8.5.19

The UK plans to legislate to secure IoT, but is it really the answer?


A reflection on whether this approach to addressing IoT security challenges can ‘deliver the goods’ and how consumer awareness can help


According to an article by the BBC, the United Kingdom’s Digital Minister Margot James is proposing legislation to introduce a new labelling system to show customers how secure an IoT product is.
In order to gain the necessary label, IoT devices will need to:
·         by default have a unique password,
·         state clearly for how long security updates will be made available,
·         offer a public point of contact for vulnerability disclosure.
The initiative, which is part of the UK’s bid to be a global leader in online safety, follows California’s legislation that comes into effect in 2020 and bans weak passwords on internet-connected devices. Both the proposed UK and actual Californian legislation are steps in the right direction, or at the very least will make vendors consider security at the design phase of developing an IoT product. But is legislation the answer?
Let us now pause to consider what is actually meant by IoT devices here. The Californian law offers the following definition: a connected device “means any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address”. This covers a wide variety of devices, cars, light bulbs, laptops, thermostats to cell phones, the list is endless.
On my desk I have a Bluetooth speaker. It has no password, it gathers no data, nor transmits any, or at least to my knowledge. Is this device covered by the Californian legislation? Will it need a unique password?
In the same vein, should a consumer purchasing a Tesla car in the UK expect to see a label on the car stating that it meets the basic security legislation for IoT? Or does every device within the Tesla that may communicate independently need to have a label?
So insecure
The need for security is without question, and some, maybe many, of the manufacturers of IoT devices have failed to take reasonable measures to secure their devices. And it’s this failing that has driven politicians to act. In the UK this started with a voluntary code of practice, and it is a subset of this that is now progressing towards legislation.
But as a general rule, legislation stifles innovation. The technology industry is already moving away from passwords. Bret Arsenault, Microsoft’s Chief Information Security Officer, announced that 90 percent of Microsoft employees can log on to the corporate network without a password, as the company envisages a ‘world without passwords’. Its employees are using other options, including Windows Hello and the Authenticator app, that provide alternatives such as facial recognition, fingerprints, and two-factor-authentication.
Legislation that is not effective until next year or is still being proposed is likely to be out of date by the time it takes full effect. It will compel device manufacturers to use technology that an industry is attempting to move away from in search of more secure options.
In a recent analysis of data that has been subject to breach, the UK’s National Cyber Security Centre (NCSC) found that 23.2 million user account worldwide were secured with ‘123456’, and 7.7 million used ‘123456789’ as password. The data demonstrates a lack of engagement by consumers to secure their online accounts, a complacency that creates opportunity for cybercriminals.
I recently presented at cybersecurity events both in the USA and Argentina on the need to consider security when connecting any device to a network, specifically in smart buildings. A question to the audience – “when did you last update the infotainment system in your car?” –had the same results in both places. The audience looked perplexed. They are cybersecurity experts and yet they connect their phone, a very personal device, by Bluetooth to a system they never update. Amusingly, one attendee connected with me the following day and said that neither he nor the dealer could update his system despite it being out of date.
Fast forward a few years, and you get the shiny new IoT device home, with its label showing that is has a unique password and there will be updates for five years. On first use, and for simplicity, you set the password to the same as all the other passwords on devices in the house, you plug the device in and enjoy the convenience of whatever functionality it comes with. When the manufacturer sends you an email notification that there is a firmware update, assuming you registered the device, you delete it as the device is working and why update something that works.
While legislation drives industry to make devices more secure out of the box it is likely to be education and engagement of consumers that will make them more secure in their home. I wonder if you can legislate for this?