Security news that informs and inspires

UK Government Proposes Secure by Design Guidelines for IoT


The UK government published a Secure by Design report on improving the cybersecurity of consumer Internet of Things (IoT), that is, internet-enabled devices like smart TVs and wearables, urging manufacturers to follow common security guidelines and help protect consumers.

While the growth of IoT markets has created opportunities for UK companies, with the digital sectors contributing £116.5 billion to the overall UK economy in 2016, there is a need to ensure secure practices as the industry grows. And this is a huge market: Gartner forecasts that there may be an estimated 20 billion internet-connected devices worldwide by 2020.

IoT Risks: Threat to Consumers and Global Economy

There is concern about consumer privacy, security, and safety risks associated with IoT, as well as the potential of compromised, networked devices being used to launch large-scale DDoS (distributed denial of service) attacks. There have been a number of examples of this recently, including the Mirai botnet attacks that began in 2016.

How do these attacks happen, and why are they successful? There are several attack vectors that have not been properly addressed by many IoT vendors, manufacturers, and software developers:

  • Common default credentials
  • Poor configuration of devices
  • Manual, or insecure patch/update delivery
  • Vulnerabilities within web or mobile app supporting the IoT product

In the case of Mirai, the malware used a max of 600,000 devices in attacks against cloud computing and internet service/DNS providers, which, in turn, disrupted services worldwide for users accessing Amazon, Netflix, GitHub, Twitter and several other popular websites. While not an actual attempt to “take down the internet,” this incident was reportedly linked to a larger set of attacks against gaming platforms.

According to a research analysis by Cloudflare, Google, Akamai and several universities, the attacks were carried out using small devices like home routers, air-quality monitors and personal surveillance cameras.

New IoT Code of Practice Proposed

The UK government conducted a review to understand the security burden placed on consumers to buy, install, maintain and dispose IoT products, as well as to develop "secure by design" guidelines and to establish incentives and levers to gain traction with the industry.

The review was developed with the help of manufacturers, retailers and the National Cyber Security Centre (NCSC).

While the document acknowledges the guidelines are not a silver bullet, the code is intended to shift security mindsets to invest in a more secure development lifecycle. This new code of practice for IoT manufacturers, IoT service providers, mobile app developers and retailers includes:

  1. No default passwords
  2. Implement a vulnerability disclosure policy
  3. Keep software updated
  4. Secure storage of sensitive data and credentials
  5. Communicate securely
  6. Minimize exposed attack surfaces
  7. Ensure software integrity
  8. Ensure personal data is protected
  9. Make systems resilient to outages
  10. Monitor system telemetry data
  11. Make it easy for consumers to delete personal data
  12. Make device installation and maintenance easy
  13. Validate input data

The government is also looking into providing incentives for the IoT industry to promote security-by-design for vendors, and provide more information about built-in device security for consumers at purchase.

Their strategy includes encouraging companies and developers to build safety features into their products and platforms from the beginning, to ensure connected tech is secure in both the design phase and throughout the lifecycle of a product or service.

The UK government also places importance measuring the effectiveness of security mechanisms - and highlights the difficulty of measuring them in isolation; providing an example of the need to consider the context and full ecosystem of other security measures.

For example, decisions on access permissions for software have to be seen in the context of other security measures that have been put in place, for example multi-factor authentication (MFA) and single sign-on (SSO), and have implications for functionality of the products and services.

This is part of being intentional when building security into a product or application, and understanding how your security products and technology work together, designing them to enhance, not work against, your security posture.