The Government states
Options that the Government will be consulting on include a mandatory new labelling scheme. The label would tell consumers how secure their products such as ‘smart’ TVs, toys and appliances are. The move means that retailers will only be able to sell products with an Internet of Things (IoT) security label.
The Government will be consulting on options including a mandatory new labelling scheme. The label would tell consumers how secure their products such as ‘smart’ TVs, toys and appliances are. The move means retailers will only be able to sell items with an Internet of Things (IoT) security label.
The consultation focuses on mandating the top three security requirements that are set out in the current ‘Secure by Design’ code of practice. These include that:
- IoT device passwords must be unique and not resettable to any universal factory setting.
- Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.
- Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.
Following the consultation, the security label will initially be launched as a voluntary scheme to help consumers identify products that have basic security features and those that don’t.The Consultation Document states
As the technological advances of the 21st century continue to accelerate, consumers are bringing more and more ‘smart’ devices (i.e. consumer IoT products) into their homes, such as smart TVs, internet connected toys, smart speakers and smart washing machines. The Internet of Things (IoT, also known as ‘internet-connected’ or ‘smart’ products) is already being used across a range of industries and it is delivering significant benefits to the lives of its users.
In the future, we expect an ever increasing number of more developed consumer Internet of Things products and services. These devices will be able to anticipate and meet their users’ needs and will be able to tailor information specifically to them across everything from home energy to security. This will offer users the opportunity to live more fulfilling lives; saving time, effort and money.
As with all new technologies, there are risks. Right now, there are a large number of consumer IoT devices sold to consumers that lack even basic cyber security provisions. This situation is untenable. Often these vulnerable devices become the weakest point in an individual’s network, and can undermine a user’s privacy and personal safety. Compromised devices at scale can also pose a risk for the wider economy through distributed denial of service (DDOS) attacks such as Mirai Botnet in October 2016.
The UK Government takes the issue of consumer IoT security very seriously. We recognise the urgent need to move the expectation away from consumers securing their own devices and instead ensure that strong cyber security is built into these products by design.
We have previously stated our preferred an approach whereby industry self-regulate to address these issues, but that we would consider regulation where necessary. In October 2018 we published a Code of Practice for IoT Security, alongside accompanying guidance, to help industry implement good security practices for consumer IoT.
Despite providing industry with these tools to help address these issues, we continue to see significant shortcomings in many products on the market.
We recognise that security is an important consideration for consumers. A recent survey of 6,482 consumers has shown that when purchasing a new consumer IoT product, ‘security’ is the third most important information category (higher than privacy or design) and among those who didn’t rank ‘security’ as a top-four consideration, 72% said that they expected security to already be built into devices that were already on the market1. It’s clear that there is currently a lack of transparency between what consumers think they are buying and what they are actually buying.
Our ambition is therefore to restore transparency within the market, and to ensure manufacturers are clear and transparent with consumers by sharing important information about the cyber security of a device, meaning users can make more informed purchasing decisions.
Having worked with stakeholders, experts and the National Cyber Security Centre (NCSC), we are now consulting on proposals for new mandatory industry requirements to ensure consumer smart devices adhere to a basic level of security. The proposals set out in this document seek to better protect consumers’ privacy and online security which can be put at risk by insecure devices.
We are mindful of the risk of dampening innovation and applying a strong burden on manufacturers of all shapes and sizes. This is why we have worked to define what baseline security looks like, in line with the ‘top three’ guidelines of the Code of Practice. Our ambition is for the following security requirements to be made mandatory in the UK. These are:
- All IoT device passwords shall be unique and shall not be resettable to any universal factory default value
- The manufacturer shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues
- Manufacturers will explicitly state the minimum length of time for which the product will receive security updates.
Meeting these practical and implementable measures would protect consumers from the most significant risks (such as the Mirai attack in 2016). This would also restore transparency in the sector and allow consumers to identify products that will meet their needs over the lifespan of the product. In addition, mandating vulnerability disclosure policies will enable an effective feedback mechanism to operate, between the security research community and manufacturers.
One of the core aims of the consultation is to listen to feedback on the various implementation options we have developed in partnership with industry and stakeholders. These include the following three options:
● Option A: Mandate retailers to only sell consumer IoT products that have the IoT security label, with manufacturers to self declare and implement a security label on their consumer IoT products
● Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines, with the burden on manufacturers to self declare that their consumer IoT products adhere to the top three guidelines of the Code of Practice for IoT Security and the ETSI TS 103 645
● Option C: Mandate that retailers only sell consumer IoT products with a label that evidences compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self declare and to ensure that the label is on the appropriate packaging
Later this year, the security label will initially be run on a voluntary basis until regulation comes into force and the government will make a decision on which measures to take forward into legislation following analysis of the responses received through this consultation. We recognise that any regulation will need to mature over time, and additional information for this approach is within the consultation stage impact assessment ‘mandating security requirements for consumer IoT products’
