Deadline for IoT devices to meet new UK security laws strikes
Manufacturers in the UK are now legally required to ramp up cyber security in internet of things (IoT) devices in order to protect businesses and consumers from attack.
The new measures, now in force after the government gave businesses a year’s notice, mean that universal default and easily guessable passwords such as ‘admin’ and ‘12345’ are banned from connected devices.
The rules also require manufacturers to publish contact details so that consumers and researchers can report security issues, and to tell users for how long the device will receive important security updates.
The government claims that the new laws will help prevent events such as the Mirai attack in 2016, in which 300,000 smart products with weak security were compromised, herded into a botnet and used to flood major internet platforms and services, leaving a chunk of the East Coast of the US unable to reach them.
Since then, similar attacks have occurred on banks such as Lloyds and RBS, also causing disruption to customers.
According to a recent Which? investigation, a home filled with smart devices could be exposed to more than 12,000 hacking attacks in a single week, with over 2,500 password attempts on just five devices.
“Businesses have a major role to play in protecting the public by ensuring the smart products they manufacture, import, or distribute provide ongoing protection against cyber-attacks and this act will help consumers to make informed decisions,” commented the National Cyber Security Centre’s (NCSC) deputy director for economy and society, Sarah Lyons.
Cyber security professionals told TechInformed they support the regulations and were pleased to see them go live, emphasising the risk IoT devices pose: “These devices are part of our daily lives, but the fact is that many were designed with ease of use rather than security in mind, which provided an open door for cybercriminals to exploit,” says Sylvain Cortes, VP strategy at cyber security firm Hackuity.
“With the new regulations, consumer IoT devices will now have to have a vulnerability disclosure programme so that weaknesses can be properly dealt with.”
Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, added: “The Internet of Things (IoT) exposes us all to some degree of risk. Despite their perceived simplicity, these devices hold unexpected power to disrupt when left unpatched or poorly managed.”
“The widespread use of default passwords from manufacturers typically led to significant issues, with hackers increasingly exploiting this vulnerability. It’s encouraging to see growing emphasis on implementing best practices in securing IoT devices before they leave the factory.”
Advice for businesses to protect their IoT devices
Curran adds that, on top of stronger passwords, businesses must establish preventative, detective and corrective controls through a combination of policies, standards, procedures, organisational structures, software technologies and monitoring mechanisms.
“These measures are crucial for mitigating the risks related to the confidentiality, integrity and availability of information assets within an organisation.”
Tim Armandpour, CTO of incident response firm PagerDuty, says that while the new regulations are a positive step, there is a lot of uncertainty around the ‘how’, since building the capabilities needed to support the regulations may be relatively new territory for the company or product implementing them.
“Organisations must keep privacy, accountability, interoperability and innovation top of mind in order to stay compliant,” Armandpour adds.
“For organisations, driving operational maturity from reactive to preventative is key. Going beyond basic security, businesses must be building the capability to enable IoT system security, reliability and scale by leveraging automation and machine-learning to minimise the cyber related risks and system downtime from any source.”
However, Ev Kontsevoy, CEO and co-founder of security infrastructure firm Teleport, believes the government must now build a strategy to phase out the use of passwords altogether in favour of cryptographic identity, citing human error as a factor in 74% of breaches.
For now, though, Kontsevoy said that firms need to eliminate accounts on their devices that are either not in use, or that are shared by too many people, as both are targets for threat actors.
“Having visibility into who has access to what in your infrastructure, and identifying and eliminating these weak access patterns, is a critical defence in the face of rising identity attacks,” Kontsevoy said.
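The weak access patterns described in this section (default account names banned under the new rules, accounts nobody uses any more, and one account shared by many people) can be found by auditing a device's authentication log. The following is an added example, not code from the article, Teleport or any vendor; it assumes a hypothetical log format of `<ISO timestamp> <account> <source IP> <result>` and uses a constructed sample log and account list. The thresholds (90 days stale, more than three distinct source addresses counts as shared) are illustrative assumptions.

```python
"""Audit device accounts for default names, stale accounts and shared use.

Added example: the log format, sample lines and thresholds are assumptions,
not from the article or any product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp account source_ip result).
SAMPLE_LOG = """\
2024-04-20T08:00:00 admin 10.0.0.5 success
2024-04-20T08:05:00 admin 10.0.0.7 success
2024-04-21T09:10:00 admin 10.0.0.9 success
2024-04-22T10:00:00 admin 192.168.1.44 success
2024-04-22T10:30:00 admin 192.168.1.45 success
2024-04-22T11:00:00 alice 10.0.0.5 success
2024-04-22T11:01:00 installer 10.0.0.99 failure
2024-04-28T11:00:00 alice 10.0.0.5 success
2024-01-03T12:00:00 svc_backup 10.0.0.20 success
"""

# Constructed list of accounts provisioned on the device.
KNOWN_ACCOUNTS = ["admin", "alice", "svc_backup", "installer"]

# Account names commonly shipped as factory defaults (illustrative list).
DEFAULT_ACCOUNT_NAMES = {"admin", "root", "user", "guest", "support"}

# Fixed "now" so the example is reproducible offline.
AUDIT_NOW = datetime(2024, 4, 30)


def parse_log(text):
    """Parse log lines into (timestamp, account, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, result = line.split()
        events.append((datetime.fromisoformat(ts), account, src, result))
    return events


def audit_accounts(events, known_accounts, now,
                   stale_after=timedelta(days=90), max_sources=3):
    """Return {account: [reasons]} for accounts matching a weak pattern.

    Only successful logins count towards last use and source spread:
    a failed attempt must not make a dormant account look active.
    """
    last_seen = {}
    sources = defaultdict(set)
    for ts, account, src, result in events:
        if result != "success":
            continue
        sources[account].add(src)
        last_seen[account] = max(last_seen.get(account, ts), ts)

    findings = {}
    for account in known_accounts:
        reasons = []
        if account in DEFAULT_ACCOUNT_NAMES:
            reasons.append("default name")
        if account not in last_seen:
            reasons.append("never used")
        elif now - last_seen[account] > stale_after:
            reasons.append("stale")
        # An account reached from many distinct addresses is most likely
        # a credential shared across several people or systems.
        if len(sources[account]) > max_sources:
            reasons.append("shared")
        if reasons:
            findings[account] = reasons
    return findings


def run_audit():
    """Run the audit over the constructed sample and return the findings."""
    return audit_accounts(parse_log(SAMPLE_LOG), KNOWN_ACCOUNTS, AUDIT_NOW)


if __name__ == "__main__":
    for account, reasons in run_audit().items():
        print(f"{account}: {', '.join(reasons)}")
```

On the sample data the audit flags `admin` (a default name reached from five addresses), `svc_backup` (last successful login more than 90 days ago) and `installer` (provisioned but never successfully used); `alice` is clean. Counting distinct source addresses is a heuristic: a single user on a laptop that roams between networks will also show several addresses, so a finding of "shared" is a prompt to check who holds the credential, not proof on its own.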
The laws are coming into force as part of the Product Security and Telecommunications Infrastructure regime, which the UK government says is designed to improve the country’s resilience to cyber-attacks.
NCSC’s Sarah Lyons explained: “I encourage all businesses and consumers to read the NCSC’s point of sale leaflet, which explains how the new Product Security and Telecommunications Infrastructure (PSTI) regulation affects them and how smart devices can be used securely.”