What is being asked for is little more than the basics.
A new law has been introduced in the UK to protect consumers from the security risks of IoT devices. Under it, manufacturers will apparently need to comply with the following three requirements.
The first is to make sure that every device has a unique password and cannot be reset to a universal, simple factory password.
The second is to provide a public point of contact so that anyone, such as consumers and not just developers, can report errors. In addition, vulnerabilities must be dealt with in a timely manner when they are reported.
Finally, whether the device is bought online or in a store, the minimum period for which it will receive security updates must be clearly shown at the point of sale.
Digital Minister Matt Warman said in a press release:
According to this data, the British government expects that 75 billion IoT devices will be in use in households around the world by the end of 2025. In addition, these three requirements were determined in consultation with the National Cyber Security Centre (NCSC) and businesses in May last year.
The requirements are not extreme; they can be considered the basics. Even now, some companies that guarantee end-to-end encryption provide no ability to change passwords, or supply default passwords for setup.
Some people may remember the large-scale DDoS attack in 2016. It reportedly began with the Mirai malware infecting billions of unprotected IoT devices. To reduce these security risks, it is very important to eliminate ambiguity around the passwords of IoT devices.
It is also important to force manufacturers to disclose how long security update support will last. Last week, for example, Sonos announced plans to end updates for its early products in May 2020. That is, neither new features nor security patches would be available. But, perhaps because consumer protests poured in, a few days later the company announced its intention to continue support "as much as possible."
The Sonos news is worth watching, considering that, unlike PCs and mobile phones, which are replaced regularly, speakers are something more consumers will keep using over the longer term. The company said it would provide support for at least five years after a product is discontinued, but not many IoT manufacturers disclose this information. In addition, in many cases it is not clear what will happen when the manufacturer goes out of business.
In the United States, the California Senate passed the IoT security act "SB-327", which came into effect on January 1 this year. The bill requires manufacturers to provide "reasonable security features", including banning the use of default passwords. However, some experts have criticized it on this point as vague and inadequate. It has also been pointed out that the security standards of the IoT Cybersecurity Improvement Act of 2017 apply only to government use and do not extend to the private sector. Still, the fact that regulators recognize the security risks of IoT may at least be a good thing.
The UK's regulatory measures for IoT equipment manufacturers can be said to be the minimum approach that all countries should take.