11 May 2021
The UK government has announced plans to create new legislation under which smart devices must meet new requirements designed to protect businesses from cyberattacks.
A planned new law to address the shortfall in device security will force suppliers to tell users at the point of sale for how long their product will receive security software updates and patches.
The Department for Digital, Culture, Media and Sport (DCMS) said it would now also be putting smartphones in scope of the planned legislation and said research had shown up to a third of users (businesses and consumers) keep their smartphones for at least four years, but many brands only offer security updates for two years.
Recent University College London research found that out of 270 products tested, none displayed this information at point of sale or in any accompanying paperwork.
“Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems,” said digital infrastructure minister Matt Warman.
Brad Ree, chief technology officer of the Internet of Secure Things (IoXT) Alliance, said “we applaud the UK government for taking this critical step” to demand more from IoT device manufacturers and to better protect the businesses that use them.
“Requiring unique passwords, operating a vulnerability disclosure programme, and informing consumers on the length of time products will be supported is a minimum that any manufacturer should provide,” he added. “These are all included in the IoXT compliance programme and have been well received by manufacturers around the world.”
NCSC (National Cyber Security Centre) technical director Ian Levy added that end-users have become “increasingly reliant” on connected products in the workplace. “The Covid-19 pandemic has only accelerated this trend and while manufacturers of these devices are improving security practices gradually, it is not yet good enough,” he said.
The law, which will be introduced “as soon as parliamentary time allows”, builds on a series of steps Westminster has already taken, including the publication of a code of practice for device-makers and the development of an international standard for IoT security, which has been approved by industry association the Cybersecurity Tech Accord.
Rick Jones, chief executive officer and co-founder at DigitalXRAID, said news that the UK government plans to protect the consumer from security breaches and data thefts with new requirements for technology manufacturers comes at a critical time for businesses.
“As many continue to work from home, using personal and unsecured devices to access company servers, network vulnerabilities have expanded dramatically,” he said. “Smart devices in particular have evolved into extremely powerful PCs that can act as touchpoints for internal networks, yet they will have far less security than typical enterprise IT applications.”
Jones added that as the Internet of Things (IoT) grows, smart devices are further integrated within expansive networks, opening up higher vulnerability to hacking and increased difficulty protecting sensitive data. “What’s more, as one of many devices connected to IoT, a personal smart phone may be used to circumvent security, with hackers pivoting into the corporate environment,” he said.
Jamie Brown, director of senior global government affairs at Tenable, said that it was time for manufacturers to be held accountable and not to put the onus on enterprises.
“To date, much of the responsibility for securing IoT products has been forced onto end-users by vendors,” he added. “Subsequently, users are tasked with securing their own devices whilst often being unaware of the risks they are bringing into their offices. The ability to easily report discovered software bugs (vulnerabilities) is another element of this legislation that is to be applauded. This is the easiest way for vendors to be made aware of security issues within products, and take action, before they can be used nefariously.”