DCMS consults on Internet of Things security

May 1, 2019

The Department for Digital, Culture, Media and Sport is consulting on regulatory proposals regarding consumer IoT security. The consultation ends on 5 June 2019. The proposals seek to better protect consumers’ privacy and online security, which can be put at risk by insecure devices. Often, vulnerable devices become the weakest point in an individual’s network and can undermine a user’s privacy and personal safety. Compromised devices at scale can also pose a risk to the wider economy through distributed denial of service attacks, such as the Mirai botnet attack in October 2016.

Among the options is a mandatory new labelling scheme. The label would give consumers information about how secure products such as ‘smart’ TVs, toys and appliances are. The proposal would mean that retailers would only be able to sell products with an IoT security label.

The consultation follows the Government’s voluntary Secure by Design Code of Practice for consumer IoT security launched in 2018. The Code advocates for stronger cyber security measures to be built into smart products at the design stage, and according to the government, has already been backed by Centrica Hive, HP Inc Geo and, more recently, Panasonic.

The consultation focuses on making the top three security requirements that are set out in the Secure by Design code of practice mandatory. These include that:

  • IoT device passwords must be unique and not resettable to any universal factory setting;
  • Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy; and
  • Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.

The security label will initially be launched as a voluntary scheme to help consumers identify products that have basic security features and those that do not. An alternative option to the label would be to require retailers not to sell any products that do not comply with the top three security requirements of the Code.

The consultation also touches on work with international partners with the aim of ensuring that the guidelines drive a consistent approach to IoT security. The proposals set out in the consultation have the potential to affect security of devices made across the world to meet the UK’s future standards.

A consumer survey report has been released alongside the consultation. It tested various label designs with 6,482 UK consumers to help create a labelling scheme that was backed by evidence, as part of a wider evidence-based approach to creating regulatory proposals for consumer IoT products.