What does the Product Security and Telecommunications Infrastructure bill mean for me?

The UK’s Department for Culture, Media and Sport (DCMS) introduced a bill to Parliament yesterday. But what does that mean for IoT manufacturers and consumers?

First, this bill has been a long time coming. Many people have been lobbying and working hard to create it. Industry and others with vested interests had to be consulted, draft guidance had to be produced and then acceptable wording had to be agreed.

Numerous researchers including us have been exposing and drawing attention to poor smart product security too.

I’ve expressed concern along the way at attempts from industry to water it down, but the bill as it stands is a good first step towards enforcing IoT security.

The 3 key principles

1. No default passwords
2. Vendor MUST have a vulnerability disclosure policy
3. Vendor MUST be transparent about how long the product will receive security updates for

Banning default passwords will help mitigate issues such as the problem with Sky routers we exposed recently.

However, I’m not clear exactly WHAT passwords will be affected. Does this include all interfaces on the device and API? Passwords for hardware interfaces (JTAG, SPI etc.) are presumably covered too?

It will also help mitigate against undocumented backdoors on smart devices.

The vulnerability disclosure point is interesting. What is a vulnerability disclosure programme? We really hope that it’s a thought out process, one that is as much about about culture and communication as it is about getting things fixed.

A page on a web site with an email address that researchers send reports to, never to be seen again?

Is there anything to cover whether the VDP is actually effective?

I do like the security updates point. Knowing how long the product will be supported for is a big plus. It forces manufacturers to consider how long the product will be on the market for, also how long they will intend to support it for. I wrote a post about this creating some perverse incentives though.

This is a good first step.

IoT device security is so much more involved than default passwords, vulnerability disclosure, and security updates. One of the reasons why IoT security has been so poor is the hugely complex nature of the environment. A product is likely to need:

• Hardware and firmware
• RF (Wi-Fi, Bluetooth etc)
• An API
• A cloud platform and hosting
• Sometimes a payment gateway
• A mobile app
• Often a web app

Getting security right on all of the above is a big task with lots of different sets of expertise required. Whilst UK gov and others have provided guidance (e.g. ETSI 303 645 etc) they are not legally enforceable currently.

That’s why this bill is a first step, to my mind. I was a bit uncomfortable supporting it initially, when consulted nearly 3 years ago. It felt a bit ‘light’. However, I’m assured that DCMS and others will push forward with continuous improvement to the legislation. Hence my public support:

• BBC News: UK seeks to secure smart home gadgets
• BBC News: Plan to secure internet of things with new law

Manufacturers are also assured of having 12 months ‘grace’ from implementation of the bill, to get their devices in order. If any are looking for guidance and future proofing their smart devices, they would do well to read the relevant sections of the EU Cyber Security Act which, fortunately, is very likely to be based on ETSI 303 645 😊

And lets keep pushing for the next big step forward in IoT security, after this first big step.

But more than anything, I’m looking forward to flagging up offending products to enforcement authorities once the bill is law. That ‘4% of global turnover’ fine is a big incentive for IoT vendors to do security right. Bring it on!

A note for consumers

If you experience anything odd with your smart devices, or have issues that suggest non-compliance with the coming legislation, do drop me a line.