Following an informal consultation earlier this year – as covered by our previous IoT Update here – the UK’s Department for Digital, Culture, Media and Sport (“DCMS”) published the final version of its Code of Practice for Consumer IoT Security (“Code”) on Oct. 14, 2018. The Code was developed by the DCMS in conjunction with the National Cyber Security Centre, and follows engagement with industry, consumer associations, and academia. Its aim is to provide all organizations involved in developing, manufacturing, and retailing consumer Internet of Things (“IoT”) products with guidelines on how to achieve a “secure by design” approach. Each of the thirteen guidelines is marked as primarily applying to one or more of four categories: device manufacturers, IoT service providers, mobile application developers and/or retailers.
The Code brings together what is widely considered good practice in IoT security. At the moment, participation in the Code is voluntary, but it aims to initiate and facilitate security change throughout the entire supply chain, alongside compliance with applicable data protection laws. The Code is supported by a supplementary mapping document and an open data JSON file, which cross-reference the other main industry standards, recommendations and guidance. Ultimately, the Government’s ambition is for appropriate aspects of the Code to become legally enforceable, and it has commenced a mapping exercise to identify the impact of regulatory intervention and the changes that would be necessary.
The Code highlights the first three Guidelines as quick wins – bringing about the greatest security benefits in the short term – and urges IoT stakeholders to prioritize them. These are:
- Unique passwords: avoid the use of IoT device default passwords (e.g. avoid universal default usernames and passwords, or leaving it up to the consumer to change them);
- Vulnerability disclosure: all IoT device and services suppliers should implement a vulnerability disclosure policy (e.g. provide a public point of contact so that security researchers and others can report issues, which should be acted upon in a timely manner); and
- Secure, updated software: keep software up to date in IoT devices (e.g. regularly issue or install software patches).
While there are no significant substantive changes from the earlier consultation version, the wording of all of the guidelines has been softened: measures that the consultation version imposed as a ‘must’ are now expressed in the lesser form of a ‘shall’ or ‘should’.
The thirteen Guidelines are summarized below:
The Code is again accompanied by additional explanatory notes, which expand on some of the Guidelines. In particular, the note on Guideline 2 discusses Coordinated Vulnerability Disclosure and the security benefits of disclosing vulnerabilities in IoT devices: it puts companies ahead of the threat of malicious exploitation and gives them an opportunity to resolve vulnerabilities in advance of a public disclosure (in both individual and systemic circumstances). The note on Guideline 3 provides additional detail compared with the earlier consultation version, and explains the importance of timely software updates, even where the patching process involves multiple dependencies on other organizations, such as manufacturers of subcomponents.
Leading IoT manufacturers have already signed up to the Code, and the UK Government has encouraged other manufacturers and retailers to do so as well. You can find the full text of the Code on the DCMS website here and a PDF version here. You can find the Code translated into French, German, Japanese, Korean, Mandarin, Portuguese and Spanish here. The DCMS will periodically review the Code and publish updates at least every two years. Our team at Covington will continue to monitor progress and will post on future developments.