November 30, 2021

UK Law Ensures Smart Device Security for Consumers

The ownership and use of connected devices/products has increased dramatically in recent years. On average there are nine in every UK household, with forecasts suggesting there could be up to 50 billion worldwide by 2030. People assume these products are secure, but only one in five manufacturers have appropriate security measures in place for their connectable products.

In the first half of 2021 there were 1.5 billion attempted compromises of Internet of Things (IoT) devices, double the 2020 figure. The UK’s National Cyber Security Centre last week revealed it had dealt with an unprecedented number of cyber incidents over the past year.

The Product Security and Telecommunications Infrastructure (PSTI) Bill places new cybersecurity standards on manufacturers, importers, and distributors of internet-connectable devices, such as phones, tablets, smart TVs and fitness trackers. The priority is now on making these products more secure against cyber-attacks and protecting individual privacy and security. PSTI will prevent the sale of consumer connectable products in the UK that do not meet baseline security requirements.

Failure to comply with the new legislation could result in heavy fines issued by a new regulator – up to £10m or 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention. The regulator will also be given the power to require firms to comply with the security requirements, recall their products, or stop selling or supplying them altogether. The legislation is further bolstered by the fact that ministers will be able to mandate further security requirements as new threats emerge.

Common-sense fixes like banning default passwords and incentivizing manufacturers to keep on top of security updates and vulnerabilities will help protect consumers and their data. However, some areas don’t seem that practical. For example, the notion of reducing risk through vulnerability disclosure when vulnerabilities are found could in fact do the opposite and increase risk if everyone knows about a vulnerability before it is fixed; there is no requirement to fix a vulnerability before it is disclosed… surely this is a great advertisement to cybercriminals!

Use case example 1: Security cameras

IP-enabled security cameras have been an easy target for malicious attackers for a long time now, since the bulk of them suffer from default username/password syndrome and a lot of the cameras out there don’t have any built-in authentication or security provision. You only have to search online for “camera” and “DDoS” to be returned lots of examples; default usernames and passwords are an easy entry point for enrolling cameras into DDoS botnets. The problem I see manufacturers facing is how to key and manage individual passwords and user credentials for millions of cameras. The way they manage this to date is by advising customers to change the default username and password as soon as they get the product; unfortunately this doesn’t happen 99% of the time! An alternative is a solution that fully automates password management, so that credentials can be made unique per device and rotated. Another basic security provision is to enable TLS/SSL on all cameras between the camera and the app/VMS, to ensure a camera’s authenticity and to provide a level of privacy. This of course comes with challenges similar to those of passwords: making certificates unique for each camera requires a management solution – it’s a challenge at scale.

Use case example 2: IoT gateways

Gateways are used in a lot of IoT deployments where many different sensor nodes and devices connect to the gateway, which acts as an aggregation point from those sensor nodes back to applications and cloud infrastructure. Quite a big proportion of gateways also suffer from the same credentialing challenges as cameras. It ultimately boils down to how to manage large numbers of unique credentials at scale. Most gateway vendors are not set up for this challenge, and to date typically focus more on how to sell more gateways than on solving it.

One solution for managing credentials, whether that’s passwords, certificates, crypto keys, secure update keys, etc., is to use an Identity and Access Management (IAM) platform specifically tailored to IoT. Being able to manage these credentials at scale can lock out the initial attack vector of weak default passwords and improve the privacy, authenticity, and security of any device. To help IoT makers meet the needs of these new regulations – I guess the choice is to implement automation or take a chance on getting a fine.
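As an added illustration of the credential-at-scale problem raised in both use cases above (this is example code written for this page, not the PSTI text, any vendor's IAM product, or the author's own tooling), the following Python models the minimum a fleet inventory needs: issue a unique random credential per camera or gateway, store only a salted hash, rotate on a schedule, and audit the fleet for devices still accepting a known factory default or overdue for rotation. The device ids, the list of factory defaults and the 90-day rotation period are constructed assumptions, not values from the page.

```python
"""Per-device credential provisioning, rotation and audit for an IoT fleet.
Added example (not from the original page); all device data is constructed."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of factory defaults an audit should flag (assumption).
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "12345"), ("root", "root")}
# Assumed rotation policy; the page states no specific period.
ROTATION_PERIOD = timedelta(days=90)


@dataclass
class DeviceRecord:
    device_id: str
    username: str
    salt: bytes
    pw_hash: bytes
    issued_at: datetime


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: the inventory never holds a plaintext credential.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def provision(device_id: str, now: datetime | None = None) -> tuple[DeviceRecord, str]:
    """Issue a unique random password for one device.
    The plaintext is returned once for delivery to the device, then discarded."""
    now = now or datetime.now(timezone.utc)
    password = secrets.token_urlsafe(24)          # unique per device, not a default
    salt = secrets.token_bytes(16)
    rec = DeviceRecord(device_id, "operator", salt, _hash_password(password, salt), now)
    return rec, password


def rotate(rec: DeviceRecord, now: datetime | None = None) -> tuple[DeviceRecord, str]:
    """Replace a device's credential; the old hash is dropped from the inventory."""
    return provision(rec.device_id, now)


def verify(rec: DeviceRecord, username: str, password: str) -> bool:
    """Constant-time check of a presented credential against the stored hash."""
    if username != rec.username:
        return False
    return hmac.compare_digest(rec.pw_hash, _hash_password(password, rec.salt))


def audit(inventory: list[DeviceRecord], now: datetime) -> dict[str, list[str]]:
    """Flag devices still on a known factory default and devices whose
    credential is older than ROTATION_PERIOD."""
    findings: dict[str, list[str]] = {"default_credential": [], "rotation_overdue": []}
    for rec in inventory:
        if any(verify(rec, user, pw) for user, pw in KNOWN_DEFAULTS):
            findings["default_credential"].append(rec.device_id)
        if now - rec.issued_at > ROTATION_PERIOD:
            findings["rotation_overdue"].append(rec.device_id)
    return findings


def legacy_record(device_id: str, username: str, password: str, issued_at: datetime) -> DeviceRecord:
    """Constructed helper: a device shipped on a factory default, the
    'before' state the audit is meant to catch."""
    salt = secrets.token_bytes(16)
    return DeviceRecord(device_id, username, salt, _hash_password(password, salt), issued_at)


def build_sample_inventory(now: datetime) -> list[DeviceRecord]:
    """Constructed fleet: one camera on a default, one fresh gateway,
    one camera with a unique but stale credential."""
    old = now - timedelta(days=200)
    cam_default = legacy_record("cam-0001", "admin", "admin", old)
    gw_fresh, _ = provision("gw-0001", now)
    cam_stale, _ = provision("cam-0002", old)
    return [cam_default, gw_fresh, cam_stale]


def demo() -> dict[str, list[str]]:
    now = datetime(2021, 11, 30, tzinfo=timezone.utc)
    return audit(build_sample_inventory(now), now)


if __name__ == "__main__":
    for category, ids in demo().items():
        print(f"{category}: {ids}")
```

Running the module prints the two finding categories for the constructed fleet: the camera still on `admin/admin` is flagged for both a default credential and overdue rotation, the stale camera only for rotation, and the freshly provisioned gateway not at all. The same structure extends to certificates for the TLS case: swap the random password for a per-device key pair and store the certificate fingerprint and issue date instead of a password hash.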

Robert Dobson