SJUK Exclusive: A growing Internet of Threats?

May 6, 2022

Philip Ingram MBE discusses the Internet of Things and the role legislation can play in ensuring that security standards are met.

The Internet of Things (IoT) revolution has almost infinite capacity to enrich our lives and add value; virtually everything we see today can be connected to the web. The ‘Internet of Things’ was only coined as a concept in 1999, but the issue of security has been its Achilles heel from the very beginning.

What can be considered the ‘Internet of Threats’ has been used to promulgate and execute several large attacks over the years. A botnet of around 145,000 IoT devices (mainly webcams and DVRs) compromised by Mirai malware attacked the KrebsOnSecurity website of security researcher Brian Krebs in September 2016. The Mirai botnet was infamous for launching a vast attack on US and European internet infrastructure, bringing down sites including Twitter, PayPal and Spotify.

A recent Juniper Research report said that the number of IoT devices in 2021 was 46 billion and Statista has claimed that the “average number of connected devices per household in the US in 2020 was 10”; this is similar to the estimated average of nine devices per household in the UK. 

By 2030, Martech Advisor says the number of devices “is expected to jump to 125 billion.” It also states that: “Google Home is expected to have the largest market share with a 48% market share, with Amazon second at 37%.” Statista estimated the value of the IoT connected devices market to be worth a massive $520 billion.

What of security?

With the rapid development of IoT devices, security is often a secondary consideration to utility and price. Considering that the number of connected devices in 2022 was more than two times the size of the world population, and that almost all IoT machines have some security issues, there is a growing problem.

Criminal hacking groups, script kiddies and nation-state-backed advanced persistent threat groups (APTs) are all exploiting the vulnerabilities these often-unsecured endpoints expose when they are connected to a network. According to consumer website Which?, “More than seven million UK households could be vulnerable to hackers.” The concerns arise from households using old broadband routers which have security flaws.

Which? said “its testing of a number of old router models used by internet service providers found two-thirds contained a security flaw that could allow hackers access to the network.” This was at a time when home working was becoming the mandated norm. The UK’s National Cyber Security Centre (NCSC) also revealed that it had dealt with an unprecedented number of cyber incidents over the past year and in the first half of 2021, there were 1.5 billion attempted compromises of Internet of Things (IoT) devices.

That threat potential has not gone unnoticed by the government and at the end of November 2021 a new cyber law to protect people’s personal tech from hackers was introduced. The announcement from the Department for Digital, Culture, Media and Sport said: “Consumers will be better protected from attacks by hackers on their phones, tablets, smart TVs, fitness trackers and other internet-connectable devices thanks to a new world-leading law.”

It includes: “A bill to better protect people’s smartphones, TVs, speakers, toys and other digital devices from hackers and will prevent the sale of consumer connectable products in the UK that do not meet baseline security requirements.”

Government research prior to the introduction of the bill shows that four in five manufacturers of connectable products do not implement appropriate security measures. The penalties are severe and include “plans for fines up to £10 million or up to 4% of global revenue for firms failing to comply.”

“Every day hackers attempt to break into smart devices”

A new law will require manufacturers, importers and distributors of digital tech which connects to the internet, or other products, to make sure they meet tough new cybersecurity standards – with heavy fines for those who fail to comply.

The Product Security and Telecommunications Infrastructure Bill (PSTI) will allow “the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products and create a better public reporting system for vulnerabilities found in those products.”

Minister for Media, Data and Digital Infrastructure, Julia Lopez, said: “Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.

“The ownership and use of connected tech products has increased dramatically in recent years. On average there are nine in every UK household, with forecasts suggesting there could be up to 50 billion worldwide by 2030. People overwhelmingly assume these products are secure, but only one in five manufacturers have appropriate security measures in place for their connectable products.”

The new laws will apply not only to manufacturers, but also to other businesses including both physical shops and online retailers which enable the sale of millions of cheap tech imports into the UK.

Retailers will be forbidden from selling products to UK customers unless they meet the security requirements and will be required to pass important information about security updates on to customers. In discussions at The Security Event 2022 at the NEC in Birmingham, security installers and integrators generally welcomed the new bill and the mandates contained within it, recognising that improved standards, once set and enforced, could only be a good thing.

NCSC Technical Director, Dr Ian Levy, stated: “The requirements this bill introduces, which were developed jointly by DCMS and the NCSC with industry consultation, mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice.”

This article was originally published in the May edition of Security Journal UK.