It’s time to legislate security for consumer IoT devices
Security of the Internet of Things (IoT) — from televisions to refrigerators — is making headlines across the Atlantic, and it should be of great concern here at home. New IoT security legislation is being proposed by the UK government to better secure the hundreds of thousands of devices — beyond just smartphones and laptops — that consumers have connected to the Internet. The proposed legislation has the potential to impact the security of devices made across the world in order to meet the UK’s future standards. That’s important, because as an industry IoT has prioritized new features and functionality over protecting consumers’ security when bringing new products to market. The legislation that is working its way towards law in the UK should be a model for any proposed U.S. legislation on IoT security.
While California’s IoT security law, SB-327, banned default passwords on IoT devices (a practice that exposes consumers to risk), nothing else has really been done to address the IoT industry’s widespread security issues. Manufacturers often still fail to provide software and security updates to devices throughout their products’ complete lifecycles. There are generally no means to report security vulnerabilities when they are found. No proper labeling system exists to inform consumers about the security of their IoT device. All are causes for ongoing concern, as they put consumers at continued risk.
The UK’s proposed legislation mandates that IoT device makers comply with the top three security requirements that are set out in the UK’s recently published ‘Secure by Design’ Code of Practice for Consumer IoT Security. It is very likely that these requirements will be incorporated into a new labeling system that will show consumers the level of security of the connected devices they purchase.
These proposed requirements include:
- IoT device passwords must be unique and not resettable to any universal factory setting
- Manufacturers of IoT products must provide a public point of contact as part of a vulnerability disclosure policy
- Manufacturers must explicitly state, in an end-of-life policy, the minimum length of time for which a device will receive security updates
These requirements should be the foundation of any proposed legislation in the U.S. on the IoT front. Here’s why:
They directly address IoT manufacturers’ existing security weaknesses while shifting responsibility for security to the IoT manufacturer — where it should be — and away from the consumers who currently bear that burden.
The Code of Practice also addresses a very important security best practice — vulnerability disclosure. No software is perfect, and IoT device manufacturers have completely lagged on developing a proper channel to identify and resolve security vulnerabilities in their software throughout the product life-cycle. The Code of Practice specifically recommends that manufacturers and industry stakeholders improve the security of their products by developing a Vulnerability Disclosure Policy (VDP) or another means to report those vulnerabilities.
Establishing a channel to disclose software vulnerabilities in a smart device is a huge step towards increasing consumer IoT security. A VDP essentially provides a means for anyone to contact an organization to report a vulnerability, as well as clear guidelines on how to do so. VDPs are fairly straightforward, easy and cost-effective to implement. The experience of the teenager who found the Apple FaceTime bug earlier this year highlights the importance of having such a policy.
California became a vanguard in the security space last year by passing a law (Senate Bill 327) mandating that any maker of an Internet-connected, or ‘smart’, device ensure the gadget has ‘reasonable’ security features which ‘protects the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.’ Part of what is considered ‘reasonable’ is banning default passwords in connected devices: each device sold in California must come with a password ‘unique to each device.’ The law goes into effect in 2020 but has been criticized for not going far enough. California should also consider adopting the two other requirements from the UK. As opposed to other situations where waiting for a court to determine ‘reasonableness’ may be appropriate, California should not wait here. IoT breaches can be physically dangerous and result in tremendous economic harm.
Conversations are just starting to take place regarding standards for IoT security in the U.S. at the federal level. Lawmakers and witnesses in front of the U.S. Senate Committee on Commerce, Science and Transportation’s Subcommittee on Security recently debated how to make IoT devices safer and more transparent for consumers. Cybersecurity experts stated that federal legislation should require basic security standards, as California’s SB-327 does, and also recommended that the federal government and the private sector collaborate on developing an IoT security certification seal similar to the ‘Energy Star’ label on energy-efficient products. This would be a very good move. In fact, the UK’s proposed labeling system has been well received, with overwhelming public support.
IoT is an area in which the risk of data breaches is so high, and their impact so great, that requiring labels in one state and not the others makes no sense. It is important to have the right security standards mandated by law at the federal level, standardizing security for all consumer IoT devices. This is exactly what the UK is doing. Both the U.S. and the State of California should follow in the UK’s footsteps and not wait for a court to determine what is reasonable for consumer IoT product safety.
Security measures need to be built into smart products right from the get-go, not after the fact, and consumer safety should not be sacrificed in exchange for performance or being first to market.
Deborah Chang is VP of Policy and Business Development at HackerOne, an internet security company.