Legislating IoT Security

It’s no secret that the security of IoT (Internet of Things) devices has been one of the more woeful areas in the sphere of cyber security. Aggravating this problem has been the increasing ubiquity of these devices within home and business networks, popping up in everything from refrigerators to cars.

While they might be commonly called IoT devices, it would be more accurate to simply call them computers, often of a miniscule size, but more powerful than some desktop PCs running a decade or two ago.

It’s often been the case that most of these devices come insecurely configured with default credentials, with some running on very old GNU/Linux kernels. Frequently, these are Internet-facing devices, effectively punching a hole through any firewall sitting on a LAN. That means any vulnerabilities on these computers are also more exposed. More exposure leads to a greater likelihood that an attacker with malicious intentions discovers these vulnerabilities and remotely exploits them. Once that happens, you’ve effectively invited the attacker onto your home or business network, allowing them to cause further damage.

In order to combat this growing problem, the UK government has recently introduced the Product Security and Telecommunications Infrastructure bill in Parliament, legislation that requires IoT manufacturers, importers, and distributors to meet certain cyber security standards.

Compliance Requirements

The three key areas to this bill are:

• A ban on default passwords
• Manufacturers must provide a public point of contact to make it simpler to report security vulnerabilities.
• Manufacturers must keep customers updated on the minimum time a product will receive security updates.

The regulating body for this has yet to be named, but any non-compliance would result in hefty fines of £10 million or 4% of annual revenue, as well as up to £20,000 a day in the case of ongoing non-compliance.

Limitations

As has been pointed out by some, while the law is commendable for its goals to secure such devices, it may create additional problems. For instance, leaving it to users to set their own passwords, which may result in weak passwords being used.

In addition, without a minimum time requirement to fix a vulnerability after its disclosure, these vulnerabilities could remain open for exploitation.

It also remains to be seen how effective this legislation will be in today’s world of international commerce, where home and business customers can order directly from manufacturers. It’s important to note that the law only applies if the product is a “UK consumer connectable product”. With certain products being broadly available to buyers from all countries, it would be hard to make the case that any specific effort has been made for the product to be targeted at UK customers. Even if we assume that the law is interpreted in such a way, legal jurisdictions would limit the punitive actions of the regulatory body against foreign manufacturers.

A major part of the problem here is that manufacturers aren’t forced to adopt secure development standards alongside regular and thorough penetration testing. Measures such as these would likely increase costs for the manufacturers, but would force them to implement security at a foundational level, and by design, rather than an afterthought. Home and business users would likely end up having to pay more for these devices, but it would be a small price to pay when we consider the potential risks and damage that could arise from exploitation of these devices.