Gov Calls for Internet Security to Last the Lifetime of a Product

The UK Government has today published a new policy paper that seeks to improve the security of internet connected devices in our homes (e.g. TVs, toys, smart speakers) by, among other things, calling for “tough new security measures that last the lifetime of the product.” Good luck with that.

The ‘Secure by Design‘ review estimates that every household in the United Kingdom owns at least 10 internet connected devices, which will usually be connected via your home broadband ISP via a wireless (WiFi) router, and this is expected to increase to 15 devices by 2020 (i.e. there may be more than 420 million in use across the country within three years).

However over the past few years many people have found out, often to their peril, that a lot of these devices tend to lack effective security safeguards. The result of such lax security can leave your home network exposed to abuse by hackers or the device may end up being hijacked for use in a malicious botnet (e.g. supporting DDoS attacks).

The threat has already been well illustrated on numerous occasions, such as in 2016 when a number of broadband ISPs (KCOM, Post Office, TalkTalk etc.) found that their routers had been hijacked by malicious software (here and here). The same Mirai worm also infected various other internet connected devices, such as IP cameras.

Margot James, UK Minister for Digital, said:

“We want everyone to benefit from the huge potential of internet-connected devices and it is important they are safe and have a positive impact on people’s lives. We have worked alongside industry to develop a tough new set of rules so strong security measures are built into everyday technology from the moment it is developed.

This will help ensure that we have the right rules and frameworks in place to protect individuals and that the UK continues to be a world-leading, innovation-friendly digital economy.”

Mark Hughes, CEO of BT Security, added:

“BT shares the Government’s ambition to make the UK the safest place to work and do business online. We are proud to have played a key advisory role in the development of the draft Code of Practice, having shared our technical insight with the Government in our capacity as a global network operator, UK broadband provider and as a global provider of cyber security and IoT services.

From the development of the world’s first Cleanfeed filter to block child abuse images, free parental controls for broadband products and devices, to warning or blocking our customers from known malware and phishing sites, BT has been at the forefront of keeping consumers and families safe online for many years.

BT is actively involved in driving standards, interoperability and security across the IoT market and will continue to provide guidance to the Government and industry around best practice for securing internet connected devices.”

Suffice to say that the Government wants to tackle the problem by encouraging a new industry Code of Conduct to improve the cyber security of consumer internet-connected devices and associated services, which is based around 13 requirements (listed in order of importance). The Government said the top three points “should be addressed as a matter of priority.”

13 Points in the Code of Practice

1) No default passwords
All IoT device passwords must be unique and not resettable to any universal factory default value.

2) Implement a vulnerability disclosure policy
All companies that provide internet-connected devices and services must provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner.

3) Keep software updated
All software components in internet-connected devices should be securely updateable. Updates must be timely and not impact on the functioning of the device. An end-of-life policy must be published for end-point devices which explicitly states the minimum length of time for which a device will receive software updates and the reasons why. The need for each update should be made clear to consumers and an update should be easy to implement. For constrained devices that cannot physically be updated, the product should be isolatable and replaceable.

4) Securely store credentials and security-sensitive data
Any credentials must be stored securely within services and on devices. Hard-coded credentials in device software are not acceptable.

5) Communicate securely
Security-sensitive data, including any remote management and control, should be encrypted when transiting the internet, appropriate to the properties of the technology and usage. All keys should be managed securely.

6) Minimise exposed attack surfaces
All devices and services should operate on the “principle of least privilege”; unused ports must be closed, hardware should not unnecessarily expose access, services should not be available if they are not used and code should be minimised to the functionality necessary for the service to operate. Software should run with appropriate privileges, taking account of both security and functionality.

7) Ensure software integrity
Software on IoT devices must be verified using secure boot mechanisms. If an unauthorised change is detected, the device should alert the consumer/administrator to an issue and should not connect to wider networks than those necessary to perform the alerting function.

8) Ensure that personal data is protected
Where devices and/or services process personal data, they should do so in accordance with data protection law. Device manufacturers and IoT service providers must provide consumers with clear and transparent information about how their data is being used, by whom, and for what purposes, for each device and service. This also applies to any third parties that may be involved (including advertisers). Where personal data is processed on the basis of consumers’ consent, this must be validly and lawfully obtained, with those consumers being given the opportunity to withdraw it at any time. Consumers should also be provided with guidance on how to securely set up their device, as well as how they may eventually securely dispose of it.

9) Make systems resilient to outages
Resilience must be built in to IoT services where required by the usage or other relying systems, such that the IoT services remain operating and functional.

10) Monitor system telemetry data
If collected, all telemetry such as usage and measurement data from IoT devices and services should be monitored for security anomalies within it.

11) Make it easy for consumers to delete personal data
Devices and services should be configured such that personal data can easily be removed when there is a transfer of ownership, when the consumer wishes to delete it and/or when the consumer wishes to dispose of the device. Consumers should be given clear instructions on how to delete their personal data.

12) Make installation and maintenance of devices easy
Installation and maintenance of IoT devices should employ minimal steps and should follow security best practice on usability.

13) Validate input data
Data input via user interfaces and transferred via application programming interfaces (APIs) or between networks in services and devices must be validated.

Mercifully point no.3 is a lot more realistic than the opening spin of the government’s press release, which called for “security measures that last the lifetime of the product.” The changing pace of technology, which has become increasingly consumable, means that many bits of tech made today won’t last more than a few years and even if it does then the producer is unlikely to keep updating it until the device physically stops working.

Standards change so quickly in this market and software evolves, which means that the chipsets inside older hardware will almost inevitably hit a wall for future updates at some point. In that sense it’s good to see that the code itself is much more logical and grounded than the initial political expectations suggest.

Nevertheless we suspect that some manufacturers will simply set a short “lifetime” figure to avoid the problem of having to keep their kit updated for many years. Sadly many third-party router manufacturers have become notorious for only supporting their hardware for a year or two after release, which is a huge concern when you consider the importance of your router in the home network environment.

We strongly support these proposals and it’s also good to see the call for an end to devices that ship with a universal default password. We should point out that most broadband ISPs now ship routers with a dynamically generated password that’s different for every device.

However there is a question mark over the effectiveness of a code like this, which appears to be more educational than enforceable in its structure. Perhaps what we need is a new testing regime to help certify that new internet connected devices are able to support such security standards before they hit the shops, although this may be difficult given the complex global trading environment.

The Government said they will be conducting more work in 2018 to further develop these recommendations. This will involve considering how following the Data Protection Bill, the Government can further embed guidelines in the Code of Practice within regulations.