With the IoT growing to 22 billion devices by 2025*, the UK Government has published a new code of practice for tackling IoT security and data vulnerability. We look at its key recommendations and their impact.
The internet has become so integral to our lives, it’s almost impossible to imagine a time without it. Even seeing the no signal or no Wi-Fi icon in the top corner of a computer or smart device is enough to give some a mild panic attack.
The world has moved far beyond computers and phones being the only online devices. A whole range of everyday products that play significant roles in people’s lives are now connected to the internet. These smart devices, such as house alarms, doorbells, baby monitors and health trackers, are technically known as Internet of Things or IoT devices.
The increasing proliferation of IoT devices prompted the UK Government to issue a new code of practice on 14 October 2018, aimed at manufacturers, service providers, app developers and retailers. Although the Code is non-binding, it aims to provide practical guidance, with 13 guidelines on security best practice for IoT devices.
We’ve chosen five guidelines from the Code we think are worth highlighting. See the full Code here.
No default passwords (Guideline 1)
The Code specifies each IoT device should have a unique password when manufactured. A factory default setting across the same line of products makes devices too easy a target for security breaches or hacks, especially if consumers don’t realise that they need to change the username and password when setting up the device.
Although the Code does not provide any specific examples, IoT device manufacturers are encouraged to find alternative ways for users to authenticate their devices, to reduce security risks. While not foolproof, IoT devices which require voice, touch or even facial recognition as a mandatory part of the set-up process are currently seen as the most practical alternatives.
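The Code says what the outcome must be (a unique password per device, never a factory-wide default) but not how a manufacturer gets there. The following is an added illustration, not code from the Code or from this article, of what a factory provisioning step can look like: each serial number is assigned its own password from a cryptographically secure random source, a known-default list is constructed here purely as sample data, and an audit function checks a finished batch for shared, short or default credentials so that a non-compliant batch is caught before devices ship. Function and variable names are assumptions made for this example.

```python
import secrets
import string
from typing import Dict, List

# Constructed sample of factory defaults that must never leave the production line.
# A real deployment would use a maintained list; this set is illustrative only.
COMMON_DEFAULTS = {"admin", "password", "123456", "12345678", "1234", "default", "user"}

ALPHABET = string.ascii_letters + string.digits


def generate_device_password(length: int = 16) -> str:
    """Return a password drawn from the OS CSPRNG (secrets), never a known default."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if candidate.lower() not in COMMON_DEFAULTS:
            return candidate


def provision_batch(serials: List[str], length: int = 16) -> Dict[str, str]:
    """Assign every serial its own password; retry on the (vanishingly rare) collision."""
    creds: Dict[str, str] = {}
    used = set()
    for serial in serials:
        password = generate_device_password(length)
        while password in used:
            password = generate_device_password(length)
        used.add(password)
        creds[serial] = password
    return creds


def audit_batch(creds: Dict[str, str], length: int = 16) -> List[str]:
    """Return findings for a batch; an empty list means every device has a unique, non-default password."""
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for serial, password in creds.items():
        if password.lower() in COMMON_DEFAULTS:
            findings.append(f"{serial}: common default password")
        if len(password) < length:
            findings.append(f"{serial}: password shorter than {length} characters")
        if password in seen:
            findings.append(f"{serial}: password shared with {seen[password]}")
        else:
            seen[password] = serial
    return findings


if __name__ == "__main__":
    # Constructed serial numbers for a three-unit demonstration batch.
    batch = provision_batch(["SN-0001", "SN-0002", "SN-0003"])
    print("compliant batch findings:", audit_batch(batch))
    # A factory-wide default, the pattern Guideline 1 rules out, is flagged on every unit.
    print("default batch findings:", audit_batch({"SN-0001": "admin", "SN-0002": "admin"}))
```

The audit is deliberately separate from generation: a manufacturer can run it against any credential export, including batches produced by a legacy process, which is where factory-wide defaults tend to surface.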
Regular software updates (Guideline 3) and outage-resilient systems (Guideline 9)
These two guidelines seem to serve a similar purpose.
Consistent software updates for IoT devices, particularly those relating to device security, should be prioritised and provided on a proactive basis and over a secure platform. Equally, while a manufacturer or service provider would never aim to create a product or service that’s vulnerable to outages, the Code is clear that IoT devices should be resilient to data and/or power outages.
Since IoT devices are playing an increasingly important role in users’ lives, the Code suggests that they should maintain a basic level of functionality even during software updates or outages. This is especially important for IoT devices with a security function (such as doorbells or house locks).
Although not covered by the Code in any great detail, this critical functionality during software updates or outages should also extend to all life-impacting IoT devices – more likely to be the heart monitors of tomorrow than the fitness trackers of today.
Protection of personal data and transparency of use (Guideline 8)
Recognising that IoT devices will almost certainly process users’ personal data, the Code highlights that device manufacturers, service providers and app developers must comply with relevant data protection legislation including the General Data Protection Regulation (GDPR) and Data Protection Act 2018.
Manufacturers and service providers will need to be clear and transparent about how, for what purpose and by whom user data is being processed. This includes being clear on third party processors such as advertisers and transparent about which devices and services are processing a user’s personal data. As IoT devices generally have a limited life cycle, it’s also critical that users are able to remove their personal data easily from a device, as well as any associated services and applications.
Arguably this guideline packs the biggest punch, as potential fines for non-compliance with GDPR can be €20 million or up to 4% of worldwide group annual turnover, whichever is greater.
Easy installation and maintenance (Guideline 12)
Brands often talk about the user experience of their products and this is no less important for IoT devices. The Code makes the point that ensuring easy installation and maintenance with minimal steps is the best way to avoid a user misconfiguring a device and leaving it vulnerable to cyber security attacks.
Practically speaking, this means spending both time and money on the user interface to make sure the user experience is as smooth as possible, in turn reducing security risks.
The world and everything in it is becoming more connected, or smarter, all the time. New IoT devices are being designed and released with increased frequency and functionality. The Code is not breaking new ground by suggesting that consumer security should be at the heart of all IoT devices. However, with serious legal and reputational risks at stake, it’s clear that paying close attention to the Code would be the smart thing to do.