show image

NCSC: Retailers should stop selling insecure connected devices

The National Cyber Security Centre has urged retailers to stop stocking internet connected devices which fail to meet new government cyber security guidelines.

In recent months, industry experts have raised concerns about the prospect of smart toys, webcams and connected TVs being used to spy on their owners and enlisted in botnet attacks. The new guidelines, packaged as a voluntary code of conduct, have been designed by a panel of security experts to crack down on these kinds of hacks.

The code outlines a series of measures manufacturers should take to protect their products. Among the thirteen recommendations, it calls for companies to adopt a disclosure vulnerability policy, to stop using default usernames and passwords and to build devices which can be issued with security updates.

While the guidelines are voluntary, NCSC’s technical director, Ian Levy, said it was essential retailers put pressure on manufacturers to adopt them. “We want retailers to only stock internet-connected devices that meet these principles, so that UK consumers can trust that the technology they bring into their homes will be properly supported throughout its lifetime.”

“Legislation will follow”

A spokesperson for the Department for Digital, Culture, Media and Sport told NS Tech that the code would give businesses time to implement the measures before the government legislates in the area. It’s not yet clear when the legislation will be drafted or come into effect.

HP and Centrica Hive are the only companies to have signed up to the scheme so far. “While it’s positive that some large technology companies have already announced their backing of the new code, I suspect that smaller companies may be in less of a hurry to sign up,” said Redscan CTO Andy Kays.

John Sheehy, vice president of strategy at IOActive, added that the code was “a step in the right direction” but that “it’s unlikely that the industry will act upon it, given that it is voluntary.”

“Unfortunately, many manufacturers of these devices are more concerned with getting a minimally viable product to market than whether or not it is secure,” he added. “As a result, many IoT devices expose their owners to significant risks.”

DCMS said that even though the code is voluntary at the moment, it will help organisations to ensure their smart devices comply with the EU’s General Data Protection Regulation. Businesses which fail to do so are liable to fines of up to 4 per cent of their annual global turnover.

“Security by design”

A key aim of the code is to ensure devices abide by the principles of “security by design”, which refers to a software engineering process that puts security at the centre of the service or product under development.

“Today we design our commercial products with security built-in not bolted on, not only designed to protect, but also to detect and self-heal from cyber-attacks,” said HP’s UK managing director George Brasher. “We are delighted to be joining forces with the UK Government in our shared ambition to raise the bar broadly in consumer IoT device security, starting with the connected printers we are all used to at home.”

California has recently passed an information privacy bill that outlaws default passwords such as “admin, admin”. The European Union is also in the process of drafting a new Cybersecurity Act to crackdown on security flaws in internet connected devices. It is expected to be passed into law later this year and will include a grace period for businesses to put the new rules into practice.