UK.gov cooks up code of conduct to enforce a smidge of security on Internet of S**t kit

No legislation or fines, are you some kind of IdIoT?

By Kat Hall

Posted in Security, 7th March 2018 09:02 GMT

The makers of connected devices will be expected to build in security measures to prevent cyber threats, under a draft "code of conduct" issued by the UK government today.

The Security by Design review intends to bake security into devices to protect "individuals' online security, privacy, safety" as well as preventing large-scale cyber attacks.

It follows a number of high-profile breaches that put people's data and security at risk, including attacks on smart watches, CCTV cameras, and both children's and adult toys.

Around 100,000 IoT devices infected by the Mirai botnet, mostly CCTV cameras, rendered many high-profile sites inaccessible in 2016.

However, how it plans to police the code remains unclear.

The Register has asked the Department for Culture, Media and Sport whether any future financial penalties will be imposed if manufacturers are not compliant with the code, and if it intends to introduce regulation. We have not received a response.

Pen Test Partners' Ken Munro said the plans will change nothing. "Responsible manufacturers are already addressing IT security in devices, so that means this code will apply to fly-by-night ones that aren't. But because this standard isn't compulsory, there is no legislation, or kite mark. It will have no effect.

"This is such a quick and fast moving sector, the government really needs to grab the bull by the horns. Legislation is what is required, we do it with electrical safety, so why not IoT?"

Digital minister Margot James said the "tough new set of rules" will "ensure we have the right rules and frameworks in place to protect individuals and that the UK continues to be a world-leading, innovation-friendly digital economy."

Ian Levy, technical director at the National Cyber Security Centre, said: "Shoppers should be given high-quality information to make choices at the counter. We manage it with fat content of food and this is the start of doing the same for the cyber security of technology products."

The review is intended to outline practical steps for manufacturers, service providers and developers.

The code states that all passwords on new devices and products be unique and not resettable to a factory default; that vulnerability policies and public points of contact be made available so issues can be reported immediately; and that sensitive data transmitted over apps or products be encrypted.

It also says software should be automatically updated; that consumers can delete personal data on devices and products; and that installation and maintenance of devices is easy.

In addition, it proposes developing a product labelling scheme so consumers are aware of a product's security features at the point of purchase.

Munro added that the threat to national infrastructure via botnets was a "concerning threat" but said these measures alone would not be enough to prevent IoT attacks.

However, Raj Samani, chief scientist at McAfee, said the code was "a welcome step on the road to ensuring a standard level of security across these devices".

The government is asking for feedback on the draft proposals until 25 April. ®
