Security by design backed to combat cyber risk in smart devices

Out-Law News | 07 Mar 2018 | 4:07 pm

Cybersecurity should be embedded into the way 'smart' consumer devices are made, the UK government has said.

The government has, in collaboration with industry and the National Cyber Security Centre, developed a draft code of practice designed to improve security in consumer 'internet of things' (IoT) products and associated services.

The 13 points listed in the draft code are ordered by priority, topped by a recommendation for each consumer IoT device to have its own unique password that cannot be reset to a "universal factory default value".

"Whilst much work has been done to eliminate reliance on passwords and providing alternative methods of authenticating users and systems, some IoT products are still being brought to market with default usernames and passwords from user interfaces through to network protocols," the government said. "This is not an acceptable practice and it should be discontinued."

Further recommendations contained in the code address issues such as the disclosure of security vulnerabilities, maintenance of up-to-date software, and the secure storage of security credentials.

Consumers should also be able to delete their personal data from devices, according to the draft code.

Different parts of the code are aimed at different stakeholders, including the manufacturers of IoT devices such as smart watches, CCTV cameras and children’s dolls, as well as the app developers that build software for those devices, the businesses that provide related IoT services, and the retailers that sell the finished products.

The draft code, which is open to consultation until 25th April, has been developed as part of a broader review into the cybersecurity of consumer IoT devices and services that the government has undertaken. There are expected to be more than 420 million IoT devices in use across the UK within three years, it said.

Margot James, UK minister for digital, said cyber attacks in recent times, including the so-called 'WannaCry' attack, highlighted the need to ensure that IoT devices are secure and that consumers' privacy is protected when using them.

James called for "a fundamental shift in approach to moving the burden away from consumers having to secure their internet connected devices and instead ensure strong cyber security is built into consumer IoT products and associated services by design".

The government said the new security by design initiative is aimed at supporting its stated ambitions to make the UK "the most secure place in the world to live and do business online", and "the best place in the world to start and grow a digital business".