Smart device security guidelines ‘need more teeth’

The UK government has announced guidelines to make internet-connected devices safer to use following a spate of security breaches.

They include moves to make sure passwords are unique and not resettable to a factory default and that sensitive data transmitted via apps is encrypted.

But the guidelines are not binding, leading some to question how effective they will be. One expert said they would not stop “irresponsible” manufacturers.

As well as the stricter guidance on passwords and recommended encryption, the government’s Security by Design review suggested:

  • Device manufacturers have a point of contact so that security researchers can report issues immediately
  • Software should be updated automatically with clear guidance for customers
  • It should be easy for consumers to delete personal data
  • Installation and maintenance should be easy for consumers

The government estimates that every household in the UK owns at least 10 internet-connected devices – a figure that is expected to rise to 15 by 2020. In Germany there is a ban on the sale of smartwatches aimed at children, and the internet-connected doll My Friend Cayla over fears that both could act as spying devices.

Fast and loose

Ken Munro, an analyst at security firm Pen Test Partners, said of the review: “It’s a good start but misses too much to be of great use.”

He said: “Responsible IoT (internet of things) manufacturers are already addressing security. It’s the irresponsible manufacturers who aren’t interested, don’t care about our security or who refuse security on grounds of cost that we need to worry about.

“Without ‘teeth’, this standard is meaningless. Manufacturers who already play fast and loose with our security to make a quick buck from us won’t change anything.”

Mr Munro also revealed that the measures suggested would not have prevented many of the recently reported security breaches of smart devices, such as the Mirai botnet that used internet-connected devices – such as CCTV cameras and printers – to attack popular websites.

Margot James, minister for digital and the creative industries, said: “We want everyone to benefit from the huge potential of internet-connected devices, and it is important they are safe and have a positive impact on people’s lives.

“We have worked alongside industry to develop a tough new set of rules so strong security measures are built into everyday technology from the moment it is developed.”

Dr Ian Levy, from the National Cyber Security Centre, which worked on the review, said he hoped the guidelines would act as a “kitemark” for such goods.