Law prohibits universal default passwords. Bug reporting channel, update plan required
Matthew J. Schwartz (euro infosec)
April 29, 2024
Want to buy an Internet of Things device in the UK that ships with a default or hard-coded password of “12345”? No longer possible: the UK now prohibits manufacturers from shipping internet- and network-connected devices that do not meet minimum cybersecurity standards.
A grace period for companies to comply with the requirements of the UK's Product Security and Telecommunications Infrastructure Act expires on Monday, after which the government will enforce security standards for a range of IoT products, including smartphones, gaming consoles, wearable fitness trackers and children's toys, as well as internet-connected refrigerators, speakers, baby monitors and more.
The connected-device law follows years of attacks on devices using known or easily guessed passwords, which have been used to launch repeated distributed denial-of-service attacks affecting institutions including the BBC and major UK banks such as Lloyds Bank and the Royal Bank of Scotland.
Officials say the law not only protects consumers but also aims to improve national cyber resilience, including against malware that targets IoT devices, such as Mirai and its spinoffs, which exploit device default passwords.
Western officials have also warned that state hacker groups in China and Russia are exploiting known vulnerabilities in consumer network devices. Earlier this year, U.S. authorities disrupted a Chinese botnet used by a group tracked as Volt Typhoon, in which Chinese threat actors used infected small office and home office routers to hide their hacking activities (see: Here's How the FBI Thwarted China's Massive Hacking Operation).
Kevin Curran, a professor of cyber security at the University of Ulster in Northern Ireland, said: “There is an increasing focus on implementing best practices to protect IoT devices before they leave the factory. That's reassuring.” He added: “Despite their supposed simplicity, these devices have unforeseen power to wreak havoc if left unpatched or poorly managed.”
Kevin Curran, a professor of cyber security at the University of Ulster in Northern Ireland, said: “There is an increasing focus on implementing best practices to protect IoT devices before they leave the factory. That's reassuring,” he said. “Despite their supposed simplicity, these devices have unforeseen power to wreak havoc if left unpatched or poorly managed.”
The law requires:
- No universal default passwords: Manufacturers must ship every device with a unique password, whether or not users are able to change it. The initial password must also meet various criteria to ensure that it is not “easy to guess.”
- Vulnerability reporting channels: Manufacturers must publicly designate a point of contact for anyone wishing to report security flaws in the devices they manufacture, and do so in an “accessible, clear and transparent” manner. Manufacturers must also detail “the period of time within which the reporter can expect to receive status updates between acknowledgment of the report and resolution of the reported security issue.”
- Security update periods: Manufacturers must clearly state to consumers the minimum period for which security updates will be provided, and the date on which that period ends.
The UK government said in a statement that it is the first country to require minimum cybersecurity standards for IoT devices. “Security requirements are measures that relevant companies in the supply chain must take, or requirements that products must meet, to address security issues or eliminate potential security vulnerabilities,” the statement says.
The rules apply to all “related manufacturers, importers and distributors of connected products,” and include record-keeping obligations and obligations to investigate potential non-compliance by supply chain partners.
The rules will be enforced by the Office for Product Safety and Standards (OPSS), part of the Department for Business and Trade, which already enforces other product safety regulations.
In the UK, 99% of adults own at least one 'smart' device, with an average of nine different internet or network connected devices in a household.
OPSS chief executive Graham Russell said: “The use and ownership of consumer products that can connect to the internet and networks is rapidly increasing. UK consumers should be able to trust that these products are designed and built with security in mind, protecting them from the growing cyber threats to their connected devices.”
Law replaces self-regulation
Security experts have praised the law, particularly because it requires manufacturers to establish channels for receiving bug reports, backed by the threat of legal action against those that fail to do so.
“We like that it has teeth,” Ken Munro, connected device security expert at Pen Test Partners, told the BBC. On social media, he added that the law is a “huge step in the right direction for IoT,” but “what worries me is the lack of enforcement action” (see: Do Not Hug Stuffed Animals That Are Connected to the Internet).
The government previously sought to strengthen device security through a voluntary IoT cybersecurity code of practice introduced in 2018. However, a government study found that by 2020, only 27% of manufacturers had implemented one of its key principles: giving security researchers a direct channel for reporting vulnerabilities found in the manufacturer's devices.
Following a 2020 consultation on device security, Parliament passed the PSTI Act in 2022, with details of the minimum cybersecurity requirements following in 2023 (see: Consumer IoT Security Labels: The Quest for Transparency Intensifies).
Experts said they expect more consumers to buy devices based on the support period offered by manufacturers.
Sarah Lyons, deputy director of economic and social affairs at the UK's National Cyber Security Centre, said: “This landmark legislation will help consumers make informed decisions about the security of the products they buy.”
The law includes a number of exceptions, often because the device is already subject to existing regulations. These include medical devices, smart meters and electric vehicle charging points, as well as desktop, laptop and tablet computers that cannot connect to cellular networks, unless they are specifically designed for use by children under 14 years of age.
The government also said it plans to introduce legislation that would exempt some cars from the product security regulation regime “as they would be covered by alternative legislation”.