No Teeth in UK Internet of Things Security Report

The UK government released a draft report calling for a “fundamental shift” in the approach to securing Internet of Things devices. One prominent UK security researcher is unimpressed, however, calling the effort toothless.

The government of the United Kingdom is promoting security standards for The Internet of Things, saying that a “fundamental shift” is needed to address the security risks posed by insecure, connected consumer devices. But one prominent security expert said the report lacks teeth to force change.

The UK Department for Digital, Culture, Media & Sport released its Secure by Design report on Wednesday (PDF) calling for joint government and industry action “as a matter of urgency.” It argues for a “fundamental shift” in the burden of securing connected devices from consumers to the manufacturers of those devices.

“There is a need to move away from placing the burden on consumers to securely configure their devices and instead ensure that strong security is built in by design,” the report reads.

The document is the UK government’s strongest effort to date to insert itself into the conversation about the security of connected consumer and industrial devices. The government said it was motivated by concern for the online privacy and security of individuals, and by concern about the threat posed by distributed denial of service (DDoS) attacks in the wider UK economy.

Furby Connect
Furby Connect – just one of many insecure, connected toys sold to the public. The UK government is proposing to shift more responsibility to manufacturers.

“When security flaws of devices in the home are exploited, compromised services can cause significant problems,” the report argues. “A device with a microphone or camera could be used to record individuals within their home, or information about their daily routine could be used without their knowledge, to exploit, harass or

But one noted UK security researcher said the report was more publicity than anything else.

“I think this is a huge missed opportunity to have involvement from government. And what governments do well is regulation and legislation and I think the opportunity’s been missed,” said Ken Munro of the firm Pen Test Partners, which researches the security of embedded devices including connected toys, ships and more.

Munro, who is involved in the IOT Security Foundation, which helped draft the report, blames a “lack of ambition and a lack of understanding” on the part of the UK government, along with an aversion to government regulation of the market.

“They want a relatively light touch with market regulation and hope the market will sort itself out. But I think in this particular case, because of the multi national nature of the supply chain for IoT, regulation was required,” Munro said.

[You might also want to read NIST Floats Internet of Things Security Standards]

The UK report proposes a draft Code of Practice for manufacturers of consumer IoT products and associated services with 13 steps to improve the cyber security of consumer IoT. They range from eliminating default passwords to establishing a vulnerability disclosure program, securely storing sensitive data, allowing remote updating of the device and allowing users to easily delete their data from connected devices.

But Munro said such suggestions are hardly new, and that the UK standard is mostly a condensed version of other, already published standards.  “We have loads of standards. We have GSMA (GSM Association) standards, IAMTheCavalry, the US FDA has published standards,” Munro said. “What we don’t have is enforcement.”

Munro, who investigates security weaknesses in smart, connected products, has been a frequent critic of industry. He notes that marketing language such as toys that are sold as “Internet safe” and secure is meaningless, because there is no independent standard against which consumer can measure such claims.

Munro thinks efforts like a pending bill in the U.S. Senate to set requirements on the government’s purchase of connected products offer probably the best hope in the near term. “The one thing government can control is the government,” he said. Having such a huge consumer of technology set a high standard for security would influence the rest of the industry. The UK government report won’t accomplish that.

“If anything, we have a false perception in the market that its being fixed, and its not,” he said. “It looks as if the government is doing good things, but nothing’s changed.”

Comments are closed.