GCHQ asks tech firms to pretty please make IoT devices secure

Hive, HP Inc sign up to refreshed code of practice

GCHQ has managed to convince HP Inc and Centrica Hive to take its side in a relatively rare public intervention on the state of consumer IoT security.

A voluntary code of practice, to which the two companies have signed up, urges them to implement published standards and recommendations on how to bake security into IoT devices.

GCHQ’s Code of Practice for Consumer IoT Security (accessible here) contains broad-brush recommendations such as “implement a vulnerability disclosure policy” and “minimise exposed attack surfaces”.

Its National Cyber Security Centre arm, which the governmental agency likes to use to promote activities as being for the public good, said: “This Code of Practice is not a silver bullet for solving all security challenges. Only by shifting to a security mindset and investing in a secure development lifecycle can an organisation succeed at creating secure IoT.”

In a background briefing, The Register was told that GCHQ sees itself as leading from the front on consumer IoT security, at least within the traditional Anglosphere nations of America, Canada, Australia and New Zealand. Not content with the Five Eyes, however, we understand that GCHQ has translated the code into different languages, including those with non-Roman alphabets, in the hope of encouraging wider global adoption along the lines of "We've done the hard work for you, let's all benefit from this."

We understand the most recent version of the code of practice builds on an earlier version first issued in March.

The code of practice sets out 13 principles for manufacturers to mull when they design products, such as secure storage of personal data and regular software updates.

One might think these were stating the bleedin’ obvious, but the wealth of dodgy toys – both children’s and adult – and devices on the market proves this is not the case.

Just this month, Pen Test Partners criticised consumer group Which? for naming the Samsung SmartCam a "best buy", despite takeover vulnerabilities having been reported as far back as 2014.

Among the other guidelines set out in the code are calls for makers not to set default passwords, to make it easy for people to delete their personal data off the device and to simplify secure installation and maintenance of the devices.

Companies are also encouraged to monitor system telemetry data, make systems resilient to outages and implement a vulnerability disclosure policy.

GCHQ hopes that by getting large industry players on side, consumers will have less to worry about in future. However, the agency was a bit sketchy when asked whether similar ventures are under way for industrial IoT – a curious omission given the huge level of marketing hype around the so-called Industry 4.0, in which the vision is that traditionally profitable manufacturing industries will give their profits to a tech sector desperately scrabbling to find the Next Big Thing and hoping that industrial sensors might be the jackpot.

We also understand that in the future GCHQ hopes retailers will train stock purchasing staff to understand when certain IoT devices might be a big risk for consumers and therefore refuse to stock them, something which looks naive on the face of it.

Nonetheless, the code of practice is a step in the right direction for those manufacturers willing to abide by it. Whether the bargain basement factories in the Far East knocking out cheap ‘n’ cheerful kit for pennies will pay any attention is another question altogether.

GCHQ, along with the Department for Culture, Media and Sport, has put together a website setting out how global IoT recommendations have been mapped to its code of practice at iotsecuritymapping.uk. ®




Biting the hand that feeds IT © 1998–2018