The UK Code of Practice for Consumer IoT Security

Alexis Duque
Rtone IoT Security
Nov 30, 2018

The Internet of Things (IoT) has a poor reputation when it comes to security. Manufacturers and IoT service providers often do not implement appropriate security measures. Businesses and consumers are not aware of the security concerns and typically do not change default passwords or update the pre-installed software. To improve the situation, the UK Government released in mid-October a code of practice to bring security to consumer IoT products.

IoT security is too easy to ignore. What could happen with these IoT devices if they are not properly secured?

U.K. Code of Practice

The UK Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) have published new recommendations in a 24-page document to fight the insecurity of consumer IoT products. The report, Code of Practice for Consumer IoT Security, is also relevant to industrial and business IoT security. The document's focus is on delivering IoT products that embed security by design rather than patching it in as an afterthought.

IoT products deliver a range of technologies that have become increasingly common in businesses, manufacturing and homes, making industry more efficient and safer and people's lives easier. We entrust ever more data to online devices and services, so the cybersecurity of these products is as important as their physical security. The guidelines provided by the DCMS can help all parties ensure that their products are secure by design and stay secure throughout the product's life.

Who is Impacted?

Those who provide products and services supporting IoT are the stakeholders who should commit to following the code of practice. The stakeholders include:

  • IoT device manufacturers — These are organizations that produce the assembled Internet-connected products (hardware and software) which may contain the products of other manufacturers.
  • IoT service providers — These are businesses that provide services that include networks, cloud storage, and data transfer. These may be packaged as part of IoT solutions as well as Internet-connected devices offered as part of the service.
  • Mobile application developers — These are businesses that develop and provide applications which operate on mobile devices. These may be offered as a means of interacting with IoT devices.
  • Retailers — These are the marketers and sellers of Internet-connected products and services.
The Code of Practice. Credit to DCMS.

The 13 Code of Practice Guidelines to Follow

The following guidelines should be verified by the customer when IoT devices are purchased and/or IoT services are subscribed to.

  1. Default passwords — Many IoT devices are being sold with universal default usernames and passwords. The customer is expected to change the password before use. All IoT device passwords shall be unique and not resettable to any universal factory default value.
  2. Vulnerability disclosure policy — Anyone who offers Internet-connected devices and services shall provide a public point of contact as part of a vulnerability disclosure policy. This allows security researchers and others to report issues in a timely manner.
  3. Software updates — Software resident in Internet-connected devices should be securely updateable. Updates should not impair the functioning of the device and should be delivered in a timely manner.
  4. Store credentials and sensitive data securely — Any credentials should be securely stored within IoT services and devices. Hard-coded credentials are not acceptable in device software.
  5. Secure communications — Using open, peer-reviewed Internet security standards is highly recommended.
  6. Limit exposed attack surfaces — Security-sensitive data should be encrypted when communicating, including any remote management and control. All keys should be securely managed.
  7. Software integrity — IoT device software should be verified using secure boot mechanisms. When an unauthorized change is detected, the device should alert operators to the issue. The issue notification should not connect to wider networks than necessary to deliver the alert.
  8. Data protection — IoT device manufacturers and service providers shall provide clear and transparent information about how the organization’s data will be used, by whom, and for what purposes, for all devices and services. This applies to any third parties as well.
  9. Deliver resilient operation — IoT services should continue operating even when there is a loss of network connectivity, and they should recover cleanly when power is restored. IoT devices should return to network operation in a sensible state and in an orderly fashion.
  10. Telemetry data — Usage and measurement data should be monitored for security anomalies.
  11. Data ownership and deletion — Who owns the collected data? IoT devices may change ownership and may be recycled or disposed of. Mechanisms should be provided that allow the consumers (if they’re covered by GDPR or CCPA regulations) and businesses to remain in control and remove data from services, devices and applications.
  12. Easy device installation and maintenance — IoT device installation and maintenance should require few steps and follow security best practices.
  13. Data input validation — Data input through user interfaces and transferred by APIs or between networks in services will be validated.
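As an added example (not from the post, DCMS or the Code of Practice itself), a Python sketch of how a manufacturer's provisioning step could meet guidelines 1 and 4: every device receives a random, unique password at manufacture, only a salted PBKDF2 hash is stored (nothing hard-coded), a factory reset rotates to a fresh unique value instead of restoring a shared default, and an audit check confirms that common universal defaults are rejected. The device IDs and the in-memory credential store are constructed placeholders standing in for a real provisioning database.

```python
"""Per-device credential provisioning for consumer IoT devices.

Demonstrates Code of Practice guideline 1 (no universal default passwords,
no reset to one) and guideline 4 (credentials stored securely, never
hard-coded). Example code added here; the in-memory store and device IDs
are constructed placeholders, not a real manufacturer's system.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed stand-in for the provisioning database: device_id -> (salt, hash).
CREDENTIAL_DB: Dict[str, Tuple[bytes, bytes]] = {}

# Passwords commonly shipped as universal defaults; used only by the audit check.
UNIVERSAL_DEFAULTS = ("admin", "password", "12345", "default")


def _hash_password(password: str, salt: bytes) -> bytes:
    # Stretched, salted hash; the plaintext is never written to the store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def provision_device(device_id: str) -> str:
    """Generate a unique random password for one device at manufacture time.

    The plaintext is returned exactly once (e.g. for the device label) and
    only a per-device salted hash is kept, so no shared default ever exists.
    """
    password = secrets.token_urlsafe(12)  # ~96 bits of CSPRNG entropy
    salt = secrets.token_bytes(16)
    CREDENTIAL_DB[device_id] = (salt, _hash_password(password, salt))
    return password


def verify_password(device_id: str, candidate: str) -> bool:
    """Constant-time comparison against the stored hash for this device."""
    entry = CREDENTIAL_DB.get(device_id)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(stored, _hash_password(candidate, salt))


def factory_reset(device_id: str) -> str:
    """A reset must not restore a universal default: rotate to a new unique one."""
    return provision_device(device_id)


def rejects_universal_defaults(device_id: str) -> bool:
    """Audit check: none of the well-known default passwords may log in."""
    return not any(verify_password(device_id, p) for p in UNIVERSAL_DEFAULTS)
```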

Conclusion

When you select an IoT manufacturer or IoT service, provide a copy of these guidelines to your vendors and providers. Ask them how they respond to the guidelines and which, if any, they do not adopt. Those who do not adopt the guidelines should not be considered appropriate vendors or providers.


Ph.D. VP of Eng @NetAI. Research Associate @ U. Edinburgh #IoT #AI/ML #cybersecurity #sportsci #research 💡🔬️🏊🚴‍♂️🏃