The ‘Internet of Things’ (IoT) – a rather vague collective term for the random mix of new technology which has now infiltrated our lives. In simple terms, it is the group of devices that are connected to the Internet. From the fridge which tells its owner that the milk is running low, the interrupting virtual digital assistants, to the latest generation of baby monitor which enables you to watch your off spring from the pub. The list and scope of ‘things’ falling in this definition arguably justifies the rather random collective noun. And the rapid growth of this area is predicted to increase exponentially.
Whilst these devices do unquestionably enhance the convenience of our busy lives, there is a worry about the potential invasion to the privacy of homes, the security implications and the unquantifiable levels of data that must be accumulated somewhere.
The UK Department for Digital, Culture, Media and Sport together with the National Cyber Security Centre have developed a Code of Practice for Consumer IoT Security (Code) to implement some controls to protect consumer security around how these devices and technology should operate in homes. Not surprisingly, the Code has identified that a significant number of devices on the market today lack basic security measures.
The Code sets out 13 guidelines, which are aimed at manufacturers and other security stakeholders to improve the security of consumer IoT practices. The guidelines include practical steps and requirements which aim to implement security change throughout the supply chain. The first three guidelines are prioritised as these are envisaged to bring the largest security benefits in the short term. In the top spot is a requirement that all IoT device passwords should be unique and not resettable to any universal factory default setting. Currently most devices rely on the consumer to change the password, which predictably does not always happen, leading to avoidable security issues.
Second, all applicable companies should operate a vulnerability disclosure policy which includes a public point of contact to enable issues to be reported directly. The idea here is to enable the centralised monitoring and collation of security issues that will not only help the individual consumer but in the event of any vulnerabilities in a device that may have widespread implications this information can be shared throughout the industry.
The third guideline requires that the software components of these devices should be securely updatable to enable regular software security updates. Upon purchase the consumer should be informed of the period of software update support and an end of life policy should be published for end-point devices. Software patches should be delivered over a secure channel and the device should be operational during the update.
The remainder of the Code sets out a number of guidelines to help ensure the security of the data stored on the devices, and resilience of the devices to any outages of data networks and power. The Code confirms that all personal data processed on these devices may only be processed in accordance with GDPR and so consumers are given clear and transparent information about how their data is to be used, by whom and for what purpose. Consumers must also be given clear instructions on how they may delete their personal data from a device upon transfer to a third party or on disposal.
Whilst the Code may not be revolutionary nor enable the use of such devices to be risk-free, it does formalise a number of minimum standards which must help to focus the role of manufacturers and other stakeholders in protecting consumer security and data in this fast growing sector.