Blog: Internet Of Things

Security by Design. UK Gov’s first stab at IoT consumer protection isn’t good enough

Ken Munro 07 Mar 2018

Today the Department for Digital, Culture, Media and Sport (DDCMS) published a press release to fanfare their “Security by Design” initiative, which aims to sort out the security shambles which is consumer IoT in the UK.

Sadly, we think the initiative has missed the point. There are already plenty of IoT security standards, including my favourite from the IoT Security Foundation. Through government involvement, there was an opportunity to regulate and legislate in this space, which is what has been missing from all other standards. But the opportunity hasn’t been taken, so it’s just another loose standard.

Here are the key points, gleaned from an early press release, aimed at manufacturers, service providers and developers:

  • All passwords on new devices and products are unique and not resettable to a factory default, such as ‘admin’;
  • They have a vulnerability policy and public point of contact so security researchers and others can report issues immediately and they are quickly acted upon;
  • Sensitive data which is transmitted over apps or products is encrypted;
  • Software is automatically updated and there is clear guidance on updates to customers;
  • It is easy for consumers to delete personal data on devices and products;
  • Installation and maintenance of devices is easy.

So, while manufacturers, retailers and the NCSC may well have been involved, the outcome is a bunch of high-level points that don’t address the big issue- that device manufacturers don’t need guidance: they need an incentive to follow the Security by Design measures, with clear penalties for non-compliance.

Sadly, it changes nothing

Responsible IoT manufacturers are already addressing security. It’s the irresponsible manufacturers who aren’t interested, don’t care about our security or who refuse security on grounds of cost that we need to worry about.

Without ‘teeth’ this standard is meaningless. Manufacturers who already play fast and loose with our security, to make a quick buck from us, won’t change anything.

For example, I’m confident that I could fudge the standard to make My Friend Cayla the swearing doll appear to comply with it. I don’t think it would sufficiently address the issues behind the Mirai IoT botnet that took various social networks down 18 months ago. It doesn’t even appear to cover authentication bypass issues; we’ve found similar on numerous IoT devices from smart thermostats to CCTV to adult toys . That renders the standard pointless, as manufacturers that won’t play ball will simply work around it.

Whilst it’s great to see DDCMS and NCSC making a start on consumer IoT security, this looks to have been released too soon. It’s embryonic and as such can do nothing meaningful or useful.

There are technical holes in the ‘standard’

It states that IoT manufacturers must have a vulnerability disclosure policy. Great. It doesn’t say anything about actually forcing manufacturers to fix issues, which is the bigger problem! We’ve reported loads of IoT security flaws, but rarely is anything actually fixed.

Also, it says that software must be kept updated. For how long? What if the manufacturer cynically end-of-lifes the product in order to avoid maintaining it? That’s happened before and must be considered in the fast-moving retail IoT space.

The first point about unique passwords is so vague as to be pointless. The key point here is about having a source of good randomness (or ‘entropy’) from which to generate passwords. Irresponsible IoT manufacturers can generate unique passwords per device, but they’re easy to predict if they aren’t generated properly. Another option is to load unique keys per device in production, but without randomness, this is again pointless.

Finally, there is no discussion about the mobile devices used to control the IoT product. Mobile apps for IoT commonly have far too many permissions. A great example of this was the Culture Secretary Matt Harwood MP’s recent mobile app, which had way more permissions than it needed for its function. Not exactly Secure by Design!