UK seeks to secure smart home gadgets
Makers of smart home devices are to be encouraged to make their gadgets secure against hack attacks.
The UK has published a voluntary code of practice for manufacturers that shows how they can proof their creations against common attacks.
It aims to stop gadgets being hijacked and used to mount cyber-attacks - and stamp out designs that let cyber-thieves steal data.
Two companies, HP and Hive Centrica, have already agreed to follow the code.
Forward steps
The government initiative is aimed at makers of small smart gadgets for the home, such as web-connected doorbells, cameras, toys and burglar alarms - the so-called internet of things (IoT).
An increasing number of cyber-attacks exploit poor security on these gadgets.
The detailed code was drawn up by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre. It includes 13 separate steps manufacturers can take to produce more secure products.
The steps include:
- securely storing customer data
- regularly updating software
- requiring users to choose stronger passwords
- making it easier for users to delete data and re-set a device
- setting up a vulnerability disclosure policy
"Cyber-crime has become an industry and IoT 'endpoint' devices increasingly constitute the front line of cyber-security," said George Brasher, HP UK managing director.
Computer security expert Ken Munro, who has exposed shortcomings in many IoT products, welcomed the code as a "big step forward".
Mr Munro contrasted it with recently introduced Californian regulations that put legal security requirements on manufacturers. The Californian code comes into force in 2020.
The UK's approach was more detailed and addressed more of the supply chain involved in the production of smart gadgets, he said.
However, Mr Munro said he still had a "wish list" of steps the UK could take to ensure gadgets were as safe as possible.
Consumers should be able to return unsafe gadgets easily, he said, and retailers should commit not to sell any device found to be vulnerable to attack.
The government should also draft laws that required companies to tighten up IoT security, he said.
"It would also be reasonable to let the DCMS guidance 'bed in' with manufacturers," Mr Munro said.
"If they don't start to change behaviour, then that would be the time for regulation."