IoT Kit Providers Face Fines for Poor Security
The British government has introduced legislation that will outlaw weak security in connected devices – the so-called Internet of Things or IoT. Although aimed only at consumer-device suppliers, the new rules strive to prevent cyber attacks on networks and critical national infrastructure, by making it more difficult for attackers to use connected devices to circumvent security measures elsewhere.
The Product Security and Telecommunications Infrastructure Bill was introduced to Parliament on 24 November. Among its key proposals are a ban on products being sold with easy-to-guess default passwords; mandating that companies disclose vulnerabilities in products once they are discovered; and letting buyers know at the point of purchase how long security updates for the device will be available.
Companies found to be in breach of the new law face fines of either 4% of global annual revenue or £10 million (€11.83 million), whichever is greater, plus a further £20,000 per day for ongoing failure to address the problem. Companies will be subject to mandatory product recalls, or bans on the sale and supply of affected equipment, should they fail to meet the bill’s required standards.
The bill will apply to manufacturers, importers and distributors of connected devices. Retailers will be prevented from selling devices that do not comply with the regulations. Although the bill will apply to almost any technology capable of accessing the internet, certain devices are exempt, including vehicles, smart meters and medical equipment. Second-hand devices will also be exempt. The provisions of the bill would begin to apply 12 months after it receives Royal Assent.
These measures have been developed following consultation and the publication of a code of practice for IoT security in 2018, and reflect a European standard published last year. Input has come from industry, academia and the National Cyber Security Centre (NCSC), and the measures adopt the UK government’s preferred position of “secure by design”. Although the technology targeted by the bill includes only those devices classified as a “consumer connectable product”, suppliers of consumer equipment for specialist use will have to comply.
According to figures supplied by the Department for Digital, Culture, Media and Sport (DCMS), there were 1.5 billion attempted compromises of IoT devices in the first half of 2021 – double the figure for 2020. IoT devices often provide easy access to otherwise secure networks. DCMS says only one in five manufacturers presently “embed basic security requirements in consumer connectable products”, and that, on average, there are nine connected devices in every UK household.
The bill “[…] will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security,” said Dr Ian Levy, NCSC’s Technical Director. “The requirements this bill introduces – which were developed jointly by DCMS and the NCSC, with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice.”