Government Guidelines Aim To Secure Smart Devices

The government has issued draft guidelines aimed at making internet-connected devices more secure, following a string of high-profile hacking incidents.

The voluntary code of practice draft follows a comprehensive review that included the participation of manufacturers, retailers and the National Cyber Security Centre (NCSC).

It requires manufacturers to ensure that the administrator passwords found in devices are unique and can’t be reset to a uniform factory default, and that communications from devices are encrypted.

Other advice from the Security By Design review is that manufacturers should have a point of contact for security researchers, provide automatic software updates, and make it easy for consumers to delete personal data and carry out installation and maintenance tasks.

‘Smart’ devices set to soar

The government estimates every British household contains at least 10 internet-connected devices, with the figure set to rise to 15 by 2020.

Most of those devices are considered easy to hack. In 2016 malware called Mirai created a botnet of around 100,000 devices, mostly webcams, and used it to take a number of high-profile websites offline. The malware hacked devices by searching for those that used default passwords.

TV set-top boxes, smart watches and children’s toys have also been targeted.

The review outlines “practical steps” for manufacturers, service providers and developers, the government said, adding the code would improve cyber-security while continuing to encourage innovation.

Margot James, minister for digital and the creative industries, said the government wants everyone to benefit from the “huge potential” of internet-connected devices.

But it’s important such devices are “safe” and make a “positive impact”, she said.

“We have worked alongside industry to develop a tough new set of rules so strong security measures are built into everyday technology from the moment it is developed,” James said.

Security ‘kitemark’

NCSC technical director Dr Ian Levy said the centre aims to “stop people being expected to make impossible safety judgements with no useful information”.

He said the NCSC hopes the review leads to a government-certified label indicating devices’ security arrangements and their effective lifespan.

Which? welcomed the scheme as a first step, while McAfee chief scientist Raj Samani said the code of practice was a move toward “ensuring a standard level of security across these devices”.

But Pen Test Partners’ Ken Munro said the scheme could not make an impact as long as it remained voluntary.

“Responsible manufacturers are already addressing IT security in devices, so that means this code will apply to fly-by-night ones that aren’t,” he said. “But because this standard isn’t compulsory, (and) there is no legislation or kitemark, it will have no effect.”

He said the government needs to update consumer protection laws to address Internet of Things (IoT) security issues.

“We do it with electrical safety, so why not IoT?” he said.

The government is seeking feedback on the proposal until 25 April.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
