Internet of Things (IoT) devices, essentially electronic devices such as fitness trackers and smart light bulbs that connect to the internet, are now part of everyday life for most people.
Yet the security of these devices remains a problem, and according to Kaspersky it is only getting worse: the antivirus vendor recorded 1.5 billion attacks on IoT devices in the first six months of 2021 alone, nearly double the 639 million it recorded in 2020. This is largely because security has long been an afterthought for manufacturers of typically inexpensive devices, which continue to ship with guessable or default passwords and insecure third-party components.
In an effort to improve the security of consumer IoT devices, the UK government this week introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill in Parliament, legislation that requires IoT manufacturers, importers and distributors to comply with certain minimum cybersecurity standards.
The bill outlines three key areas of minimum security standards. The first is a ban on universal default passwords, such as “password” or “administrator,” which are often set in a device’s factory configuration, shared across every unit of a product line and easy to guess. The second will require vendors to provide a public point of contact so that anyone can report a security vulnerability. The third is that IoT vendors will need to tell customers, at the point of sale, the minimum length of time a product will receive security updates.
This new cybersecurity regime will be overseen by a yet-to-be-appointed regulator, which will have the power to impose GDPR-style sanctions; businesses that fail to comply with the PSTI could be fined £10 million or 4% of their annual revenue, as well as up to £20,000 per day in the event of a continuing breach.
At first glance, the PSTI bill sounds like a step in the right direction, and the cybersecurity industry has widely praised the ban on default passwords as a “common sense” measure.
“Basic cyber hygiene, like changing default passwords, can go a long way in improving the security of these types of devices,” Rodolphe Harand, CEO of YesWeHack, tells TechCrunch. “Since manufacturers are required to provide a new unique password, this will essentially offer an additional layer of protection.”
But others say the measures, particularly the ban on easy-to-guess passwords, have not been carefully thought through and could potentially create new opportunities for threat actors to exploit.
“Stopping default passwords is laudable, but if every device has a private password, who is responsible for managing this?” said Matt Middleton-Leal, CEO of Qualys. “It’s common for end users to forget their own passwords, so if the device needs to be repaired, how would the specialist gain access? This is dangerous territory where manufacturers may have to provide superuser accounts or backdoor access.”
Middleton-Leal, along with others in the industry, is also concerned about the PSTI bill’s mandatory vulnerability disclosure provision. While it makes sense in principle, as it ensures that security researchers can contact manufacturers privately to flag bugs so they can be fixed, there is nothing in the bill that requires bugs to be fixed before they are publicly disclosed.
“If anything, this increases the risk when the vulnerability becomes common knowledge, as bad actors have a red flag to focus their efforts and find ways to exploit it,” Middleton-Leal added.
John Goodacre, Director of Digital Security by Design at UKRI, agrees that this mandate is flawed, telling TechCrunch: “The policy accepts that vulnerabilities can still exist even in the best-protected consumer technologies, with security researchers regularly identifying security flaws in the products. In today’s world, we can only continue to repair these vulnerabilities once they are found, by dressing the wound once the damage has already been done. More initiatives are needed for technology to prevent such injuries from occurring at the fundamental level.”
The third key area outlined in the bill, requiring vendors to state how long devices will receive security updates, is also under fire over fears it could encourage manufacturers to discount prices once a device nears the end of its supported life, which could incentivize consumers to buy devices that will soon run out of security support.
Some believe that the UK government is not acting fast enough. The bill, which does not cover vehicles, smart meters, medical devices, or desktop and laptop computers that connect to the internet, gives IoT manufacturers 12 months to change their working practices, meaning that over the next year many will continue to produce inexpensive devices that may not meet even the most basic security standards.
“Manufacturers are likely to continue to view speed to market as a priority over device security, believing this to be the primary consideration for sustaining profits,” Kim Bromley, senior cyber threat intelligence analyst at Digital Shadows, tells TechCrunch.
Bromley also believes the UK will have a hard time enforcing these regulations against manufacturers based in mainland China (PRC). “Some China-based manufacturers release products that are cheaper than other products on the market and therefore users will continue to buy products that may contain security flaws or at least not comply with UK legislation,” Bromley said. “The new requirements will also place a huge burden on UK resellers who can use PRC-made products on their own; keeping up with requirements and changing work practices could be difficult.”
However, the solution remains unclear, although cybersecurity experts seem to universally agree that the UK government needs to be flexible in its approach to IoT security and ensure that it does not fall into the common trap of looking only at the past and the present instead of the future.
“Both attackers and, unfortunately, unscrupulous manufacturers and vendors, are endlessly creative,” says Amanda Finch, executive director of the Chartered Institute of Information Security (CIISec). “There will inevitably be new avenues of attack that circumvent the bill’s requirements and new vulnerabilities created by lazy vendors. As such, this bill should be viewed as one step in a never-ending process of revision and refinement, rather than an end in itself.”