The IoT is predicted to grow to more than 64 billion devices by 2025, and as they become more integrated into our lives, we’re also giving them more access to our personal information.
But IoT’s increasing popularity means cybercriminals are designing attacks to specifically target its vulnerabilities.
Security concerns about IoT continue to grow, and so does the debate around the need for regulation.
IoT devices have access to a treasure trove of personal data, but it is well known these devices have security issues that make them vulnerable, such as weak default passwords and software flaws.
These devices are prime targets for hackers because they handle data about us, our homes and our businesses. They can even allow cybercriminals to enter a network and steal information or cause damage.
The Internet of Things...
The Internet of Things (IoT) is the network of connected devices that can collect and exchange data via an internet connection.
It is made up of billions of smart products that incorporate everyday devices, sensors and systems.
These products range from tiny sensors that track things like calories and humidity, to connected devices that span entire cities.
...and its devices
Security: cameras, doorbells
Energy: smart meters, smart plugs
Entertainment: televisions, games consoles
Appliances: coffee machines, refrigerators, ovens
Smart speakers: voice-controlled devices (eg Google Home, Alexa)
Vehicles: smart cars, charging points
Regulation will play an important role in imposing shared responsibility for IoT security on manufacturers, retailers and consumers. Defined rules and legislation will also help clarify where liability lies – a strong incentive for manufacturers to increase security.
Few IoT devices are currently secure by design, but new laws have been proposed to better protect the data these connected devices handle.
The UK Government released its voluntary Code of Practice for Consumer IoT Security in 2018. It formed part of its Secure by Design report.
It sets out thirteen guidelines for manufacturers, service providers and retailers to ensure IoT devices are secure to use by design:
Do not use default passwords
Implement a vulnerability disclosure policy
Keep software updated
Securely store credentials and sensitive data
Communicate securely
Minimise exposed attack points
Ensure software integrity
Ensure that personal data is protected
Make systems resilient to outages
Monitor system telemetry data
Make it easy for consumers to delete personal data
Make installation and maintenance of devices easy
Validate input data
The Government believes that everyone should benefit from connected technology safely, knowing security and privacy measures are in place.
The Government has also proposed new legislation to introduce a security labelling system. This will show customers how secure an IoT device is at the point of purchase.
To gain a security label, a device must:
Use unique passwords by default.
Clearly state how long security updates will be available.
Offer a public point of contact for cybersecurity vulnerabilities.
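Both the Code of Practice's first and fourth guidelines and the proposed label's first requirement come down to the same provisioning-line behaviour: every device leaves the factory with its own random credential, and the device stores only a salted hash of it. The following is an added example, not code from the Code of Practice, the UK Government or any manufacturer; the device IDs and the short denylist of well-known factory defaults are constructed sample data, and the scrypt parameters are an assumption chosen for illustration rather than a published recommendation.

```python
"""Per-device unique credentials at provisioning time, with hashed storage.

Added example (not from the Code of Practice or any vendor) illustrating
"no default passwords" and "securely store credentials". The denylist and
device identifiers below are constructed sample data.
"""
import hashlib
import hmac
import secrets
import string
from typing import Optional, Tuple

# Constructed denylist: a handful of well-known factory defaults that a
# provisioning line must never emit. Real lists are far longer.
KNOWN_DEFAULTS = {"admin", "password", "12345678", "default", "root"}

ALPHABET = string.ascii_letters + string.digits

# Assumed scrypt cost parameters (about 16 MiB of memory per derivation).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def generate_device_password(length: int = 16) -> str:
    """Draw a random per-device password from the OS CSPRNG, never a shared default."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if candidate.lower() not in KNOWN_DEFAULTS:
            return candidate


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a storable verifier with scrypt, using a fresh random salt per device."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the verifier and compare in constant time to avoid timing leaks."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def provision_device(device_id: str) -> Tuple[str, dict]:
    """Issue one device its own credential.

    Returns the clear-text password once (for the device label or QR code)
    together with the record the firmware actually persists: only the salt
    and hash, never the password itself.
    """
    password = generate_device_password()
    salt, digest = hash_password(password)
    record = {"device_id": device_id, "salt": salt, "hash": digest}
    return password, record


def matches_known_default(record: dict) -> bool:
    """Audit helper: True if the stored verifier accepts any well-known default."""
    return any(
        verify_password(default, record["salt"], record["hash"])
        for default in KNOWN_DEFAULTS
    )


if __name__ == "__main__":
    # Constructed sample batch of device identifiers.
    for dev in ("cam-0001", "cam-0002"):
        label_password, stored = provision_device(dev)
        print(dev, "label:", label_password, "stored hash:", stored["hash"].hex()[:16], "...")
        print("  accepts a known default?", matches_known_default(stored))
```

The point of the split between `provision_device` and the stored record is the fourth guideline: the clear-text password exists only at the moment it is printed onto the device, and a breach of the firmware image or a database of records yields salted scrypt hashes, each different from every other unit's.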
The new law could eventually bar retailers from selling IoT devices without security labels.
Global manufacturers may, therefore, need to ensure their products meet UK standards before they can be sold here.
Industry standards for internet-enabled devices were recently issued by the European Telecommunications Standards Institute (ETSI) Technical Committee on Cyber-Security.
These standards are the first to apply to a range of devices globally and are based on the UK’s Code of Practice.
Some data handled by IoT devices is also covered by the General Data Protection Regulation (GDPR). It emphasises privacy by design and states that personal data must be handled securely. GDPR applies to the personal data of all EU residents.
In 2018, California became the first American state to pass a law aimed specifically at manufacturers and retailers of IoT devices. Under the law, which comes into effect in 2020, every connected device in the state must be equipped with ‘reasonable’ security features, such as a unique password.
Japan recently launched a campaign to test 200 million devices by attempting to access them with default passwords.
Once the campaign is complete, the Japanese government will inform IoT providers of the issues and instruct them to fix the vulnerabilities.
Australia has proposed a certification for IoT devices to meet certain requirements.
The requirements include using non-default passwords, providing software updates to fix vulnerabilities, and not exposing ports to the wider internet.
Legislation to protect IoT devices and the data they hold will help regulate aspects that were originally beyond user control.
But implementing effective regulation comes with many challenges. For regulation to be effective, it needs to be coordinated on an international scale – a process that is both complicated and time-consuming.
Legislation needs to cater for manufacturers, retailers and consumers. It must regulate them, but also educate them about data security at every stage of an IoT device’s lifecycle.
Whether IoT will be managed by government legislation or industry self-regulation remains to be seen – it could even be both.
In the meantime, we must each do all we can to protect ourselves, our data and our devices.
We have created a free ‘Your Guide to the Internet of Things (IoT)’ eBook to help answer the many questions surrounding the subject.
Download your copy now to get up to speed on the IoT.
© The Security Company (International) Limited 2023
Office One, 1 Coldbath Square, London, EC1R 5HL, UK
Company registration No: 3703393
VAT No: 385 8337 51