UK Government Proposes IoT Security Measures
Rules Would Strengthen Password Protection and Vulnerability Reporting
With the number of installed internet of things devices expected to surpass 75 billion by 2025, the U.K. government is taking the first steps toward creating new security requirements for manufacturers to strengthen password protections and improve how vulnerabilities are reported.
The U.K. Department for Digital, Culture, Media and Sport on Monday released a set of draft proposals for new IoT security regulations following a seven-month study. The report was based on input from the National Cyber Security Center, which is part of intelligence agency GCHQ, as well as academics, manufacturers and retailers.
The security proposals released Monday mainly focus on improving the security of passwords by ensuring that they are not resettable to any universal factory setting as well as refining the way IoT manufacturers disclose vulnerabilities in their connected devices.
The goal of these proposals is to provide greater security protections as the number of connected devices, including security cameras, routers, smart home devices and autonomous vehicles, increases. One study conducted by the U.K. think tank WRAP finds that U.K. households will have an average of 10 to 15 IoT devices by the end of 2020.
Over the next several years, as 5G networks come online, organizations of all sizes will have to contend with even more connected devices. That creates an even larger potential attack surface for launching distributed denial-of-service attacks, spreading malware or breaching networks (see: A CISO's Security Predictions for 2020).
In September, security firm F-Secure released a study of nearly 3 billion attacks recorded by its honeypots in the first half of 2019. Of that number, researchers noted that 26 percent of all attacks targeted telnet ports, which are mainly used by IoT and connected devices.
Beyond Voluntary Standards
While the U.K. has used a voluntary approach to IoT security so far, Matt Warman, the minister for Digital and Broadband at the Department for Digital, Culture, Media and Sport, notes that the growing number of connected devices and the security risks that they pose require a new approach.
"Whilst the U.K. government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design," Warman says. "Citizens' privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers."
A spokesperson for the Department for Digital, Culture, Media and Sport told the BBC that there is no timeframe for when legislation might be introduced based on final recommendations.
Three Security Improvements
The proposal revealed Monday calls for manufacturers of IoT devices to take three steps:
- Make passwords unique and not resettable to any universal factory setting.
- Provide a public point of contact as part of a vulnerability disclosure policy.
- Provide guidance on when security updates for devices will be released.
These steps have their origins in the "Secure By Design" program, which was developed by the Department for Digital, Culture, Media and Sport and the National Cyber Security Center to give manufacturers a code of practice for building internet-connected devices (see: War Declared on Default Passwords).
The security problems stemming from default passwords on IoT devices are well known. For example, in 2016, the low-tech, high-impact Mirai botnet was built to exploit the default usernames and passwords used by dozens of manufacturers' IoT devices.
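The first of the three steps above, unique passwords that a factory reset cannot roll back to a shared default, is the one Mirai-style credential attacks turn on. The following is an added illustration, not code from the proposal or from any manufacturer: a hypothetical provisioning routine that derives each unit's initial password from a per-unit random secret (so a reset restores that unit's own value rather than a universal one), plus a fleet audit a defender could run to flag units still on a shared or well-known default. The default list and the serial numbers are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample of the kind of universal factory defaults that botnets
# such as Mirai tried; illustrative values, not taken from any vendor.
UNIVERSAL_DEFAULTS = {"admin", "password", "1234", "12345", "default"}


def derive_password(unit_secret: bytes) -> str:
    """Derive the unit's initial password from its own secret.

    HMAC keyed by the per-unit secret over a fixed label: the result is unique
    per unit and there is no shared constant for a reset to fall back to.
    (Hypothetical scheme for illustration; 16 hex chars shown for readability.)
    """
    return hmac.new(unit_secret, b"initial-password", hashlib.sha256).hexdigest()[:16]


def provision_device(serial: str) -> dict:
    """Factory step: mint a random per-unit secret and its derived password."""
    unit_secret = secrets.token_bytes(32)
    return {"serial": serial, "unit_secret": unit_secret,
            "password": derive_password(unit_secret)}


def factory_reset(device: dict) -> dict:
    """A reset regenerates this unit's own password, never a universal one."""
    device["password"] = derive_password(device["unit_secret"])
    return device


def audit_fleet(devices: list) -> dict:
    """Defender's check over device records (serial + current password).

    Returns serials that use a well-known universal default and serials whose
    password is shared with at least one other unit in the fleet.
    """
    by_password: dict = {}
    for d in devices:
        by_password.setdefault(d["password"], []).append(d["serial"])
    universal = [d["serial"] for d in devices if d["password"] in UNIVERSAL_DEFAULTS]
    shared = [s for serials in by_password.values() if len(serials) > 1 for s in serials]
    return {"universal_default": universal, "shared": shared}


if __name__ == "__main__":
    # Constructed fleet: two units on a universal default, two sharing a
    # password, and one provisioned uniquely.
    fleet = [
        {"serial": "SN-A", "password": "admin"},
        {"serial": "SN-B", "password": "admin"},
        {"serial": "SN-C", "password": "xyz123"},
        {"serial": "SN-D", "password": "xyz123"},
        provision_device("SN-E"),
    ]
    print(audit_fleet(fleet))
```

The audit deliberately reports shared passwords separately from known defaults: a vendor that replaced "admin" with one new constant across a whole product line would pass the default-list check and still fail the intent of the rule.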
While manufacturers must follow government regulations when it comes to electrical and other safety features of their devices, Brian Honan, the president of Dublin-based cybersecurity consultancy BH Consulting, says the same rules should be applied to cybersecurity.
"This is a very good first step in making vendors responsible for the security of the devices they are selling," Honan tells Information Security Media Group. "The rules do not cover all aspects of IoT security and indeed the U.K. government acknowledges this by stating the rules are no silver bullet. Hopefully, over time this will evolve."
And while these proposals are a good way to secure individual devices, the government should also look for ways to do more to secure the "systems" that these devices will create, Honan says.
Other Government Action
Other government agencies and lawmakers around the world are also taking notice of how poorly designed and implemented default passwords on IoT devices remain a significant security concern.
On Jan. 1, a new law, Senate Bill No. 327, went into effect in California that requires internet-connected device manufacturers "to equip the device with a reasonable security feature or features," including better password protection.
Meanwhile, the European Union Agency for Network and Information Security, or ENISA, released its own " Good Practices for Security of IoT" report in November, which addressed issues of the software development lifecycle of connected devices and how better design and planning can reduce vulnerabilities.
Chris Morales, the head of security analytics at security firm Vectra, notes that the recommendations released in the U.K. Monday address some IoT security issues that have been in the news.
For example, in December, Wyze, a smart home device manufacturer, left a customer database unsecured and exposed to the open internet. The database contained personal information and tokens that might have been used to access consumer cameras (see: Smart Home Device Maker Wyze Exposed Camera Database).
Also in December, the New York Times reported that a third party could hack the Ring home security product from Amazon simply by using the owner's username and password because no additional authentication is needed.
"We cannot put the onus of security on the consumer," Morales says. "And the manufacturer needs to be accountable at some level, else the market becomes flooded with cheap devices with complete disregard to consumer security and privacy. This is the state I believe we are in today. Starting with some basic security minimum standards, as proposed, does help."