Legislating for Security in Consumer IoT

Copper Horse CEO, David Rogers discusses today’s UK government announcement on legislation for consumer IoT security.

Today marks another step along the road for IoT security – the teeth of legislation and regulation to deal with companies that do not implement security in their consumer IoT products. It is likely that the UK will become the first country in the world to legislate on IoT security.

In May 2019, the UK government launched a consultation into regulation for the security of consumer IoT. The consultation is now complete, with 49 responses and a decision to move ahead with legislating for the top 3 items from the Code of Practice for Consumer IoT Security and ETSI TS 103 645 (pdf). Work is ongoing to bring the ETSI TS to a full European Standard or EN – the draft EN is currently out for review (pdf) until the end of February with National Standards Organisations.

For everyone, the time to act is now

From a personal perspective, I really think this is a huge step. Over the past couple of years I’ve been privileged to work with a fantastic team at DCMS and the NCSC who have been really motivated to help people and understand the problem space. The consumer support for legislation is there and we know that security can be implemented by manufacturers because some companies are already doing it and the security technology is available to be used. We already knew what good looked like – we just wrote it down and prioritised it. What we’ve seen is support from a number of countries and organisations and a recognition that acting now to address the fundamental security concerns is the right way forward.

We also know to a certain extent what the real situation is like in the market. In 2018, we conducted research on behalf of the IoT Security Foundation which showed that fewer than 10% of the manufacturers we surveyed had any way for a security researcher to contact them. The results of our follow-up survey are out this quarter and will reflect a broadly similar situation. Security by design is a concept that some companies choose to ignore because they think that they can get away with it or it doesn’t matter. Well, if you want to ship products to the UK in the future, you had better get your act together pretty quickly.

Considerations

One of the things that I think we need to be aware of is the danger of penalising ‘good’ manufacturers, rather than the rogue ones. I’ve seen this before with work I’ve done against counterfeit and so-called ‘sub-standard’ electronic products. Some measures that are proposed against counterfeit only increase the cost for the ones who will abide by the rules anyway, while the rogue ones get away with continuing to do nothing. In this case, I think we have the balance right. The measures being put forward are a foundational baseline, these are things that are really fundamental, but if not implemented can cause huge consumer harm. Default passwords in consumer devices in this day and age are well, pretty stupid when there are better, safer alternatives for enrolling users to devices and for initiating products from factory defaults. What we’re also asking for is transparency:

• in access – for security researchers who want to report vulnerabilities to manufacturers easily and;
• about the minimum length of time that devices will get security updates.

Both of these areas will serve to demonstrate a responsible, public commitment by manufacturers to addressing and resolving discovered security issues. Primarily, manufacturers should be honest towards consumers.

Last year when we created our mapping website, https://iotsecuritymapping.uk , we set out to both help manufacturers to understand how the UK’s Code of Practice mapped to the existing body of work and guidance on IoT security and privacy but also to provide some reassurance that what we were saying was not unusual – in fact, there was a broad consensus on what we were recommending, the fragmentation was really just in the semantics of how documentation from across the world was written. We made that available as open data precisely to help in the process of defragmentation and facilitation of common understanding. The decision by DCMS to translate the Code of Practice into multiple languages reduced the barrier to entry and understanding and acknowledged the truly global nature of both the electronics and software supply chain as well as the designers, security experts and security researchers across the world.

Next steps

The next few months are going to be hard work. My own anxiety is that there will also always be edge cases – those points at which adjustments need to be made or possibly where we haven’t considered certain use cases. I’m certain that the team working on it are conscientious and will work to understand manufacturer concerns and the feedback from the public consultation. Ultimately in all of this, we have had a choice – sit on our hands and wait for things to get worse or get on do something and make the world a safer place. We chose action over procrastination.

More reading on this topic:

• Mapping New IoT Security Recommendations
• ETSI publishes European Standard on Consumer IoT Security
• Stepping up action on IoT insecurity – new laws and regulation
• Investigating the State of Vulnerability Disclosure in Consumer IoT Products
• Security change for good in the Internet of Things
• Consumers should be able to reject IoT products as not secure with these simple checks
• Mapping IoT Security and Privacy Recommendations and Guidance
• Discussing the UK Government’s Code of Practice for Consumer IoT Security and the Future (audio)
• Code of Practice for Security in Consumer IoT Products and Services – David Rogers at 44CON 2018 (video presentation)
• Government Reports, IoT Security, Mirai and Regulation
• A Code of Practice for Security in Consumer IoT Products and Services
• How the UK’s Code of Practice on IoT security would have prevented Mirai