In a move that will hopefully improve the cyber security of the myriad smart devices we all use, the government is putting pressure on manufacturers. A recent press release included a draft Code of Practice, which says:
Draft Code of Practice:
- All IoT device passwords must be unique and not resettable to any universal factory default value.
- Companies that provide internet-connected devices and services must have a vulnerability disclosure policy and point of contact.
- Software must be kept updated. This includes the need for updates to be timely and not impact on the functioning of the device.
- Any credentials must be stored securely within services and on devices. Hard-coded credentials in device software are not acceptable.
- Security-sensitive data, including any remote management and control, should be encrypted when transiting the internet, appropriate to the properties of the technology and usage. All keys should be managed securely.
- Ensure software integrity: Software on IoT devices must be verified using secure boot mechanisms. If an unauthorised change is detected, the device should alert the consumer/administrator to an issue and should not connect to wider networks than those necessary to perform the alerting function.
- Ensure that personal data is protected in accordance with data protection law.
- Make systems resilient to outages. Resilience must be built into IoT services where required by the usage or other relying systems, so that the IoT services remain operating and functional.
- Monitor system telemetry data. If collected, all telemetry such as usage and measurement data from IoT devices and services should be monitored for security anomalies within it.
- Make it easy for consumers to delete personal data on devices and products.
- Make installation and maintenance of devices easy.
- Validate input data: Data input via user interfaces and transferred via application programming interfaces (APIs) or between networks in services and devices must be validated.
The government will no doubt want to add these recommendations to the Data Protection Bill, which enshrines the General Data Protection Regulation (GDPR) in UK law.
As we all become increasingly dependent on smart devices, this can only be a welcome move by government. Otherwise, as we disclosed in our post last week, we will all be at risk of identity theft and other online crime.