Brian Sims

Cyber security law brought forward by Government to protect smart devices

THE MANUFACTURERS of smart devices including phones, speakers and doorbells will now need to tell customers up front how long a given product is guaranteed to receive vital security updates under the Government’s groundbreaking plans designed to protect people from cyber attacks.

New figures commissioned by the Government show that almost half (49%) of UK residents have purchased at least one smart device since the start of the Coronavirus pandemic. These everyday products, among them smart watches, televisions and cameras, undoubtedly offer a huge range of benefits, yet many remain vulnerable to cyber attack.

Just one vulnerable device can put a user’s network at risk. In 2017, attackers infamously succeeded in stealing data from a North American casino via an Internet-connected fish tank. In the more extreme cases, hostile groups have taken advantage of poor security features to access people’s webcams.

To counter this threat, the Government is planning a new law to make sure virtually all smart devices meet new requirements. Under the new legislation, customers must be informed at the point of sale about the duration of time for which a smart device will receive security software updates. There will be a ban on manufacturers using universal default passwords, such as ‘Password’ or ‘Admin’, that are often pre-set in a device’s factory settings and easily guessable. Manufacturers will also be required to provide a public point of contact to make it simpler for anyone to report a suspected vulnerability.

Smart phones are the latest product to be put in scope of the planned ‘Secure By Design’ legislation following a call for views on smart device cyber security. Consumer group Which? Conducted a study which found that a third of people kept their last mobile phone for circa four years, while some brands only offer security updates for a little over two years.

The Government continues to urge people to follow National Cyber Security Centre guidance and change default passwords as well as regularly update apps and software to help protect their devices from cyber criminals.

Gold mine for hackers

Digital Infrastructure Minister Matt Warman explained: “Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number of them still run older software with holes in their security systems. We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy. We’re also making devices harder to break into by banning easily guessable default passwords.”

Backed by tech associations around the world, the Government’s reforms will “torpedo” the efforts of online criminals and boost the wider mission to build back safer from the pandemic.

Security updates are a crucial tool for protecting people against cyber criminals trying to hack devices. However, research at University College London found none of the 270 smart products it assessed displayed information setting out the length of time the device would receive security updates at the point of sale or in the accompanying product paperwork.

By forcing tech firms to be up front about when devices will no longer be supported, the law will help prevent users from unwittingly leaving themselves open to cyber threats by using an older device whose security could be outdated.

Just one-in-five global manufacturers have a mechanism in place to allow security researchers (ie firms and individuals who find security flaws in devices) to report vulnerabilities.

These moves have been supported by important tech associations across the globe, among them the Internet of Secure Things (IoXT) Alliance, whose members are some of the world’s biggest tech companies and include Google, Amazon and Facebook.

Critical step forward

Brad Ree, CTO of the IoXT Alliance, said: “We applaud the UK Government for taking this critical step to demand more from Internet of Things (IoT) device manufacturers and to better protect the consumers and businesses that use them. Requiring unique passwords, operating a vulnerability disclosure programme and informing consumers on the length of time products will be supported is a minimum that any manufacturer should provide. These are all included in the IoXt compliance programme and have been well received by manufacturers around the world.”

The new law builds upon world-leading work the Government has already transacted to boost the security of smart devices, including publishing a Code of Practice for device manufacturers to boost the security of their products in 2018.

Last month, Digital Secretary Oliver Dowden set out the Government’s ten tech priorities which include keeping the UK safe and secure online. Further, the Government recently published its integrated review of defence and security. It has also played a vital role in developing the first major international standard for consumer device cyber security to help manufacturers protect consumers around the world from falling victim to cyber attacks.

This standard has been supported by the Cyber Security Tech Accord, an industry association whose members include Arm, Microsoft and Dell, and has also been promoted in Australia, Singapore, Finland and India, in turn demonstrating Britain’s global influence as a cyber power.

Three new voluntary assurance schemes have been launched to give shoppers confidence a smart product has been made cyber secure thanks to a £400,000 Government grant. The Smart TV Cyber Security Certification Programme will provide third party testing and give confidence to buyers of smart TV products by allowing approved devices to display a certification logo.

In parallel, the IASME IoT Security Assured initiative will be open to start-ups and smaller companies to carry out verified cyber security self-assessment of their products to ensure they meet high standards.

Reliant on connected products

Dr Ian Levy, technical director at the National Cyber Security Centre, observed: “Consumers are increasingly reliant on connected products at work and at home. The COVID-19 pandemic has only accelerated this trend and, while manufacturers of these devices are improving security practices gradually, it’s not yet good enough.”

Levy continued: “The Department for Digital, Culture, Media and Sport’s publication builds on the 2018 Code of Practice and ETSI EN 303 645 to clearly outline the expectations placed on industry. To protect consumers and build trust across the sector, it’s vital that manufacturers take responsibility and pay attention to these proposals now. It’s also important to support the uptake of good practice and provide industry with opportunities to innovate. I’m pleased to see the pilots funded by the Government beginning to test ways in which customers will be able to gain confidence in the security of these devices.”

Annalaura Gallo, head of the Cyber Security Tech Accord’s secretariat, responded: “Trust in technology is a key issue of our time and security is a fundamental building block to achieve this. We welcome the leading role played by the UK Government in promoting a national and international focus on this issue in a way which is designed to drive up security without imposing onerous burdens on people creating new technology for consumers.”

John Moor, managing director of the Internet of Things Security Foundation, added: “We welcome this announcement as a necessary and considered development to make consumers safer. As an expert body, we welcome the clarity it brings for our manufacturing members both now and moving forwards.

The Internet of Things is constantly evolving and security requirements must continue to keep pace. As such, the importance of vulnerability management and updating security software cannot be understated. In the words of one of our members: ‘Remember that, if it isn’t secure, it isn’t smart’.”

Rocio Concha (director of policy and advocacy at Which?) concluded: “New laws to tackle this issue are a crucial step as there are a vast array of connected devices with security flaws, many of which are currently on the market, that put consumers at risk from cyber criminals. We share the Government’s ambition to make the UK one of the safest places in the world for consumers to use smart technology. This desire must be backed up by strong enforcement, ensuring people can gain effective redress when they purchase devices that fail to meet security standards and leave them exposed to data breaches and scams.”

The Government fully intends to introduce the new legislation as soon as time in the Houses of Parliament allows.

Company Info

Security Matters

Western Business Media
Dorset House
64 High Street
East Grinstead
RH19 3DE