UK Government to Introduce New Security by Design Legislation for IoT Devices


The UK government will be introducing legislation that imposes new security obligations on manufacturers of Internet of Things (IoT) devices. The aim of the new Security by Design legislation is to protect consumers and businesses from IoT-based cyberattacks. The new legislation will also cover smartphones.

Growing Use of IoT Devices

The UK’s Department of Digital, Media and Sport (DCMS) announced the new Security by Design legislation on Wednesday. The announcement comes amidst growing use of IoT devices in the UK, partially caused by the outbreak of the Covid-19 pandemic.

UK figures show that since the start of the coronavirus pandemic in the UK, in March 2020, over half (57%) of UK residents increased their use of smart devices. Furthermore, US market intelligence firm IDC predicts that global IoT spending growth rates will be in the double digits in 2021, and that spending will achieve a compound annual growth rate of 11.3% over the 2020 to 2024 forecast period.

IoT Devices Security Concerns

The increased use of IoT devices has brought to light numerous IoT security concerns in recent years. IoT devices offer a huge range of benefits. However, they remain particularly vulnerable to cyberattacks, which have increased greatly over the years. It was this increase in cyberattacks on IoT devices that prompted the introduction of the new Security by Design legislation.

IoT security issues experienced in recent years have ranged from flaws in smartwatches leaving children at risk of being tracked by malicious actors to flaws in smart locks leaving front doors wide open. Not to mention hackers breaking into Ring cameras in children’s bedrooms and internet-connected toys putting children further at risk. IoT devices have also become a challenge for business security teams, with people placing non-business-related devices on company networks.

In addition, the fact that consumers are keeping old IoT devices for longer further compounds the problem. This is because security updates are often not available for older devices. Recent research by consumer group Which? found that a third of consumers kept their last smartphones for four years. However, some brands only offer security updates for just over two years, leaving these smartphones at increased risk of cyberattacks. Smartphones’ inclusion in the new legislation was thanks to this finding.

Security by Design Legislation Provisions

In light of the exponential increase of smart devices, the UK decided to take regulatory action. The DCMS proposed the new legislation to guarantee built-in security for IoT devices. If the legislation is passed, virtually all smart devices, from fridges to phones and doorbells, will be covered by legally binding security requirements. The aim is to protect people from cyberattacks conducted via IoT devices.

The legislation will require IoT device manufacturers to inform customers at point-of-sale how long their product will receive security updates. They will also be prohibited from using easily guessed universal default passwords in IoT devices’ factory settings. Traditionally, manufacturers have used default passwords such as “password” or “admin”, which undermine the smart device’s security if not changed. Furthermore, under the new legislation, manufacturers must provide a public point of contact to facilitate reporting of device vulnerabilities.

George Daglas, chief operating officer at Obrela Security Industries, explained that under the new Security by Design legislation, “IoT vendors will now be forced to apply security measures into the development stages of products, rather than bolting them on at the end or leaving users to optionally apply them. This is long overdue, particularly considering that smartphones are now one of the primary ways consumers shop and bank online.”

Not Covered by the Legislation

A DCMS spokesperson confirmed that laptops, desktops and tablets with no cellular connection will not be covered by the legislation. Also not covered are secondhand smart devices.

The UK government added that it will introduce the legislation as soon as parliamentary time allows, and that the legislation will be adaptive to keep step with any new IoT device threats that may emerge.

Information technology expert
Grace is an information technology expert who joined the VPNoverview team in 2019, writing cybersecurity and internet privacy-based news articles. Due to her IT background in legal firms, these subjects have always been of great interest to her.