In recent years, an increasing number of household items such as speakers, televisions and freezers are becoming “smart” and making using of Internet of Things (“IoT”) solutions. The increase in such products looks set to continue but with such technological advancements come security risks, exemplified by the exploitation of IoT devices by the Mirai botnet. The government has therefore recently launched a consultation on regulatory proposals regarding consumer IoT security.
The consultation is aimed particularly at device manufacturers, IoT service providers, mobile application developers, retailers and those with a direct or indirect interest in the field of consumer IoT security including consumer groups, academics and technical experts.
The government has recognised that a large number of consumer IoT devices are sold without even basic cyber security provisions. As a result these compromised devices can pose a risk for the consumer’s entire network and beyond. The consultation refers to a recent survey in which 72% of consumers interviewed said they expected security to already be built in. The government’s aim is therefore to regulate to restore transparency within the market and ensure that strong cyber security is included in these devices by design, rather than it being left to the consumer to ensure that adequate security measures are in place. Initially this was attempted through the publication of a Code of Practice for IoT Security in October 2018. However, despite this being issued the government is still seeing shortcomings and so is moving to the next stage of consultation on formal regulation.
Whilst the government recognises the need to balance the risk of dampening innovation it has highlighted in the consultation its ambition for the following security measures to be mandatory in the UK, which were identified as the “top three guidelines” within the Code of Practice:
“1. All IoT device passwords shall be unique and shall not be resettable to any universal factory default value;
2. The manufacturer shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues;
3. Manufacturers will explicitly state the minimum length of time for which the product will receive security updates.”
To implement these options the consultation stage impact assessment includes three options:
“Option A: Mandate retailers to only sell consumer IoT products that have the IoT security label, with manufacturers to self declare and implement a security label on their consumer IoT products.
Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines, with the burden on manufacturers to self declare that their consumer IoT products adhere to the top three guidelines of the Code of Practice for IoT Security and the ETSI TS 103 645.
Option C: Mandate that retailers only sell consumer IoT products with a label that evidences compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self declare and to ensure that the label is on the appropriate packaging.”
The consultation remains open until 5 June 2019 for responses from interested parties.
We will then have to wait to see what steps are taken to reach the government’s goal of greater consumer security in light of the responses. However, it is almost certain that in the not too distant future some form of regulation will be introduced.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.