Wednesday, May 1st, 2019 (11:05 am)

The Government has today launched a new consultation on their proposal to introduce new laws that would seek to improve the security of internet connected devices, such as smart TVs, broadband ISP routers, smart speakers and other Internet of Things (IoT) style devices. But “initially” these will only be voluntary.

As most people will hopefully know by now, not all internet connected devices are as secure as they probably should be. Sadly many devices still come with a default admin password that’s the same for every unit sold (until you change it and not everybody bothers to do that) and others fail to adopt decent encryption for their communications, which in both cases leaves the kit exposed to hackers and cyber attacks.

Similarly, once the hardware has been shipped, manufacturers can become very poor at keeping it up-to-date with the latest firmware (software upgrades) in order to protect against new vulnerabilities or to correct bugs. This has been a particular problem when it comes to many third-party broadband ISP routers (one advantage of a router bundled by your ISP is that they often keep it updated automatically).

Admittedly bundled routers from ISPs aren’t perfect either and over the years even they have been targeted by sophisticated malware, such as the Mirai worm that infected the kit being used by lots of major providers. So last year the Government started the process of trying to tackle such issues by setting out their Secure by Design review, which proposed a new industry code of conduct.

The New Security Label

The new consultation essentially proposes the introduction of a mandatory new labelling scheme, which would tell consumers how secure their products are based on several key criteria (not exactly foolproof but it’s a good start). In addition, retailers will only be able to sell items with the security label, although this would initially only be launched as a voluntary scheme “until regulation comes into force.”

The label itself would mandate that a supporting device must adhere to what the Government has identified as the top three security requirements.

Top 3 Requirements for the Label

* Device passwords must be unique and not resettable to any universal factory setting.
* Manufacturers of IoT products must provide a public point of contact as part of a vulnerability disclosure policy.
* Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.

No doubt some people will have wanted even stricter controls, although some hardware will inevitably have a shorter working life and different requirements than others. “We are mindful of the risk of dampening innovation and applying a strong burden on manufacturers of all shapes and sizes. This is why we have worked to define what baseline security looks like,” said the consultation.

Margot James, UK Digital Minister, said: “Many consumer products that are connected to the internet are often found to be insecure, putting consumers’ privacy and security at risk. Our Code of Practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought. These new proposals will help to improve the safety of Internet connected devices and is another milestone in our bid to be a global leader in online safety.”

The main thrust of today’s consultation appears to centre on the question of how the Government will mandate retailers to only sell products with the new label attached. For example, manufacturers could be allowed to self-declare and implement a security label of their own or one that adheres to just the top 3 requirements. Alternatively they may only be allowed to sell such products if the label “evidences compliance with all 13 guidelines” (we’ve re-published the original 13 points below).

Assuming all goes well then the new security label is expected to be introduced via its initial voluntary run “later this year.”