The U.K. government has, and not before time, many would argue, moved to introduce legislation that will ban the use of dumb passwords in so-called smart devices.
The Product Security and Telecommunications Infrastructure (PSTI) Bill has yet to become law; according to government sources that will happen as soon as parliamentary time allows. This means that we should see the law come into play in 2022.
However, what has happened already is that the legislation has been published, and we now know what the months and years of consultation and industry expertise have brought to bear.
What consumer security protections will the new law introduce?
In effect, the PSTI Bill will provide for three regulatory steps to shore up the security sinkhole as it applies to smart devices:
- Weak, factory-set default passwords will no longer be allowed. Instead, all relevant devices will need to come with unique passwords that cannot be set back to a single, universal, factory default.
- A contact for researchers, hackers, bug bounty hunters and the like to report security vulnerabilities must be published publicly.
- Consumers must be advised of the period for which the device they are buying will receive security updates, and so advised at the point of purchase. If the device cannot receive such updates or patches or won’t get any, that must be declared.
“One of the most commonly used attack vectors is through default passwords, which are easy to guess and preloaded on multiple devices,” George Papamargaritis, a director at Obrela Security Industries, said. “The fact that this new legislation bans default passwords is a huge step forward and it will encourage device manufacturers to consider security before marketing products, otherwise they could face business destroying fines.”
“We’re getting to a place where security by design will be a mandatory requirement and not an afterthought,” Laurie Mercer, a security engineer at HackerOne, said. “This is a significant milestone towards more secure consumer connectable products, and shows the U.K. is leading in creating a safe digital connected society.”
What smart devices will be covered by this new law?
What devices are covered? Well, it’s consumer goods legislation and covers routers, security cameras, games consoles, TVs, smart speakers and assistants, baby monitors, doorbells and, yes, smartphones. It doesn’t cover laptops and desktops, medical devices, cars, or smart meters.
This is a good step forward in that the law will apply to both manufacturers of the devices and those who import and sell them. It will be overseen by a regulator that has yet to be appointed and come with fines of £10 million or 4% of global revenues; ongoing breaches can carry a daily £20,000 penalty. Of course, California already has Senate Bill 327, which requires similar password rules and came into effect on 1 January 2020.
Overall, it’s a good thing, but it has limitations: many smart devices are pretty stupid when it comes to security and have no ability for firmware patching, and the law will only require it to be declared that there are none. Even for those that can be patched, there’s no requirement for this to be automated. Without such automation, most consumers will not bother, and declaring that a device will receive no updates could make it less secure, as threat actors will then know that any exploits they find will go unpatched.
The expert opinion: an interview with David Rogers MBE
I’ve been chatting with David Rogers MBE, the CEO at Copper Horse and chair of the GSM Association (GSMA) Fraud and Security Group. Rogers also sits on the executive board of the Internet of Things Security Foundation. With more than 20 years of experience in embedded device security, David volunteered to draft a set of technical requirements, which ended up as the U.K. Code of Practice for Consumer IoT Security.
“The government always said if they didn’t see improvement to the market situation that they were prepared to legislate and regulate,” Rogers says, “and we’re here now where there is demonstrable market failure.” He points to research by his company that found four out of five IoT device companies didn’t have any way for security researchers to contact them, for example. “That is a truly shocking state of affairs and is really the tip of the iceberg,” Rogers continues, “what does it say about the ability of these companies to secure their own products?”
An important first step
Rogers agrees that the new PSTI Bill is a first step that addresses the top three mandates of the code of practice. “This to me hits the major issues, and if we only resolve those parts, we go a long way to protecting consumers,” he says. But it’s far from the end of the story, and the key message to the industry has to be, Rogers insists, “why wait? What is your excuse? Bad stuff is happening, and it’s IoT manufacturers’ responsibility to be part of the solution, not the problem!”
Rogers admits it’s a difficult challenge because it should be a constantly moving target if you think about product security. If a vulnerability is discovered, it should be addressed and patched if possible. “That’s why it really comes down to that point about how long vendors are providing security updates for,” he says, “and providing that information clearly to consumers and retailers.”
A baseline of security across all electronic devices?
But what about the covered devices, or rather those that aren’t? “Of course, I want to see a baseline of security across all electronic devices,” Rogers continues, “but there are clearly sectoral differences and already existing regulation, particularly in the automotive and medical sectors. They cover safety aspects that go above and beyond where we are here, and it doesn’t seem to make sense to land grab those spaces.”
Rogers also thinks that an impact is being made even before the legislation gets Royal Assent and becomes law. “Interest in conformance schemes for IoT security in the industry has gone through the roof,” he says, “simply with the threat of legislation by a host of countries.” To be fair to the responsible companies out there, Rogers points out that they have been pushing for this too. “GSMA’s excellent IoT security work was underway in 2014, already drawing on existing work from the mobile device space,” he says, “what we’ve seen is an alignment across government, industry and also the hacking community. Everyone knows what the problems are and, crucially, how to fix them. So, let’s do it!”
We can’t look back and fix the past
When it comes to the existing volume of smart devices already in the market, Rogers takes a pragmatic view. “One thing many of us were conscious about was not adding to the already-existing mountain of IoT e-waste or unnecessarily penalizing people who can’t afford expensive products,” he says. “We can’t look back and fix the past,” Rogers concludes, “but we can look forward, and the lifecycle of technology is still very swift. More broadly, it is more about bad practices that we’re seeking to eliminate, and we’re seeing a broad swathe of work that is intolerant to poor and unacceptable engineering practices, whether it be around supply chain security or protecting people’s privacy.”
“This is the start of a huge movement towards a safer online society, but it won’t be changing overnight,” Jake Moore, a cybersecurity specialist at ESET, concludes. “These proposals are exactly what is required to help guide people in the right direction after typical security measures by design haven’t been strong enough to help those who desperately need it.”