The UK's new telecoms bill will boost IoT security

There were about 1.5 billion IoT cyberattacks globally in just the first six months of 2021, more than double the same period in 2020

Image:
There were about 1.5 billion IoT cyberattacks globally in just the first six months of 2021, more than double the same period in 2020

The legislation will ban manufacturers from selling IoT devices with default passwords

The UK government has introduced new legislation that aims to protect consumer tech from emerging cyber security threats.

The Product Security and Telecommunications Infrastructure (PSTI) Bill applies to all 'connected' gadgets, such as smartphones, smart TVs, smart toys, smart hubs, smart fridges and so on. It is intended to clamp down on the sale of unsecure smart products and Internet of Things (IoT) devices in the UK.

The bill would require all smart product manufacturers, importers and distributors to comply with new security requirements. At present, they must follow standards that prevent them from causing physical harm from issues such as overheating, electric shock or sharp components; but there is no regulation to protect customers from the damage caused by cyber breaches.

"Every day, hackers attempt to break into people's smart devices," said Julia Lopez, minister for media, data and digital infrastructure.

"Most of us assume if a product is for sale, it's safe and secure. Yet many are not, putting too many of us at risk of fraud and theft."

The IoT industry is notoriously lax when it comes to security. Many devices are sold without passwords, or with default passwords that do not need to be changed before the device can be used.

The new bill would ban manufacturers from setting easy-to-guess default passwords on devices. It mandates that all factory-loaded default passwords in new devices, like routers, must be unique and 'not resettable to any universal factory setting'.

Manufacturers will need to be transparent with their customers about disclosing and addressing security bugs in their products. They will also have to create a public reporting system for flaws discovered in their devices.

In addition, businesses will have to declare the minimum amount time for which they will support their products with security updates and patches. If a product will not be patched, that must also be disclosed.

A page out of the GDPR

Companies that fail to comply with the new rules could be issued financial penalties as high as £10 million, or four per cent of their total global revenues. Those who are found guilty of ongoing breaches could face fines of up to £20,000 per day.

The government is planning to designate a new regulator to oversee compliance with the new law when it comes into force. In addition to financial penalties, the regulator will also be able to mandate product recalls or even instruct companies to stop selling certain devices in the UK in cases of noncompliance.

The legislation comes amid a massive rise in the use of IoT devices in the UK and globally. However, cyber attackers on these devices are becoming more common every year.

Earlier this year, consumer protection group Which? published the findings of a study suggesting that smart homes could face more than 12,000 cyber-attacks in a single week.

Hackers who access one vulnerable device can go on to access entire home networks and steal confidential data, thanks in part to lax security.

Way back in 2014, hackers were able to use a compromised heating and air conditioning control unit to steal data from US retailer Target. Three years later, in 2017, a US casino lost data via an attack that began in an internet-connected fish tank.

In 2019, security experts from Unit 42 discovered a new variant of the Mirai IoT malware that was specifically targeting LG TVs and the WePresent wireless presentation system.

IoT attacks are growing, but the new law should at least remove much of the 'low-hanging fruit' in the UK.