30.1.20

IoT laws are coming: What to expect


No more default logins on new IoT devices if UK legislators get their way.

By Cameron Camp

I just returned from CES, where virtually every aisle was chock-full of IoT devices. But how secure are they? While we’ve been promoting security on these devices for some time now, IoT developers have been slow to adopt it. Lawmakers in California took some notice in 2018, and now it seems that legislators in the United Kingdom want to take things to the next level, too.

While it’s unclear whether the proposed legislation will be adopted, UK MPs have this to say:
“Whilst the UK Government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design. Citizens’ privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers.”

Whether or not the legislation is enacted, this sends a strong signal to the industry that government intervention seems likely. While other countries may take a wait-and-see approach, it seems likely further laws will be enacted around the globe over time.

The good news is that basic IoT security steps are not overly burdensome. Requiring new owners to change the default login password when they log in for the first time is something the industry has known about for some time, and is not costly to implement.

Setting a lifespan for firmware updates certainly does cost more, since companies would be paying to support firmware that would no longer directly result in revenue. Companies with longer-term vision tend to already be thinking along those lines, but forcing them to state when support will end brings it to the fore.

It’s unclear whether customers understand the importance of knowing the support lifespan until it lapses years later and vulnerabilities are then discovered.

The industry counters obtusely by promoting frequent customer upgrades in light of new technological advances to their platforms, but those upgrades don’t always happen. Everyone knows someone with a 5- or 10-year-old home router, for which support has long since lapsed while the device itself is still actively in use.

And that’s the problem.
We see newly minted attacks against herds of common routers that show no signs of being retired anytime soon. These machines, once zombified, can be used to launch and amplify attacks worldwide, often without the knowledge of their owners.


One more thing: the UK lawmakers seek to compel companies to maintain a security point-of-contact, something that’s all but impossible to find today, especially in smaller companies.
Will this legislation slow innovation? Somewhat, but hopefully the proposed changes would only require moderate efforts from good actors to implement. And whether or not this draft of proposed legislation becomes law, some soon will, so manufacturers would do well to take note.