New UK Bill Seeks to Secure Personal IoT Devices

New UK Bill Seeks to Secure Personal IoT Devices

As private ownership of IoT devices continues to expand, protecting those devices – and the networks they connect to – is becoming even more essential. To this end, the British government is seeking to introduce a number of reforms intended to strengthen the security of connected devices in the UK.

A New Law Focussed on Securing IoT Devices

The Product Security and Telecommunications Infrastructure (PTSI) bill seeks to establish a number of simple fixes at the manufacturer level. IoT devices are often designed with inadequate security measures, and this legislation would help to mitigate the risks those insecure devices can introduce. 

“While manufacturers of these devices are improving security practices gradually, it is not yet good enough,” said Ian Levy, technical director of the National Cyber Security Centre. “To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now.”

The main provisions proposed in the PSTI include:

  • Banning the use of default passwords: Every IoT device would require its own unique passcode, and must not be resettable to any universal factory setting. 
  • Transparency on firmware updates: At the point of sale, suppliers will be required to inform the purchaser how long their device will be supported with software updates and patches. If there are no plans in place for updates, that too must be disclosed.
  • Clear points of contact: To make it simpler for users to report issues such as bugs, a central point of contact must be made evident.
Westminster, IoT Devices Law, Photo by Oleg Magni

A Good Idea is Worth Copying

In part, the PTSI codifies the Code of Practice for Consumer IoT Security. Introduced in 2018, the Code is a set of guidelines hoping to ensure that devices that process personal data comply with General Data Protection Regulations. Among the suggestions posed in the code were secure credential storage, minimizing access points for bad actors, validating input data via secure APIs.

The guidelines also echo the EU’s recent proposed updates to the Radio Equipment Directive, which seek to establish legal requirements for IoT device manufacturers seeking to operate within the European Union. Covering everything from Smartphones and tablets to fitness trackers and virtual assistants, the proposal would require increased security for network connections, enhanced authentication measures for financial transactions, and stronger defense of personal data.

A Solution For a Modern Issue

Legislators look to institute these changes “as soon as parliamentary time allows,” thanks in part to the increased interest in connected devices in the UK. According to research from Ipsos MORI, nearly half (49%) of UK residents currently own at least one smart device, with a recent Statista report suggesting that UK Homes boast an average of 9 connected devices

With all of those potential entry points, the risk of incursion rises sharply. A recent report from consumer group Which? examined a home filled with IoT devices ranging from TVs to smart security systems. Over the course of a week, they observed more than 12,800 separate scans/hack attempts, with most incursions stemming from weak default usernames.

“Every day, hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft,” said Julia Lopez, Minister for Media, Data and Digital Infrastructure. “Our Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”

Smart Home, Image by Adobe Stock

Securing IoT Devices Made Simple

Fortunately for security-minded IoT developers, connectivity providers like Soracom provide a number of security solutions that should help them maintain their IoT devices. Soracom’s Virtual Private Gateway, for example, allows users to operate their IoT devices over a secure private connection that separates their traffic from the public internet. With VPG, users can also control the IP addresses of an entire fleet of devices, filter or block access, and manage the communication settings between devices.

The solution becomes even more secure when paired with the VPN provided by Soracom Door, or the secure private connection to cloud services like AWS through Soracom Canal. If hardware authentication is a concern, Soracom Endorse utilizes each device’s SIM card to create unique authentication tokens that work across communication networks.

Got a question for Soracom? Whether you’re an existing customer, interested in learning more about our product and services, or want to learn about our Partner program – we’d love to hear from you!