Mandatory IoT Security in the Offing with U.K. Proposal

The U.K. government has unveiled a proposed law aimed at securing internet of things (IoT) devices, which have historically been riddled with basic security issues.

The drafted law, announced on Monday, comprises three main mandates for IoT manufacturers. First, all consumer IoT device passwords must be unique (and not resettable to universal factory settings). IoT device manufacturers must also provide a public point of contact so that anyone can report a flaw, to be “acted on in a timely manner;” and, manufacturers must also explicitly state the minimum length of time for which devices will receive security updates at the point of sale.

“Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety,” Matt Warman, U.K. Minister for Digital and Broadband, said in a statement. “It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”

The regulation was developed by the Department for Digital, Culture, Media and Sport after an extensive consultation period that kicked off in May 2019, when the U.K. announced it was accepting regulatory proposals for IoT security regulation.

The U.K. government said that it aims to “deliver the legislation as soon as possible.”

Security experts like Ken Munro, partner at Pen Test Partners, applauded the proposed law: “There is clearly broad support for the proposed regulation of consumer smart devices, however without swift legislation this is just another meaningless consultation,” Munro told Threatpost. “The government needs to act now to help protect us from smart device manufacturers who play fast and loose with our privacy, safety and security. I’m supportive of the government’s proposed legislation, so long as it is the first step on a path towards wide-ranging, robust regulation of the internet of things.”

Read More Here

Article Credit: TP