Is the UK government’s new IoT cybersecurity bill fit for purpose?

Security experts find flaws with how the UK plans to secure IoT devices.

Internet of Things (IoT) devices — essentially, electronics like fitness trackers and smart lightbulbs that connect to the internet — are now part of everyday life for most.

However, cybersecurity remains a problem, and according to antivirus provider Kaspersky it’s only getting worse: there were 1.5 billion breaches of IoT devices during the first six months of 2021 alone, almost double the 639 million for all of 2021. This is largely because security has long been an afterthought for the manufacturers of typically inexpensive devices, which continue to ship with guessable or default passwords and insecure third-party components.

In an effort to improve the security credentials of consumer IoT devices, the U.K. government this week introduced the Product Security and Telecommunications Infrastructure (PSTI) bill in Parliament, legislation that requires IoT manufacturers, importers, and distributors to meet certain cybersecurity standards.

The bill outlines three key areas of minimum security standards. The first is a ban on universal default passwords — such as “password” or “admin” — which are often preset in a device’s factory settings and are easily guessable. The second will require manufacturers to provide a public point of contact to make it simpler for anyone to report a security vulnerability. And the third is that IoT manufacturers will have to keep customers informed about the minimum amount of time a product will receive vital security updates.

This new cybersecurity regime will be overseen by an as-yet-undesignated regulator that will have the power to levy GDPR-style penalties: companies that fail to comply with PSTI could be fined £10 million or 4% of their annual revenue, as well as up to £20,000 a day in the case of an ongoing contravention.

On the face of it, the PSTI bill sounds like a step in the right direction, and the ban on default passwords especially has been widely commended by the cybersecurity industry as a “common sense” measure.

“Basic cyber hygiene, such as changing default passwords, can go a long way to improving the security for these types of devices,” Rodolphe Harand, managing director at YesWeHack, tells TechCrunch. “With a new unique password needing to be provided by manufacturers, this will essentially offer an additional layer of protection.”

But others say the measures — particularly the ban on easy-to-guess passwords — haven’t been thought through, and could potentially create new opportunities for threat actors to exploit.

“Stopping default passwords is laudable, but if each device has a private password, then who is responsible for managing this?” said Matt Middleton-Leal, managing director at Qualys. “It’s common for end-users to forget their own passwords, so if the device needed repair, how would the specialist gain access? This is dangerous territory where manufacturers may have to provide super-user accounts or backdoor access.”

Middleton-Leal, along with others in the industry, is also concerned about the PSTI bill’s mandatory product vulnerability disclosure. While sensible in principle, since it ensures security researchers can contact manufacturers privately to warn of flaws and bugs so they can be fixed, there is nothing in the bill that requires bugs to be fixed before they are disclosed.

“If anything, this increases risk when the vulnerability becomes common knowledge, as bad actors then have a red flag to focus their efforts upon and find ways to exploit it,” Middleton-Leal added.

John Goodacre, director of UKRI’s Digital Security by Design, agrees that this mandate is flawed, telling TechCrunch: “The policy accepts that vulnerabilities can still exist in even the best-protected consumer technologies with security researchers regularly identifying security flaws in products. In today’s world, we can only continue to patch these vulnerabilities once they are found, putting a plaster over the wound once damage may have already been done. Further initiatives are needed for the technology to block such wounds from happening at the foundational level.”

The third key area outlined in the bill, which details how long devices will receive security updates, is also under fire amid fears that it could encourage manufacturers to discount prices once a device nears end-of-life, which could incentivize consumers to buy devices that will soon be without security support.

Some believe the U.K. government isn’t acting fast enough. The bill — which does not consider vehicles, smart meters, medical devices, and desktop or laptop computers that connect to the internet — has given IoT manufacturers 12 months to change their working practices, which means that for the next year, many will continue to churn out inexpensive devices that might not adhere to the most basic of security standards.

“Manufacturers will likely continue to regard speed to market as a priority over device security, believing that this is the primary consideration for maintaining profits,” Kim Bromley, a senior cyber threat intelligence analyst at Digital Shadows, tells TechCrunch.

Bromley also believes that the U.K. will struggle to enforce these regulations against manufacturers based in mainland China (PRC). “Some PRC-based manufacturers release products that are cheaper than other products on the market, and therefore users will continue to buy products that may contain security flaws, or at the very least, do not comply with UK legislation,” said Bromley. “The new requirements will also place huge burdens on UK resellers that may use PRC manufactured products on their own; keeping pace with the requirements and changing working practices could prove difficult.”

The solution, however, remains unclear, though cybersecurity experts seem to universally agree that the U.K. government needs to be flexible in its approach to IoT security, and ensure it doesn’t fall into the common trap of looking only at the past and the present, instead of the future.

“Both attackers and, sadly, unscrupulous manufacturers and vendors, are endlessly creative,” says Amanda Finch, CEO of the Chartered Institute of Information Security (CIISec). “There will inevitably be new avenues of attack that circumvent the demands of the bill, and new vulnerabilities created by lazy manufacturers. As such, this bill has to be seen as one step in an endless process of review and refinement, rather than an end in itself.”