New IoT security rules: Stop using default passwords and allow software updates

New rules set out best practice for IoT devices, but are the makers going to listen?
Written by Danny Palmer, Senior Writer

Internet of Things (IoT) devices should never be equipped with universal default passwords, and any credentials or personal data within the device must be securely stored, while devices must provide be easy for consumers to configure and delete data from.

The requirements are just some of those featured in a report which sets out suggestions for overhauling the security of the IoT in order to protect consumers and industry from the growing risk of these devices being hacked and attacks carried out using compromised connected devices.

SEE: What is the IoT? Everything you need to know about the Internet of Things right now

It comes after the Mirai botnet attack caused disruption around the globe, while various IoT products ranging from children's toys to industrial control systems have been found to be vulnerable to hackers after being released with cyber security seemingly an afterthought.

In an effort to boost the security of IoT products, a new policy paper by the UK government Department for Culture Media and Sport - written in conjunction with the National Cyber Security Centre - includes guidelines on how manufacturers, industry and government should work together to improve the resilience of connected devices, especially those used by consumers who might not grasp how vulnerabilities can impact on them.

"We are pleased to have worked with DCMS on this vital review, and hope its legacy will be a government 'kitemark' clearly explaining the security promises and effective lifespan of products," said Dr Ian Levy, the NCSC's Technical Director.

"Shoppers should be given high quality information to make choices at the counter. We manage it with fat content of food and this is the start of doing the same for the cyber security of technology products".

However, some in the cyber security industry have warned that the draft proposals are a step in the right direction but don't go far enough.

The 'Secure by Design' policy report advocates moving the burden away from consumers having to secure their internet connected devices and instead ensure strong cyber security is built into consumer IoT products and associated services by design.

See also: What is the IoT? Everything you need to know about the Internet of Things right now

To help industry along, the government has proposed a code of practice for security in IoT products and associated services, with 13 guidelines listed in order of priority from top to bottom with 'No default passwords' detailed as the number one security priority for IoT products.

'All IoT device passwords must be unique and not resettable to any universal factory default value,' said the report.

Some of the other guidelines include how manufacturers must implement a vulnerability disclosure policy by providing a public point of contact for security researchers - and that disclosed vulnerabilities must be acted on 'in a timely manner'.

Other guidelines include how credentials must be securely stored because 'Hardcoded credentials in device software are not acceptable' due to the risk of reverse-engineering and that personal data stored on devices must be protected - especially given upcoming data protection legislation.

"Device manufacturers and IoT service providers must provide consumers with clear and transparent information about how their data is being used, by whom, and for what purposes, for each device and service," said the report.

While the government would prefer "the market to solve this problem" - referring to the industry around the production of IoT devices, it also warns that if this doesn't happen, it will "look to make these guidelines compulsory through law".

See also: Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse

The Department for Culture, Media and Sport notes that the Code of Practice is a draft which is "intended to stimulate further dialogue with industry, international partners, academic institutions and civil society".

Industry has cautiously welcomed the paper, but some in the security sector aren't convinced it goes far enough.

"'Security by Design' sounds nice however the truth is business is about being first to market and when it comes to technology, and the sad reality is putting security before functionality and performance never leads to being market-first," said Ralph Echemendia, ethical hacker and CEO of security firm Seguru.

He says user education still needs to be a priority in order to keep consumers safe. "There's no doubt that IoT devices need to secure by design but it's also about educating consumers on how to use these devices safely".

See also: Sensor'd enterprise: IoT, ML, and big data (ZDNet special report) | Download the report as a PDF (TechRepublic)

Others in the security industry are concerned that as long as the guidelines remain as suggestions rather than enforced, that IoT manufacturers will continue to view security as an annoyance, rather than a fundamental part of design.

"If we've learnt anything from countless attacks on smart devices in recent years, it's that manufacturers have been rushing to get the latest devices to market without properly considering the security implications," said Richard Parris, CEO of security firm Intercede

"Given these are voluntary guidelines I'm not optimistic that they will be followed by manufacturers around the world".

ENISA, the European Union's cybersecurity agency, is also working towards legislation around securing the Internet of Things,while the US government is also looking to regulate IoT in an effort to protect against hackers and cyber attacks.

Read More on Cyber Security

Editorial standards