The government has launched a new funding round to support security-by-design in connected internet of things (IoT) products, with a total pot of £400,000 on offer to support industry-led assurance schemes and proposals.
Launched today by digital minister Matt Warman, the funding round will seek to further schemes that demonstrate IoT devices have undergone independent testing – such as is currently available through the BSI – or robust and accredited self-assessment. The government said such schemes would be vital in enabling consumers to make security-conscious buying decisions when it came to connected products.
“We are committed to making the UK the safest place to be online and are developing laws to make sure robust security standards for consumer internet-connected products are built in from the start,” said Warman. “This new funding will allow shoppers to be sure the products they are buying have better cyber security and help retailers be confident that they are stocking secure smart products.”
Warman added: “People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cyber criminals.” He cited research that suggests there will be 75 billion internet-connected devices, such as TV sets, cameras, home assistants and associated services, in homes around the world by 2025.
This huge number of – often highly vulnerable and badly designed – products presents an opportunity to cyber criminals that may prove too tempting to pass up, and high-profile incidents occur frequently. They do not always affect cheap, off-brand devices, either – in November 2019, Amazon was in the spotlight after a flaw was found in its Ring Pro connected doorbell devices that left users open to a man-in-the-middle attack.
Meanwhile, the government continues to progress legislation that will bring into law minimum cyber security requirements for smart, connected devices.
Developed alongside the UK’s National Cyber Security Centre, these will be some of the most rigorous IoT laws in the world, and will guarantee, among other things, that device passwords are unique and not resettable to a universal factory setting; that manufacturers have a public point of contact for vulnerability reporting; and that manufacturers state the minimum length of time for which their product will receive updates and security patches.
The legislation is designed to enhance a voluntary Secure by Design code of practice for consumer IoT goods, which the government introduced back in 2018. This code sets a standard for stronger security measures to be designed into IoT products, and is backed by, among others, Centrica Hive, HP Inc, Geo and Panasonic.