Mandatory IoT Security in the Offing with U.K. Proposal

uk iot device law regulation

The new U.K. law mandates that manufacturers apply several security controls to their connected devices.

The U.K. government has unveiled a proposed law aimed at securing internet of things (IoT) devices, which have historically been riddled with basic security issues.

The drafted law, announced on Monday, comprises three main mandates for IoT manufacturers. First, all consumer IoT device passwords must be unique (and not resettable to universal factory settings). IoT device manufacturers must also provide a public point of contact so that anyone can report a flaw, to be “acted on in a timely manner;” and, manufacturers must also explicitly state the minimum length of time for which devices will receive security updates at the point of sale.

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,” Matt Warman, U.K. Minister for Digital and Broadband, said in a statement. “It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”

The regulation was developed by the Department for Digital, Culture, Media and Sport after an extensive consultation period that kicked off in May 2019, when the U.K. announced it was accepting regulatory proposals for IoT security regulation.

The U.K. government said that it aims to “deliver the legislation as soon as possible.”

Security experts like Ken Munro, partner at Pen Test Partners, applauded the proposed law: “There is clearly broad support for the proposed regulation of consumer smart devices, however without swift legislation this is just another meaningless consultation,” Munro told Threatpost. “The government needs to act now to help protect us from smart device manufacturers who play fast and loose with our privacy, safety and security. I’m supportive of the government’s proposed legislation, so long as it is the first step on a path towards wide-ranging, robust regulation of the internet of things.”

The U.K. previously only had a voluntary “Secure by Design Code of Practice” for consumer IoT security, launched in 2018; however, this was a guidance and had no penalties for manufacturers who did not comply.

However, several more solidified attempts at IoT security regulation do exist globally.

The closest of these to become law in the U.S. is the California Senate Bill 327 (SB-327), which would require “reasonable security feature or features that are appropriate to the nature and function of the device.” SB-327, which was first proposed in 2018 and became law in January 2020, drew backlash from the security community, which said that it was a good first step but did not go far enough in regulating IoT security.

Researchers continue to find basic security issues in IoT devices that are on the market – from factory-set default passwords to disturbing privacy issues.

Over the past years, vulnerabilities in an array of devices have made headlines: including the popular smartwatch TicTocTrack, which was discovered to be plagued by security issues that could allow hackers to track and call children; vulnerabilities uncovered in a popular smart deadbolt that could allow attackers to remotely unlock doors and break into homes; and flaws in more than 2 million IP security cameras, baby monitors and smart doorbells that could enable an attacker to hijack the devices and spy on their owners.

Suggested articles