Cybersecurity and the Internet of Things


Yes, I know that, with everything going on in the world, this is hardly a top priority right now. But a report on The Register caught my eye this week, and reminded me I had intended to write about this. So here we go.

There has been talk for a while about security problems with IoT devices, and what needs to be done to mitigate those.

The government has issued a code of practice and, frankly, it's all really rather sensible.

It is — dare I say it? — a pretty good summary of the kind of things you would hope all manufacturers of IoT devices are already doing.

Is the code of practice a law?

No.

The government consulted on regulation to secure consumer IoT in May 2019, drawing on the code of practice, and it issued its response in January 2020.

While it talks about regulation, and the government has said that it is:

[c]ommitting to taking forward new legislation to mandate core aspects

of the code of practice, I have not seen any draft legislation. As far as I can tell, it's "principles only" at this stage.

(And, if I'm wrong, and there is draft legislation which I've missed or forgotten, I'll update this.)

What types of device are in scope?

I don't find this clear.

The Code of Practice says that it applies to:

consumer IoT products that are connected to the internet and/or home network and associated services

There is an (expressly non-exhaustive) list of examples, including:

  • Connected children’s toys and baby monitors
  • Connected safety-relevant products such as smoke detectors and door locks
  • Smart cameras, TVs and speakers

I think that this means that network infrastructure — such as routers, wireless access points, and powerline devices — and mobile phones (some of which receive software updates for far longer, and with far greater regularity, than others) are out of scope, even if aimed at the consumer market.

(There are existing rules governing security of networks and services, as well as sector-specific privacy obligations, but these do not bite on companies which manufacture networking equipment but do not operate networks or services.)

What obligations are in scope?

The code of practice contains a number of different obligations (and, in my view, they are all pretty sensible) but not all of them look set to make their way into the first phase of legislation.

Instead, it looks as if just three principles will make the initial cut:

  1. IoT device passwords must be unique and not resettable to any universal factory setting.
  2. Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
  3. Manufacturers of IoT products explicitly state the minimum length of time for which the device will receive security updates.

Kitemarking — putting labels on products so that consumers can tell at a glance what is happening — appears to be on the backburner for now.

How these are implemented in law will be interesting.

I've griped before that a legal requirement that a password must be "unique" is going to be a fun one. I am guessing that a UUID-type solution would fit the bill (although hardly user-friendly, if they have to type it in anywhere), and I suspect that this is what was meant by "unique" even if it's not necessarily what "unique" would mean legally. This is the kind of issue which makes me keen to see actual draft legislation.
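An added example, not from the original post or the code of practice: one way to give each device a password that is random like a UUID (125 random bits here, against 122 in a version 4 UUID) but easier to type from a label, with a factory reset that restores the device's own credential. The alphabet, grouping, scrypt parameters and the `provision_batch` and `factory_reset` names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Crockford base32 alphabet: no I, L, O or U, so a printed label is hard to misread.
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
# Forgiving input: letters commonly typed in place of digits are mapped back.
CONFUSABLE = str.maketrans({"O": "0", "I": "1", "L": "1"})

def generate_password(groups=5, group_len=5):
    """Random label password in dash-separated groups; 25 symbols x 5 bits = 125 bits."""
    chars = [secrets.choice(ALPHABET) for _ in range(groups * group_len)]
    return "-".join("".join(chars[i:i + group_len])
                    for i in range(0, len(chars), group_len))

def normalise(typed):
    """Canonical form of user input: upper case, no separators, confusables mapped."""
    return typed.upper().replace("-", "").replace(" ", "").translate(CONFUSABLE)

def make_record(password):
    """Per-device factory record: random salt plus scrypt hash, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(normalise(password).encode(), salt=salt, n=2**14, r=8, p=1)
    return {"salt": salt, "hash": digest}

def verify(typed, record):
    """Constant-time check of typed input against one device's record."""
    digest = hashlib.scrypt(normalise(typed).encode(), salt=record["salt"],
                            n=2**14, r=8, p=1)
    return hmac.compare_digest(digest, record["hash"])

def provision_batch(serials):
    """Give every serial its own password, regenerating on the rare collision."""
    labels, records, seen = {}, {}, set()
    for serial in serials:
        password = generate_password()
        while password in seen:
            password = generate_password()
        seen.add(password)
        labels[serial] = password                 # printed on the device label
        records[serial] = make_record(password)   # stored in the factory partition
    return labels, records

def factory_reset(serial, records):
    """Reset restores this device's own record, not a default shared by the product line."""
    return records[serial]
```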

Who is in scope?

The government outlined four groups of actor in its consultation document:

  • Device Manufacturers – The entity that creates an assembled final internet-connected product. A final product may contain the products of many other different manufacturers.
  • IoT Service Providers – Companies that provide services such as networks, cloud storage and data transfer which are packaged as part of IoT solutions. Internet-connected devices may be offered as part of the service.
  • Mobile Application Developers – Entities that develop and provide applications which run on mobile devices. These are often offered as a way of interacting with devices as part of an IoT solution.
  • Retailers – The sellers of internet-connected products and associated services to consumers.

We will need to see on whom the initial set of three obligations is placed. The Device Manufacturers will, ultimately, need to ensure that they, or their supply chain, implement the requirements, but, without obligations on Retailers, those requirements are unlikely to be effective.

Will it just lead to another set of contractual requirements imposed upstream from retailers? We'll just have to wait and see.

Also unclear is whether this can have any impact on the floods of cheap devices available on the likes of AliExpress. I doubt it. But, perhaps, if you choose to buy from there rather than a "high street retailer" or its digital equivalent, caveat emptor remains appropriate?