Manufacturers of IoT devices should be ready for imminent legislation.
Smartphones, smart fridges, wearable devices and virtual assistants… the flood of IoT devices onto the market has revolutionised how we work and live. It’s also generated serious security and privacy risks, which legislators are looking to address.
What risks does the IoT create?
The Internet of Things (IoT) is the catch-all term for the plethora of objects and devices that connect over the internet to interact or ‘talk’ with each other. In recent years the law has struggled to keep up with the increasing risks that the IoT now poses for individuals, businesses, and the worldwide community.
IoT devices give cyber criminals new routes of attack, such as compromising a device to gain a foothold on a home or business network and steal personal data such as bank details, risks that did not exist when current legislation was drafted.
How are they being tackled?
In March 2018, the UK government published its Secure by Design report into IoT security, and in October that year issued a Code of Practice for Consumer IoT Security (the UK Code) for IoT manufacturers to follow.
Although the Code is voluntary, big names such as HP and Centrica have already signed up to commit themselves to it. In February 2019, the European Telecommunications Standards Institute (ETSI) released its own standard, ETSI TS 103 645 (Cyber Security for Consumer Internet of Things), which is built on the same 13 areas identified in the Code, albeit in more detail.
The EU is also set to pass a new Cybersecurity Act this year, which should have a powerful impact on companies operating in the IoT sphere. The Act is expected to include a voluntary certification scheme, which manufacturers of IoT devices should be looking to follow.
13 key areas to comply with
Manufacturers should anticipate forthcoming legislation by ensuring they comply with the requirements of the UK Code, which includes these 13 key measures:
- No default passwords – every device password should be unique to that device, and a factory reset must not restore a universal default value.
- Implement a vulnerability disclosure policy – including a public point of contact for security researchers to report issues.
- Keep software updated – updates should be timely, easy to implement, and not impact the functioning of the device. There should be an end-of-life policy, which clearly states when updates will cease.
- Securely store credentials and security-sensitive data – hard-coded credentials in device software, and plaintext storage of credentials, are not acceptable.
- Communicate securely – security-sensitive data, including any remote management and control traffic, should be encrypted in transit.
- Minimise exposed attack surfaces – operate on the ‘principle of least privilege’ by closing access to unused ports and managing account privileges.
- Ensure software integrity – devices should verify their software with a secure boot mechanism; if an unauthorised change is detected, the device should alert the user and connect only to the networks needed to raise that alert.
- Ensure personal data is protected – by applying the rules of the GDPR.
- Make systems resilient to outages – devices should remain operating and locally functional as far as reasonably possible in the event of a loss of network or power.
- Monitor system telemetry data – look for security anomalies.
- Make it easy for consumers to delete personal data – account for changes of ownership and second-hand sale of IoT devices.
- Make it easy to install and maintain devices – it should not be difficult for users to configure their devices securely.
- Validate input data – data entered through user interfaces, received via APIs or transferred between networks, services and devices should be validated, so that malformed or unexpected input cannot be used to compromise the device or the service behind it.
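The first and fourth measures (no universal default passwords; credentials stored securely) are the ones most often failed in practice, so here is a worked illustration of how a manufacturer's provisioning code can satisfy both. This is an added example written for this page, not code from the UK Code, ETSI or any named manufacturer. It assumes a device that can draw on an OS random source at provisioning time, a hypothetical `DeviceCredentialStore` that stands in for the device's protected storage, and a constructed deny-list of well-known universal defaults; the per-device password is generated once, shown to the user once (for example on a label or first-boot screen), and only a salted scrypt hash is retained, so a factory reset produces a fresh unique credential instead of restoring a shared default.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

# Constructed deny-list of universal factory defaults that a generated
# credential must never collide with (illustrative, not from the Code).
UNIVERSAL_DEFAULTS = {"admin", "password", "1234", "12345", "default", "root", "user"}

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 16

# scrypt parameters: 128 * r * n bytes of memory (16 MiB here), one pass.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32


def is_universal_default(candidate: str) -> bool:
    """True if the candidate is one of the shared defaults the Code forbids."""
    return candidate.lower() in UNIVERSAL_DEFAULTS


def generate_device_password(length: int = PASSWORD_LENGTH) -> str:
    """Per-device password from the CSPRNG (secrets), never from a fixed string."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_universal_default(pw):
            return pw


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash; the plaintext is never written to storage."""
    return hashlib.scrypt(pw.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


@dataclass
class DeviceCredentialStore:
    """Hypothetical stand-in for the device's protected credential storage.

    Only the salt and the scrypt digest are kept; there is no field for the
    plaintext password, so it cannot be hard-coded or leaked from storage.
    """
    salt: bytes
    digest: bytes

    @classmethod
    def provision(cls) -> tuple["DeviceCredentialStore", str]:
        """Factory provisioning: returns the store and the one-time plaintext
        that goes on the device label or first-boot screen."""
        pw = generate_device_password()
        salt = secrets.token_bytes(16)
        return cls(salt, hash_password(pw, salt)), pw

    def verify(self, candidate: str) -> bool:
        """Constant-time comparison of the candidate's hash with the stored digest."""
        return hmac.compare_digest(hash_password(candidate, self.salt), self.digest)

    def factory_reset(self) -> str:
        """Reset issues a fresh unique credential and a fresh salt; it never
        falls back to a value shared across the product line."""
        pw = generate_device_password()
        self.salt = secrets.token_bytes(16)
        self.digest = hash_password(pw, self.salt)
        return pw


def accepts_any_universal_default(store: DeviceCredentialStore) -> bool:
    """Compliance check a manufacturer can run against a provisioned device:
    a store that lets any deny-listed default log in fails the Code."""
    return any(store.verify(d) for d in UNIVERSAL_DEFAULTS)


if __name__ == "__main__":
    store, label_password = DeviceCredentialStore.provision()
    print("label password (shown once):", label_password)
    print("login with label password:", store.verify(label_password))
    print("login with 'admin':", store.verify("admin"))
    after_reset = store.factory_reset()
    print("old password still works after reset:", store.verify(label_password))
    print("new password works after reset:", store.verify(after_reset))
    print("accepts any universal default:", accepts_any_universal_default(store))
```

The check at the end is the one to keep in a production test suite: it is cheap to run against every firmware build and catches the exact failure (a shared, resettable default) that the first measure of the Code exists to prevent. The scrypt parameters are sized for a device that can spare 16 MiB for a login; lower `SCRYPT_N` on tighter hardware rather than dropping the salted key derivation altogether.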
Time to take action
Whilst these are currently codes of best practice, they are likely to be followed by legislation that is rigorously applied. For manufacturers of IoT devices, ensuring compliance now could help avoid costly penalties later.
For more advice about the impact on your business of the UK Code of Practice, the ETSI standard and the forthcoming EU Cybersecurity Act, please talk to our privacy and data protection team.
The 101: Internet of Things series will provide insight into the key considerations on topical issues relating to IoT. Next time – we give an update on the Cybersecurity Act and developments in the IoT space.