Given that there have been some high-profile instances involving connected toys and cameras, this is welcome news. In a perfect world, users should be educated in the basics of IT security such as changing the default password, but sadly it’s a case of getting a gadget out of the box and set up as fast as possible.
The Government is consulting on a “Secure by Design” initiative which intends for basic cyber security features to be built into products and for consumers to get better information on how secure the devices are.
Much like food packaging or the energy ratings on white goods, the Government is proposing a mandatory labelling scheme that states the security level of the gadget. Only goods with the applicable “IoT” label could be legally sold in the UK.
The consultation proposes three essential requirements for internet-connected gadgets.
- Device passwords must be unique without any standard factory setting
- The minimum duration for which the device will receive security updates must be explicitly stated
- A public point of contact as part of a vulnerability disclosure policy must be given
Point 3 isn’t directly for consumers but rather for security researchers who will be able to directly contact organisations about security issues. All of these points will be a significant deterrent to the “cheap’n’cheerful” IoT gadgets that typically come in from China with zero support.
Overall, this is a very welcome consultation and I would encourage readers to review the proposals and feed back on the options. This is very much about protecting ourselves and our families and reducing the risk of being hacked. For too long, manufacturers have got away with having little responsibility for their devices after they’ve been bought and these ideas address that balance.
If you want to know more on the consultation and comment on the proposals, it’s over here.