The IoT Alliance Australia (IoTAA) is against mandating security for consumer IoT devices. The UK plans to do just that, with good reason.
In November I reported that Australia’s Home Affairs minister, Peter Dutton, had released a for-comment draft of a code of practice that closely follows a voluntary code introduced by the UK Government in October 2018. The draft also aligned with ETSI TS 103 645 – Cyber Security for Consumer Internet of Things, which underpins the UK code.
Submissions to the Australian draft code Securing the Internet of Things for Consumers closed on 1 March. They have not been made public. However, development of the code is closely tied to the development of the 2020 Cyber Security Strategy, for which the Government says: “We would now like to hear your views on the Internet-of-Things (IoT) Code of Practice.”
Public submissions for that project are available.
Separately IoTAA has published its submission to the draft consumer IoT code in which it cautions against mandating security requirements for consumer IoT devices.
Meanwhile the UK is looking to move beyond its voluntary code and mandate security requirements for consumer IoT devices.
Decisive action needed
Last year the UK Government initiated a consultation on regulatory proposals for consumer IoT security, which concluded on 5 June 2019. Its response to that consultation was submitted to Parliament in January. In it the Minister for Digital and Broadband, Matt Warman, said:
“Whilst the UK Government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cyber security is built into these products by design. Citizens’ privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers.”
In short, the voluntary code of conduct is not working.
Warman said the regulatory proposals set out in the consultation advocated mandating the most important security requirements in the guidelines and the ETSI Technical Specification (TS) 103 645. He listed these as:
– IoT device passwords must be unique and not resettable to any universal factory setting;
– Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy;
– Manufacturers of IoT products explicitly state the minimum length of time for which the device will receive security updates.
These requirements are mirrored in the proposed, voluntary Australian guidelines.
- IoT device (and associated backend/cloud account) passwords should be unique, unpredictable, complex and unfeasible to guess, and not resettable to any factory default value that is common to multiple devices.
- IoT device manufacturers, IoT service providers and mobile application developers should provide a public point of contact as part of a vulnerability disclosure policy in order for security researchers and others to report issues.
- Software (including firmware) on IoT devices, including third party and open source software, as well as associated web services, should be securely updateable. Updates should be timely and not impact the device’s functionality. … The device should verify that updates are from a trusted source, eg via use of a trusted digital signature. Updates should be distributed via secure IT infrastructure to mitigate the trusted source being compromised.
Legislation will always lag
There has been no suggestion from the Australian Government that these requirements be mandated, but IoTAA has anticipated this possibility. In its submission it argues against mandating security requirements for consumer IoT devices, saying:
“While there are moves in the United States and the United Kingdom to introduce accreditation schemes into law, we do not recommend mandating schemes through legislation because technology, and especially its security, is a rapidly moving landscape. Before standards are set, let alone legislated, the technology has moved and those with malicious intent have discovered other vectors of attack, thereby rendering the standards and associated legislation redundant.”
Instead, IoTAA advocates an industry-led voluntary certification and labelling scheme, saying this can best be achieved through the creation of a Security Trust Mark (STM) scheme that would “send a strong signal to vendors of IoT products and services to build in security into their products and practices, and to advertise their security compliance as a competitive advantage.”
Well, there is nothing in the UK’s principles of legislation that should handicap manufacturers from keeping abreast of technology, except perhaps requirement number three.
“Manufacturers of IoT products explicitly state the minimum length of time for which the device will receive security updates.”
Upgradability means vulnerability
IoTAA says of this:
“Any device capable of accepting either a software or firmware update remotely has an increased attack surface. This then requires appropriate levels of security to prevent rogue actors updating the device or solution, thus adding complexity and cost.”
However, the draft voluntary principles state:
“The device should verify that updates are from a trusted source, eg via use of a trusted digital signature. Updates should be distributed via secure IT infrastructure to mitigate the trusted source being compromised.”
The risk of a compromise through the upgrade process is surely lower than the risk from software that must sit unchanged for years. Vulnerabilities are frequently discovered in software and must be patched to prevent them from being exploited.
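The update requirement quoted above (the device verifies that an update comes from a trusted source via a trusted digital signature) and the IoTAA objection that remote updates enlarge the attack surface both turn on how the device-side check is done. The following is an added illustration, not code from the draft code, ETSI TS 103 645 or IoTAA; the manifest layout, the function names and the Ed25519 choice are assumptions, and the firmware bytes are constructed. It shows that the verification that mitigates the "rogue actor updating the device" risk is small: the device pins one vendor public key, checks the signature over a manifest, checks that the image matches the manifest's hash, and refuses downgrades so an attacker cannot push a signed but older, vulnerable image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the signed description of an update (assumed layout):
// a monotonically increasing version and the SHA-256 of the image.
type Manifest struct {
	Version   uint32
	ImageHash [32]byte
}

// Bytes gives the canonical encoding that is signed and verified.
func (m Manifest) Bytes() []byte {
	b := make([]byte, 4+32)
	binary.BigEndian.PutUint32(b[:4], m.Version)
	copy(b[4:], m.ImageHash[:])
	return b
}

// SignedUpdate is what the update server distributes to devices.
type SignedUpdate struct {
	Manifest  Manifest
	Signature []byte
	Image     []byte
}

// NewVendorKey generates the vendor's signing key pair. On a real
// device only the public half is present, pinned in ROM or OTP.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate runs on the vendor's build infrastructure: it hashes the
// image, builds the manifest and signs only the manifest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) SignedUpdate {
	m := Manifest{Version: version, ImageHash: sha256.Sum256(image)}
	return SignedUpdate{Manifest: m, Signature: ed25519.Sign(priv, m.Bytes()), Image: image}
}

var (
	ErrBadSignature  = errors.New("update rejected: signature does not verify under the pinned vendor key")
	ErrImageMismatch = errors.New("update rejected: image hash does not match the signed manifest")
	ErrRollback      = errors.New("update rejected: version is not newer than the installed version")
)

// VerifyUpdate runs on the device before anything is written to flash.
// Order matters: the signature is checked first so that no unauthenticated
// field (version, hash) influences any decision.
func VerifyUpdate(trusted ed25519.PublicKey, installedVersion uint32, u SignedUpdate) error {
	if !ed25519.Verify(trusted, u.Manifest.Bytes(), u.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(u.Image) != u.Manifest.ImageHash {
		return ErrImageMismatch
	}
	if u.Manifest.Version <= installedVersion {
		return ErrRollback // anti-rollback: a signed old image is still refused
	}
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	good := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	fmt.Println("genuine v2 over installed v1:", VerifyUpdate(pub, 1, good))

	tampered := good
	tampered.Image = []byte("constructed image swapped in transit")
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, tampered))

	fmt.Println("replay of v2 onto a device already at v2:", VerifyUpdate(pub, 2, good))
}
```

The device never needs the private key, so a compromised device leaks nothing that lets an attacker sign for other devices; protecting the signing key on the vendor's infrastructure is the remaining obligation, which is exactly what the principle's "distributed via secure IT infrastructure" clause addresses.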
Limited non-legislative levers
A trust mark is all very well in theory, but there will always be a level of ignorance in the population, and there will always be people who buy on price rather than performance.
When it launched its consultation last May, the UK Government said in its Mandating Security Requirements For Consumer ‘IoT’ Products document:
“Relying on industry to self-regulate and voluntarily address the problem has not worked, with key disincentives for industry centred around cost of amending product lines across the supply chain. Moreover, companies who try investing resource into ensuring their products are secure can end up losing competitive advantage over their rivals. … The Code encourages manufacturers to act responsibly by embedding good practice security requirements into their products …. However, with the Code being voluntary and there being no coherent legislation in place, there are only limited soft levers that Government can use to incentivise manufacturers and retailers to take action (e.g. voluntary pledging and voluntary labelling schemes).”
The Australian Government is presently in catch-up mode on initiatives to secure consumer IoT devices. Consultations on our draft code have just closed.
The UK has had its voluntary code in place since October 2018. It does not appear to be solving the problem of insecure consumer IoT devices. Perhaps Australia should take note and move straight to drafting appropriate legislation.