UK Government Releases Smart Device Security Guidelines
With the number of internet-connected devices predicted to reach 20 billion worldwide by 2020, the UK government has announced voluntary guidelines to make these devices safer to use.
The government estimates that every household in the UK owns at least 10 internet-connected devices, a figure expected to rise to 15 by 2020. With that in mind, the central proposal of the Secure by Design report is a draft Code of Practice aimed primarily at manufacturers of consumer Internet of Things (IoT) products and associated services.
The report said that there was a need to move away from placing the burden on consumers, who were often unaware of the vulnerabilities or of how to securely configure their devices. Instead, it recommended that manufacturers take greater responsibility for ensuring that strong security is built in by design. The report sets out 13 practical steps to improve the security of consumer IoT devices. The highlights are below.
- No default passwords: all IoT device passwords must be unique and not resettable to any universal factory default value
- Device manufacturers should have a point of contact so that security researchers can report issues immediately, and disclosed vulnerabilities should be acted on in a timely manner
- Software should be updated automatically with clear guidance for customers
- It should be easy for consumers to delete personal data
- Installation and maintenance should be easy for consumers
- Systems should be resilient to outages
Non-Binding Guidelines
Shortly after the report was released, critics were quick to note the government’s preference for letting the market resolve the problem itself, and that the guidelines lacked the teeth needed to enforce them. Rather than support them with law, the government has said it plans to create the right incentives to get industry on side.
Ken Munro, Analyst at security firm Pen Test Partners, said of the report: “It’s a good start but misses too much to be of great use. Responsible IoT manufacturers are already addressing security. It’s the irresponsible manufacturers who aren’t interested, don’t care about our security or who refuse security on grounds of cost that we need to worry about.
“Without ‘teeth’, this standard is meaningless. Manufacturers who already play fast and loose with our security to make a quick buck from us won’t change anything.”
Margot James, Minister for Digital and the Creative Industries, said: “We want everyone to benefit from the huge potential of internet-connected devices, and it is important they are safe and have a positive impact on people’s lives.
“We have worked alongside industry to develop a tough new set of rules so strong security measures are built into everyday technology from the moment it is developed.”