The UK Government has published proposals for legislation that would mandate consumer IoT security features.
Initially the government is proposing three mandatory requirements, but says the list could be expanded over time:
- Device passwords must be unique and not resettable to any universal factory setting;
- Manufacturers must provide a public point of contact so anyone can report a vulnerability;
- Information stating the minimum length of time for which the device will receive security updates must be provided to customers.
These are exactly the requirements listed when the government foreshadowed its plans for legislation in May 2019.
It is calling for feedback on the proposals, which also set out the scope of the rules, what industry will need to do to comply, and an overview of industry guidance to be produced, as well as information on potential powers granted to the enforcement body.
These could include powers to:
- Temporarily ban the supply or sale of the product while tests are undertaken;
- Permanently ban insecure products, if a breach of the regulations is identified;
- Serve a recall notice, compelling manufacturers or retailers to take steps to organise the return of the insecure product from consumers;
- Apply to the court for an order for the confiscation or destruction of a dangerous product;
- Issue a penalty notice imposing a fine directly on a business.
The government says the proposals also aim to future-proof the legislation in an age of rapid technological change and innovation, and it is seeking feedback on these provisions as well.
It has also published a number of supporting documents:
- Supporting research: consumer IoT vulnerabilities;
- Supporting research: evidencing the cost of intervention;
- Supporting research: evidencing the cost of intervention – technical report.
The proposals have been drawn up by the Department for Digital, Culture, Media and Sport (DCMS), supported by the technical expertise of the National Cyber Security Centre (NCSC).
They follow the voluntary code of conduct for consumer IoT device security that the UK introduced in February 2019. DCMS and the NCSC say they also played a vital role in collaborating with ETSI on the development of its recently released standard for the security of smart devices.
Growing momentum for legislation
The UK government’s move adds to growing momentum for mandating the security of consumer IoT devices. In March 2020 the IoT Security Foundation released a report, Consumer IoT: Understanding the Contemporary Use of Vulnerability Disclosure – 2020 Progress Report, that made a strong case for this.
In Australia the government has released a draft voluntary code for consumer IoT security and called for submissions.
It has not made the submissions public, but IoTAA has published its own submission to the draft code, in which it cautioned against mandating security requirements for consumer IoT devices.
However, lawyers at Clayton Utz, writing on the firm’s blog, have suggested that adherence to the voluntary code could be enforced by the ACCC.