Security cooks up code of conduct to enforce a smidge of security on Internet of S**t kit

No legislation or fines, are you some kind of IdIoT?

By Kat Hall


The makers of connected devices will be expected to build in security measures to prevent cyber threats, under a draft "code of conduct" issued by the UK government today.

The Security by Design review intends to bake security into devices to protect "individuals' online security, privacy, safety" as well as preventing large-scale cyber attacks.

It follows a number of high-profile breaches putting people's data and security at risk, including attacks on smart watches, CCTV cameras and both children's and adult toys.

Around 100,000 infected IoT devices under the control of the Mirai botnet, mostly CCTV cameras, rendered many high-profile sites inaccessible in 2016.

However, how it plans to police the code remains unclear.

The Register has asked the Department for Culture, Media and Sport whether any future financial penalties will be imposed if manufacturers are not compliant with the code, and if it intends to introduce regulation. We have not received a response.

Pen Test Partners' Ken Munro said the plans will change nothing. "Responsible manufacturers are already addressing IT security in devices, so that means this code will apply to fly-by-night ones that aren't. But because this standard isn't compulsory, there is no legislation, or kitemark. It will have no effect.

"This is such a quick and fast-moving sector, the government really needs to grab the bull by the horns. Legislation is what is required, we do it with electrical safety, so why not IoT?"

Digital minister Margot James said the "tough new set of rules" will "ensure we have the right rules and frameworks in place to protect individuals and that the UK continues to be a world-leading, innovation-friendly digital economy."

Ian Levy, technical director at the National Cyber Security Centre, said: "Shoppers should be given high-quality information to make choices at the counter. We manage it with fat content of food and this is the start of doing the same for the cyber security of technology products."

The review is intended to outline practical steps for manufacturers, service providers and developers.

The code says that all passwords on new devices and products must be unique and must not be resettable to a factory default; that vulnerability disclosure policies and public points of contact must be made available so issues can be reported immediately; and that sensitive data transmitted over apps or products must be encrypted.

It also says software should be updated automatically; that consumers should be able to delete personal data held on devices and products; and that installation and maintenance of devices should be easy.

In addition, it proposes developing a product labelling scheme so consumers are aware of a product's security features at the point of purchase.

Munro added that the threat to national infrastructure via botnets was a "concerning threat" but said these measures alone would not be enough to prevent IoT attacks.

However, Raj Samani, chief scientist at McAfee, said the code was "a welcome step on the road to ensuring a standard level of security across these devices".

The government is asking for feedback on the draft proposals until 25 April. ®
