IoT security crackdown: Stop using default passwords and guarantee updates, tech companies told

Smart device makers will have to keep to these three rules if they want to sell their gadgets.
Written by Steve Ranger, Global News Director

Internet of Things (IoT) device makers will have to do away with default passwords and guarantee that their products will get security updates for a certain amount of time under new rules being considered by the UK government.

Options under consideration by the government include a mandatory labelling scheme that would tell consumers how secure products such as smart TVs, toys and other IoT appliances really are. Under the mandatory option, retailers would only be able to sell products that carry the IoT security label.

IoT devices would have to comply with a set of security rules, such as making passwords unique per device and not resettable to any universal factory setting. Manufacturers of IoT products would have to provide a public point of contact as part of a vulnerability disclosure policy, and would have to state explicitly the minimum length of time for which the device will receive security updates.

Following a government consultation, the security label will initially be launched as a voluntary scheme to help consumers identify products that have basic security features and those that don't.


Many internet-connected consumer products are found to be insecure, putting consumer -- and business -- privacy and security at risk.

In the rush to be first to market with IoT devices, tech companies often fail to ensure that their devices can be properly secured. Devices are often shipped with an easily guessed default password (or no password at all) that is shared across an entire product line, which allows attackers who know it to gain access to every unit; as consumer IoT devices often carry a video camera or microphone, this puts consumer privacy directly at risk. Some vendors build devices that cannot be updated when flaws are discovered; others simply do not provide security fixes at all.
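The two credential failures described above, a universal default shared across a product line and a factory reset that restores it, can be avoided at design time. The following is an added example written for this page, not code from the article, the UK code of practice or any device maker; the `Device` class, its method names and the list of default credentials are constructed for illustration and the list is not exhaustive. It provisions a random per-unit label password at manufacture, makes factory reset return to that unit's own credential rather than a universal one, rejects known universal defaults and empty passwords when the owner sets a new one, and includes a fleet-level check that no two units share a credential.

```python
"""Per-device factory credentials instead of a universal default (added example)."""
import hashlib
import hmac
import secrets
import string

# Constructed sample of universal factory credentials (username, password) of the
# kind shipped on many consumer devices. Illustrative only, not an exhaustive list.
UNIVERSAL_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}

PBKDF2_ROUNDS = 100_000  # assumption: tuned for the example, not a vendor setting


def is_universal_default(username: str, password: str) -> bool:
    """True for an empty password or a (user, password) pair shared across a product line."""
    return password == "" or (username, password) in UNIVERSAL_DEFAULTS


def make_device_password(length: int = 16) -> str:
    """Random per-unit password generated at manufacture and printed on the device label."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the device stores only this, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Device:
    """Hypothetical device credential store (constructed for this example).

    A factory reset restores this unit's own label password, never a value
    shared with other units, and forces a password change on next login.
    """

    def __init__(self, serial: str, username: str = "admin"):
        self.serial = serial
        self.username = username
        self.label_password = make_device_password()  # unique per unit, printed on the label
        self._salt = secrets.token_bytes(16)
        self._hash = hash_password(self.label_password, self._salt)
        self.must_change_password = True

    def factory_reset(self) -> None:
        """Return to the per-unit label credential, not to a universal default."""
        self._salt = secrets.token_bytes(16)
        self._hash = hash_password(self.label_password, self._salt)
        self.must_change_password = True

    def set_password(self, new_password: str) -> None:
        """Reject universal defaults, empty or short passwords, and the label password itself."""
        if is_universal_default(self.username, new_password):
            raise ValueError("password is a universal factory default")
        if len(new_password) < 12:
            raise ValueError("password too short")
        if new_password == self.label_password:
            raise ValueError("choose a password other than the one printed on the label")
        self._salt = secrets.token_bytes(16)
        self._hash = hash_password(new_password, self._salt)
        self.must_change_password = False

    def check_login(self, username: str, password: str) -> bool:
        """Constant-time comparison of the stored hash against the candidate."""
        if username != self.username:
            return False
        return hmac.compare_digest(self._hash, hash_password(password, self._salt))


def shared_credentials(devices) -> bool:
    """Fleet check at the end of the production line: True if two units share a label password."""
    seen = set()
    for d in devices:
        if d.label_password in seen:
            return True
        seen.add(d.label_password)
    return False
```

The point of `factory_reset` is that the credential a reset restores is still unique to the unit; a product that resets to `admin`/`admin` fails the "not resettable to any universal factory setting" rule even if it shipped with a unique password. The `must_change_password` flag is what a setup flow would read to force the owner off the label password on first login.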

The government argues that the rules in its IoT code of practice are the first steps towards making sure that products have security features built in from the design stage and not bolted on as an afterthought.

Ian Levy, technical director at the UK's cybersecurity body, the National Cyber Security Centre, said that serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered. "It's unacceptable that these are not being fixed by manufacturers," he added.

The consultation follows the government's voluntary Secure by Design Code of Practice for consumer IoT security, which was launched last year and has been backed by some IoT device makers, including Centrica Hive, HP Inc, Geo and Panasonic.
