UK introduces PSTI bill to protect IoT devices

2021/11/26 Innoverview

The UK has introduced the Product Security and Telecommunications Infrastructure (PSTI) bill which promises to protect IoT devices.

Many “smart” devices fail to live up to their name when it comes to security. As manufacturers seek to keep pace with the demand for IoT devices, security is too often an afterthought.

Julia Lopez, Minister for Media, Data, and Digital Infrastructure, said:

“Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.

Our bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”

Among the anything-but-smart security practices that are commonplace is the use of default passwords.

You don’t have to be a seasoned hacker to reach the login page of someone’s device and log in with a default password, for purposes including stealing company secrets, blackmail, invading privacy, collecting sensitive data, and more.

Seasoned hackers can scan for vulnerable devices and use default passwords to add them to botnets like the infamous Mirai.

Mirai finds potential victims by asynchronously sending TCP SYN probes to pseudo-random IPv4 addresses on telnet TCP ports 23 and 2323. If an IoT device responds, a telnet connection is attempted using predetermined username and password pairs from a list of known default credentials.
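A defender-side view of the scanning pattern described above, as an added example that is not part of the original article: it flags sources that send bare SYNs to many distinct hosts on ports 23 and 2323 within a short window. The flow-record format, the 60-second window and the five-target threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

TELNET_PORTS = {23, 2323}  # the two ports the article says Mirai probes

# Constructed sample flow records (not real traffic): time src dst dport flags
SAMPLE_FLOWS = """\
1000.0 10.0.0.23 198.51.100.7 23 S
1000.4 10.0.0.23 203.0.113.90 2323 S
1001.1 10.0.0.23 192.0.2.14 23 S
1001.9 10.0.0.23 198.51.100.200 23 S
1002.5 10.0.0.23 203.0.113.5 2323 S
1003.0 10.0.0.23 192.0.2.77 23 S
1003.2 10.0.0.5 10.0.0.9 23 S
1010.0 10.0.0.5 10.0.0.9 23 S
1004.0 10.0.0.7 192.0.2.1 443 S
1000.0 10.0.0.8 192.0.2.31 23 S
1400.0 10.0.0.8 192.0.2.32 23 S
1800.0 10.0.0.8 192.0.2.33 23 S
garbage line
"""

def parse_flows(text):
    """Yield (time, src, dst, dport, flags); skip malformed lines."""
    for line in text.splitlines():
        try:
            ts, src, dst, dport, flags = line.split()
            yield float(ts), src, dst, int(dport), flags
        except ValueError:
            continue

def find_telnet_scanners(text, window=60.0, min_targets=5):
    """Return {src: peak distinct hosts sent a bare SYN on a telnet port within
    `window` seconds} for sources reaching `min_targets` (assumed thresholds)."""
    probes = defaultdict(list)
    for ts, src, dst, dport, flags in parse_flows(text):
        if dport in TELNET_PORTS and flags == "S":
            probes[src].append((ts, dst))
    alerts = {}
    for src, events in probes.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide window forward
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts
```

Calling `find_telnet_scanners(SAMPLE_FLOWS)` reports only the device fanning out to many telnet targets; the host that repeatedly reaches one telnet server and the slow, widely spaced source stay below the default thresholds.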

Such botnets harness the unprecedented amounts of widely distributed traffic that IoT devices provide to launch DDoS attacks against services and cause massive damage. One high-profile attack on DNS provider Dyn in October 2016 took several major websites offline, including GitHub, Twitter, Reddit, Netflix, Airbnb, and many others.

The PSTI bill bans the use of default passwords. All devices must come with unique passwords and cannot be resettable to any universal factory setting.

Manufacturers will also be mandated to tell customers at the point of sale, and keep them updated, how long a product will receive vital security updates and patches. If there are no such plans in place, that must also be disclosed.

Another key rule is that a point of contact must be made available to make it easier for security researchers and others to report when they discover flaws and bugs in products.

Enforcement will be conducted by a yet-undetermined regulator that will have the power to fine non-compliant companies up to £10 million or four percent of their global turnover. It will also be able to fine up to £20,000/day for ongoing contraventions.

Any “connectable” product will be subject to the new rules. The only major exemption is for desktop and laptop computers as they are served by a mature antivirus software market.

Dr Ian Levy, Technical Director of the National Cyber Security Centre, commented:

“I am delighted by the introduction of this bill which will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security.

The requirements this bill introduces – which were developed jointly by DCMS and the NCSC with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice.”

However, the bill isn’t without its critics.

Martin Tyley, Head of Cyber at KPMG UK, said:

“With companies currently facing a plethora of cyber risks, the PSTI bill simply adds another task to CISOs’ ever-growing list of to-dos.

Manufacturers are already struggling to stave off threat actors and comply with existing legislation – adding another regulation into the mix will only further overwhelm them. Therefore, I believe that all cyber security regulation and legislation must come with accompanying guidelines and support for the industries expected to comply with them.

Regulators and the UK Government have a view of the cyber threats these organisations face that goes well beyond what any one player in the industry could expect to understand. There is, therefore, a responsibility to explain why it’s coming into effect and how to consider its implications.

We could end up seeing CISOs having no choice but to comply with these new IoT security rules on an individual basis, rather than thinking about their security posture more holistically. This could end up threatening their customer relationships, profit potential and market position if they aren’t well-prepared for the future.

This will be most damaging for smaller organisations who do not have the funds to invest even more into their cyber security function. It is these manufacturers who will miss the mark on product security and privacy and may risk losing market share to competitors who get it right.”

Following the bill achieving Royal Assent, relevant industry players will be given at least 12 months to comply with the new rules.