What is the UK government’s IoT security law proposal?


The UK’s Digital Minister, Margot James, has proposed new legislation which is designed to tackle the cyber-security threat posed by IoT (Internet of Things) devices and keep users safe.

For some time, IoT security has been a pressing issue. Over the last couple of years, connected devices have shown their vulnerabilities. Most notably, it was discovered that CloudPets and Hasbro’s Furby Connect could both be hacked and used to communicate with the children playing with them, posing a big security risk.

Moreover, as the adoption of IoT devices looks set to soar (it is estimated there will be 14.2 billion connected devices by the end of 2019), it’s never been more important for a robust security framework that protects users’ data privacy to be in place.

What is the new law suggesting?

The proposed legislation would introduce a new labelling system to tell customers how secure an IoT product is. The idea would be that retailers could not sell a product that does not have a label.

To gain a label and enter the market, new IoT devices would have to:

  • Contain unique passwords, which are not resettable to any universal factory setting
  • Clearly state for how long security updates would be made available
  • Provide a public point of contact as part of a vulnerability disclosure policy

These suggestions are in line with a voluntary code of practice for IoT manufacturers that was published in the UK last year.

The new law is currently at the consultation stage until mid-2019, during which industry experts, device manufacturers, retailers, academics and IoT service providers can all advise on what it would need to address and contain to protect the end-user. Whatever the outcome of the consultation, it will set a precedent for how IoT devices are manufactured and secured in the future.