disclosure. “We focus too much on the vendor rather than the customer,” Joseph Carson, chief security scientist at Thycotic (recently merged with Centrify) told SecurityWeek. The legislative proposal will help the vendor learn about vulnerabilities, but does nothing in itself to inform the consumer. That will come down to the researchers’ choice between full or responsible disclosure.
“Responsible disclosure should prioritize the notification of a vulnerability to customers with the intention of reducing the risks by either making the vulnerability public or applying a vendor patch,” continued Carson. “Responsible disclosure is too broad today and needs to focus on the consumer.”
The general conclusion is that any new legislation to improve the security of IoT devices is to be welcomed. “We welcome this announcement as a necessary and considered development to make consumers safer,” comments John Moor, MD of the Internet of Things Security Foundation. “As an expert body, we welcome the clarity it brings for our manufacturing members both now and moving forwards.”
Security professionals, however, are less confident that it will make a huge difference– with enforceability being the primary concern. “All of these new UK laws regarding smart devices are very welcome but the UK government must continue to work with the security industry to ensure it is possible to implement and achieve these with genuinely usable security as the priority,” comments Carson.
“However good the law may be, its practical enforcement will be decisive for its eventual success,” warns Kolochenko.
Fennel Aurora, security adviser at F-Secure, goes further. “While these are small steps in the right direction, any approach that puts the onus on consumers to verify the security and privacy of goods is fundamentally missing the point,” he told SecurityWeek. “These measures only just scratch the surface of what is really needed. They are minor tweaks covering only very basic cases, and still leave almost all the responsibility on the consumers to verify and fix.”
Related: NIST Working on Global IoT Cybersecurity Standards
Related: IoT Cybersecurity Improvement Act Signed into Law
Related: DHS Publishes Principles, Best Practices for Securing IoT
