The UK is planning to mandate a minimum of three security standards for consumer Internet of Things (IoT) devices, it confirmed today, after consultations that began in May 2019. But a closer look at its consultation paper suggests huge holes in the new policy with little obvious fixes.
The three standards include a demand on original equipment manufacturers that all device passwords are unique and not resettable to factory settings; that companies provide a clear vulnerability disclosure contact, and that OEMs “explicitly state” for how long their IoT products will get security updates.
All are welcome moves, which follow a non-binding Code of Practice for IoT Security published on 14 October 2018. The decision was applauded by many security commentators as “a very positive step”. (The standards would, in theory, help mitigate against poorly secured IoT devices being used to invade privacy, steal data, or be co-opted into botnets used for DDoS attacks.)
But Who Enforces It?
Yet a closer look at the proposal shows who is in charge of enforcement remains an open question, and product labelling has been ruled out, suggesting market impact is likely to be limited at this point.
When asked who should enforce the new IoT security regulations, most respondents to the Department for Digital, Culture, Media & Sport (DCMS)’s consultation suggested consumer watchdog Trading Standards.
The proposal was met with scepticism by HMG, which suggested that the organisation was under-resourced and it had little appetite to resource it further: “We are mindful of placing more responsibility on existing UK agencies at a time when resources are prioritised on existing consumer protection priorities” the DCMS said today, somewhat startlingly.
It added: “We have been working to better understand how this regulation could be effectively enforced through existing UK agencies and will continue to do so in the coming months.”
What about consumers: how will they know if devices have met these standards?
The products certainly won’t be labelled by manufacturers, with the government today explicitly ruling out enforcing such an approach.
“We have taken on board the concerns of those who feel there are issues associated with a specific label being mandated to be placed on products. We recognise the complexity of supply chain management and potential disruption to business as a result of affixing a label to physical products”, the DCMS said sympathetically.
Officials added: “Feedback questioned whether manufacturers would be willing to place a negative label on their products and the difficulty for retailers to take necessary steps to validate the manufacturer’s claims in a voluntary scenario. As such, we will not proceed with launching the voluntary labelling scheme at this time and will undertake further policy development based on the feedback”.
So, no clear enforcement strategy yet and no labelling scheme. How will consumers know what’s secure?
Perhaps, the government suggests, the onus could fall on retailers, rather than vendors themselves?
IoT Security Regulations: “Further Work Needed…”
“The Government will… undertake further work to determine the most appropriate way to communicate security information” HMG said.
“This will involve examining an alternative option to the labelling scheme whereby retailers would be responsible for providing information to the consumer at the point of sale (both online and in stores). This is because we want to ensure that those who manufacture, develop and stock IoT devices are clear and transparent with those that purchase them, sharing important information about the cyber security of these devices.”
Ilkka Turunen, Global Director of Solutions Architecture of software security specialists Sonatype was among the sceptics.
He told Computer Business Review: “There are major oversights [this legislation] doesn’t address:”When 1 in 10 software components downloaded by UK developers contains a known security vulnerability, increasing the occurrence of supply chain infiltration attacks, it’s not enough to just offer a point of contact to whom vulnerabilities are disclosed… Manufacturers must ensure these components aren’t in their products to begin with.
“As 90 percent of all applications deployed in IoT devices contain third party code from Open Source, it is important to set rules on maintaining the integrity of those pieces of code. The 90-day limit proposed in the legislation to act on reported issues is too long. Modern attacks often occur within a few days of issues being reported. Manufacturers, businesses and governments need to work together to find a way of certifying the software supply chain – like a list of ingredients used to build the product.”
He added: “No other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, so why should the software components in connected devices be any different?
“Instead, manufacturers should be able to certify that their software, and their devices, are secure at the time of shipping, and should ensure their security updates last for the mandated time.”