IoT security: Follow these rules to protect your users from hackers, gadget makers told

New guidelines for IoT makers have been published. But will device manufacturers pay attention?
Written by Danny Palmer, Senior Writer

A government-backed scheme aims to tackle the issue of poor security in the Internet of Things (IoT) by encouraging manufacturers to produce connected devices that are secure by design and easy to update.

The Secure by Design code of practice for the IoT has been launched by the Department for Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) and is based on advice from industry, security experts, academia, and consumer organisations.

Guidelines include telling hardware makers to eliminate universal default usernames and passwords for IoT devices, in order to ensure that products aren't sold with basic login credentials that can easily be breached by attackers. Poor password security has been the cause of a number of IoT-related security breaches.

Other recommendations to IoT product manufacturers are that they should implement a vulnerability disclosure policy, so that any security holes can be reported and acted upon, and that security software updates must be provided regularly. Patches should be easy to apply in a manner that won't impact the function of the device.

IoT devices should also be built in such a way that it's simple for consumers to install and maintain them without putting their security at risk. The guidelines also say that any data held on the device should be stored securely, with an easy way for consumers to delete their data if they choose to do so.

In total, the Secure by Design code of practice has 13 recommendations for manufacturers of consumer IoT devices to implement to keep users safe -- and GDPR-compliant.


It's hoped that retailers will also take note of the code and only stock devices that follow its recommendations.

"With the amount of connected devices we all use expanding, this world-leading Code of Practice couldn't come at a more important time," said Dr Ian Levy, technical director at the NCSC.

"The NCSC is committed to empowering consumers to make informed decisions about security whether they're buying a smart watch, kettle or doll. We want retailers to only stock internet-connected devices that meet these principles, so that UK consumers can trust that the technology they bring into their homes will be properly supported throughout its lifetime," he added.

Currently, two technology manufacturers have publicly pledged to follow the voluntary code of practice -- Centrica Hive and HP. But that's just two in a vast sea of IoT product manufacturers -- many of which could just choose to ignore the recommendations.

"While it's certainly a step in the right direction that the UK government has issued a new code of practice to help manufacturers improve the security of internet-connected devices, it's unlikely that the industry will act upon it, given that it is voluntary," said John Sheehy, VP of strategy at cyber security firm IOActive.

"Unfortunately, many manufacturers of these devices are more concerned with getting a minimally viable product to market than whether or not it is secure. As a result, many IoT devices expose their owners to significant risks," he added.


While organisations could choose to ignore the guidelines, there's a strong implication throughout the documents that IoT product makers who opt not to apply Secure by Design from the ground up are putting themselves, and their users, at risk from hackers.

The government has previously suggested it could "look to make these guidelines compulsory through law" if manufacturers don't take up the guidelines.

The UK isn't alone in attempting to secure the Internet of Things -- ENISA, the European Union's cybersecurity agency, is also working towards legislation in this area, while the US government is also looking to regulate IoT in an effort to protect against cyber attacks.

The code of practice could play a role in shaping an international effort to improve IoT security. The UK is already working to turn the code of practice into an international standard that can be recognised and accredited around the world.

In order to help this along, the code of practice has also been published in French, German, Japanese, Korean, Mandarin, Portuguese, and Spanish.
