Internet of Things devices: Stick to these security rules or you could face a ban

Proposals from the UK government and the National Cyber Security Centre could see court orders or fines for manufacturers deemed to be ignoring recommendations on keeping IoT devices safe from hacking.
Written by Danny Palmer, Senior Writer

Insecure Internet of Things devices and other connected products could be banned from use in homes and businesses if they fail to meet basic security standards.

Proposals from the Department for Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) have set out three standards that manufacturers will have to follow if their smart devices are to be sold in the UK – and potential punishments if the standards aren't met.

The proposed rules are relatively modest in scope. They would require that device passwords be unique and not resettable to any universal factory default, that manufacturers provide a public point of contact so anyone can report a vulnerability, and that makers state the minimum length of time for which the device will receive security updates.


The NCSC is also looking for feedback from product manufacturers on the proposed legislation, so that manufacturers can be helped to make IoT devices as secure as possible.

"People are at risk because fundamental security flaws in their connected devices are often not fixed – and manufacturers need to take this seriously," said Dr Ian Levy, technical director at the NCSC.

"We would encourage all consumer device manufacturers to make their views heard and help us ensure the technology people bring into their homes is as safe and secure as possible."

The government is also seeking suggestions on the sanctions required. For example, one option is that devices that don't meet the security requirements could be temporarily or even permanently banned from being sold in the UK. Products deemed to be insecure could also be issued with recall notices, requiring manufacturers and retailers to organise the return of devices.

It's even possible that manufacturers who are deemed to have sold insecure devices that put consumers and businesses at risk could have the products confiscated and destroyed, and even find themselves issued with a financial penalty.

The aim of the proposals is to help protect UK citizens and businesses from the threats posed by cyber criminals increasingly targeting Internet of Things devices. IoT devices can be a weak point into home and corporate networks, providing cyber criminals with a backdoor into targets, as well as the ability to rope in IoT devices to conduct DDoS attacks.

"Internet of Things products are quickly growing in popularity but most people still do not realise the dangers to personal data from smart products that are insecure," said Graham Wynn, assistant director of the British Retail Consortium.

"We welcome practical proposals from the government based on the three rigorous requirements to ensure that consumers' safety and privacy are protected," he added.


The proposed rules were first detailed as potential legislation earlier this year; the latest announcement moves them another step closer to becoming law.

The UK isn't alone in attempting to secure Internet of Things devices – ENISA, the European Union's cybersecurity agency, is also working towards legislation in this area, while the US government is also looking to regulate IoT in an effort to protect against cyberattacks.
