New UK laws are forcing IoT product manufacturers to adhere to three new security requirements. They are intended to protect us from hacking through connected devices. The big question is – why hasn’t this been done before?
IoT (Internet of Things) devices cover a broad spectrum. This applies to pretty much any device that connects to the internet. There are three categories: consumer, enterprise and industrial.
We’re talking here about everything from wearables, smart TVs and traffic monitors to security systems.
Today, the UK government announced new legislation. This reflects research figures indicating that 75 billion IoT devices will be in homes by 2025.
This legislation is designed to protect consumers from security breaches and hacking. Digital Minister Matt Warman says:
Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.
From my perspective, this is already an afterthought. It isn’t as if connected living is a brand new concept!
We have heard horror stories such as the Ring security camera hacking in Memphis. Researchers are identifying new ways to hack smart homes every day, such as using Light Commands – as we reported nearly three months ago.
I wonder what has prompted this belated action. Perhaps it is a kneejerk reaction to the Californian Senate SB-327 security bill, which demands ‘reasonable security features’ on all IoT devices. The bill took effect on 1st January 2020.
The new rules are these:
- All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting
- Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
- Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in-store or online
This doesn’t exactly sound groundbreaking (or is it just me?). I can’t believe that it has taken until 2020 to make password security a bare minimum for internet-connected devices.
In fact, it makes me feel less secure. It means that, until now, a connected device may not have had even minimal security measures in place. Perhaps that consumer naivety isn’t personal to me – I would have thought these very generic measures would be standard.
As someone who has an Amazon Alexa, uses all the usual entertainment tech you’d expect with a small child and enjoys the convenience of a car which regularly asks me to have it ‘plugged in for updates’ – how safe is my data really?
The third rule is the requirement on manufacturers to commit to a minimum period during which their products will continue to receive security updates.
The timing is relevant, given the outcry over Sonos. Sonos had announced that legacy products would not receive updates from May onwards. The lack of sustainability was a big concern, as Sonos had implemented a ‘kill switch’ to render devices useless.
Sonos has made a swift about-turn in the policy. Not only will old devices have a setting that wipes the data, and therefore allows them to be recycled or reused, but they will continue to be updated for ‘as long as possible’. Sonos CEO Patrick Spence says:
While legacy Sonos products won’t get new software features, we pledge to keep them updated with bug fixes and security patches for as long as possible.
Ostensibly, this is a reaction to consumer satisfaction; however, I can’t help but note that Sonos is based in Santa Barbara, California.
That’s right – the very same place where the new SB-327 bill was passed at the start of the month. So is this consumer recognition, or future-proofing their compliance with legislation?
What do you think about the IoT laws? Do you feel concerned about the security of your existing IoT devices?