The UK government’s attempt to shore up internet-connected devices has been slammed as ‘meaningless’ by technology experts.
Industry experts have branded the new measures, introduced to tackle IoT security concerns, as needing ‘more teeth’. The guidelines include moves to make sure passwords are unique and not resettable to a factory default and that sensitive data transmitted via apps is encrypted.
However, the guidelines are not binding, with industry experts claiming that many ‘irresponsible’ manufacturers would not be stopped by the measures. Ken Munro, an analyst at security firm Pen Test Partners, said: "It’s a good start but misses too much to be of great use. Responsible IoT (internet of things) manufacturers are already addressing security. It’s the irresponsible manufacturers who aren’t interested, don’t care about our security or who refuse security on grounds of cost that we need to worry about."
He added: "Without ‘teeth’, this standard is meaningless. Manufacturers who already play fast and loose with our security to make a quick buck from us won’t change anything."
Other suggestions made in the government guidelines include ensuring device manufacturers have a point of contact so that security researchers can report issues immediately, as well as ensuring automatic software updates. Guidelines on making it easy to delete personal data, as well as simplifying installation and maintenance of devices, are also included.
The government estimates that every household in the UK owns at least 10 internet-connected devices – a figure that is expected to rise to 15 by 2020. Concern over hackers entering the home via smart devices has grown over the last year or two, especially with the rise in popularity of voice-activated assistants.
In January, cyber security experts at F-Secure published a damning report which urged governments to introduce IoT regulations or risk a ‘dystopian future’. The report, entitled Internet of Things: Pinning down the IoT, warns that the Internet of Things represents a considerable threat to consumers due to inadequate regulations regarding security and privacy.
The report points out that the number of connected devices now likely exceeds the human population of Earth; millions of connected devices have already been compromised by the Mirai botnet. The report also says that many consumers aren’t aware of the inherent risks of their connected devices and that manufacturers often rush products to market without considering basic security requirements and settings.
“This situation could create an even more frightening scenario than the UK tabloid newspapers’ ‘phone hacking’ scandal, due to a massive adoption of insecure IoT devices,” the report states.
Principal security researcher at Kaspersky Lab David Emm believes that both consumers and manufacturers need to be aware of security threats to IoT products in order to tackle the problem.
“Unfortunately, if smart devices aren’t secure cybercriminals can take control of them,” Emm said. “Until recently, this seemed like the stuff of sci-fi movies. There are some basic practices that should be followed by everyone, from individual consumers to the largest global enterprises. These include: using strong passwords, regularly checking for and installing software updates, and implementing appropriate security software.
“There is also a role for the manufacturers of connected products and the security industry. We need to work together to ensure that strong protection and patch management is designed-in from the very start. Once a product is on the market, it is already too late.”
He added: “There’s also a role for governments, in developing security standards for IoT devices. We’ve all come to expect that everyday objects – children’s toys to furniture – come with certification marks indicating that they are physically safe. In future, this will have to extend to digital objects and IoT products also.”