DCMS

Stepping up action on IoT insecurity – new laws and regulation

David RogersLeave a comment
Minister for Digital and the Creative Industries, Margot James launches the consultation

Time moves quickly in the IoT world. It seems like only five minutes since we launched the Code of Practice on Consumer IoT Security.

The staff in the Secure by Design team at DCMS have been working incredibly hard to move forward on the commitments to explore how to identify to consumers what good looks like when it comes to purchasing a connected product. Alongside this, there have been many discussions on the various different possibilities for regulation.

The Minister for Digital, Margot James has launched a consultation on new laws around the first three items in the Code of Practice – elimination of default passwords, responding to reported vulnerabilities and ensuring that software updates are provided, to a transparent end date for consumers.

The consultation is open until the 5th of June 2019 – views can be emailed to: securebydesign@culture.gov.uk or via post to Department for Digital, Culture, Media and Sport, 4th Floor, 100 Parliament Street, London, SW1A 2BQ.

The consultation states:

“We recognise that security is an important consideration for consumers. A recent survey of 6,482 consumers has shown that when purchasing a new consumer IoT product, ‘security’ is the third most important information category (higher than privacy or design) and among those who didn’t rank ‘security’ as a top-four consideration, 72% said that they expected security to already be built into devices that were already on the market.”

Importantly and one component of what we need to work to solve is this issue:

“It’s clear that there is currently a lack of transparency between what consumers think they are buying and what they are actually buying.”

Identifying products that have been designed with security in mind

As the cartoon below demonstrates – explaining security to consumers is difficult and could confuse and scare people, so a balance needs to be found. What the government is proposing in its consultation is to provide a label that explains some measurable elements about the security design approach of that product.

So how do you go about identifying how secure something is?

The answer is – with great difficulty. Even more so in the modern world, because the security properties of a device and service are not static.

To explain this a bit further – all technology will contain vulnerabilities that are not known about yet. These could be issues that are known types of security vulnerability, but that are buried and haven’t been caught during the design and testing process. When you have thousands, maybe even millions of lines of code, written by multiple people and from different companies, this isn’t unexpected. For every piece of software there will be a certain number of bugs, some of these will be security vulnerabilities and a smaller sub-set of these will be “exploitable” vulnerabilities – i.e. those that an attacker can use to do something useful (from their perspective!) to the system.

So this shows why software updates are critically important – in fact even some of those bugs that are not exploitable could in the future become exploitable, so deploying software updates in a preventative manner is a hygienic practice. It is a form of inoculation, because we all benefit from systems being patched, it reduces the number of systems that will be impacted in the future and therefore reduces the potency of attacks which have a major global impact. This of course is paramount in the internet of things, because everything is connected and the onward impact on peoples’ lives could become safety-impacting in some way. We have moved past the time where systems being disabled or unavailable were an inconvenience.

So what does a label give us? Well at this stage – what we can do is help a consumer make an informed purchasing decision. Answering questions like “how long does this device get security updates for?” is really useful. It also means that those companies that have no interest in providing updates (even though they’re critical to provide) can no longer hide behind anything. It’s there for the buyer to see – if you don’t provide the updates, the consumer is free to choose not to buy your product. Not really good business to ship rubbish anymore is it?

Regulation of the Code of Practice security measures

The intention by the government is to pass the Code of Practice measures into law over time. On the regulatory side of the top three from the Code of Practice, the government has boiled down the consultation to three potential options:


● Option A: Mandate retailers to only sell consumer IoT products that have the IoT security label, with manufacturers to self declare and implement a security label on their consumer IoT products.
● Option B: Mandate retailers to only sell consumer IoT products that adhere to the top three guidelines, with the burden on manufacturers to self declare that their consumer IoT products adhere to the top three guidelines of the Code of Practice for IoT Security and the ETSI TS 103 645.
● Option C: Mandate that retailers only sell consumer IoT products with a label that evidences compliance with all 13 guidelines of the Code of Practice, with manufacturers expected to self declare and to ensure that the label is on the appropriate packaging.

From a personal perspective, I find it fantastic that we’ve reached the point where we can get rid of a lot of the products that are blighting the market with blatant insecurity. Good riddance I say and let’s celebrate the companies that are really paying attention to consumer security.

The security label will be run on a voluntary basis by retailers until regulation comes into force and legislative options are taken forward. The consultation also includes example designs that could be used. Interestingly when DCMS carried out a survey into what types of icons would be best, a padlock option was selected by less than 1% of participants. To me, what this reflects about the state of browser and web security and how we communicate security to users is somewhat depressing, but it serves as a reminder that trust is hard to earn, but easily lost.

This work is just another step down the road for globally improving IoT security. Again, it’s not the be all and end all, but it is a positive step and yet another example that the UK is leading the world by taking action, not just talking about IoT security.

Security change for good in the Internet of Things

mobilephonesecurity936843331Leave a comment

Today marks the launch of the Code of Practice for Consumer IoT Security following a period of public consultation. You can find out more on the Department for Digital, Culture, Media & Sport’s (DCMS) website. The publication also means that the UK is now way ahead of the rest of the world in terms of leadership on improving IoT security and privacy.

As the original and lead author of the Code of Practice, I was really pleased to read the feedback and see that many other people feel the same way about improving the situation globally. I was able to discuss the feedback at length with colleagues from DCMS, the National Cyber Security Centre (NCSC) and other departments to ensure that we were creating a sensible measured set of guidance that took into account the needs and concerns of all stakeholders.

For further details on what the Code of Practice contains and why it exists, have a look at some of my previous blogs on this topic:

A number of other documents are being released today, all of which are well worth a read if you’re interested in this space.

Mapping Recommendations and Standards in the IoT security and privacy space

The thing that my team and I spent the most effort on over the summer period was mapping existing recommendations on IoT security and privacy from around the world against the Code of Practice. This was no mean feat and meant going through thousands of pages of pretty dry text. If you talk to anyone in the industry space, it is a job that everyone knew needed doing but nobody wanted to do it. Well I can say it is done now (thank you Ryan and Mark particularly!), but things like this are the never ending task. While we were working on it, new recommendations were being released and inevitably, just after we’d completed our work others were published. Equally, we ran the risk of mapping the entirety of the technical standards space. For now at least, we’ve stopped short of that and I think we’ve given implementers enough information such that they’ll be able to understand what commonalities there are across different bodies and where to look. I still am sufficiently sane to state that I’ll commit to keeping this updated, but we’ll let the initial dataset be used by companies first. Ultimately I’m hoping this is the tool that will aid defragmentation in the IoT security standards space and again I’ll continue to support this effort.

I’m really pleased that the government agreed with the suggestion that we should make the mappings available as open data. We’ve also created visual mappings just to make things a little more readable. All of this is hosted at https://iotsecuritymapping.uk which is now live.

Mapping recommendations to the UK’s Code of Practice for Consumer IoT Security

Talking about the Code of Practice

I also continued to spend time discussing what we were doing with various security researchers and presented at both B-SidesLV in Las Vegas and at 44con in London. I also spoke to a number of different industry groups to explain what we were doing and what is happening next.

Most IoT products v Skilled hackers

I often used this picture, partly because it is of my cat Pumpkin, partly because it illustrates the reality of most companies that are looking to digitise their products. Their new shiny connected products are on the left protected by not a lot, whilst the skilled attackers sit ready to pounce. The mobile industry has been in a cat and mouse game (stay with me here) with hackers and crackers for around 20 years now. Broadly speaking, the mobile device is a hard target and there are some great engineers working in product security across the mobile industry. Take then the washing machine industry, just as an example. What experience does a company that produces washing machines have in device and internet security? Very little is the answer. Startups are encouraged to ship unfinished products and there is a continued prevailing attitude that companies can get away with doing and spending very little on security. It is no surprise that these products are easily broken and cause consumers significant security and privacy harm, further degrading consumer trust overall in connected products.

No more. Change is here.

Government Reports, IoT Security, Mirai and Regulation

mobilephonesecurity936843331Leave a comment

I saw a misleading report yesterday from a security researcher who said that the UK’s Code of Practice on IoT security couldn’t have prevented something like Mirai. Luckily I had already written something that explains how Mirai would have been prevented: https://www.copperhorse.co.uk/how-the-uks-code-of-practice-on-iot-security-would-have-prevented-mirai

I urge everyone interested to read the Secure by Design report plus the guidance notes within to see where things are going, especially the points about future consideration of regulation; and to understand that the Code of Practice is outcome based, in order to make it easily measurable by say a consumer group, not just engineering people like me. During the development of the report a huge number of people were consulted, including a lot of the security research community who provided invaluable advice and input.

On standards – I believe there is no need for additional standards in this space (that’s not what the Code of Practice is), but there is a need for existing standards from a range of bodies to be mapped against the outcomes. What we actually need is vendors to actually adopt the existing security standards within their products and to help them understand the inter-relation between standards a bit better. Mappings can be used by vendors to achieve the desired outcome of securely designed products that retailers feel confident to sell.

So don’t believe everything the noisy people say for a soundbite on the news – make up your own mind. More importantly the report is open for public feedback until the 25th of April, so make your voices known!

A Code of Practice for Security in Consumer IoT Products and Services

mobilephonesecurity936843331Leave a comment

 

Today is a good day. The UK government has launched its Secure by Design report and it marks a major step forward for the UK for Internet of Things (IoT) security.

Embedded within the report is a draft “Code of Practice for Security in Consumer IoT Products and Associated Services”, which I authored in collaboration with DCMS and with input and feedback from various parties including the ICO and the NCSC.

I have been a passionate advocate of strong product security since I worked at Panasonic and established the product security function in their mobile phone division, through to the mobile recommendations body OMTP where, as the mobile industry we established the basis of hardware security and trust for future devices. We’re certainly winning in the mobile space – devices are significantly harder to breach, despite being under constant attack. This isn’t because of one single thing; it is multiple aspects of security built on the experiences of previous platforms and products. As technologies have matured, we’ve been able to implement things like software updates more easily and to establish what good looks like. Other aspects such as learning how to interact with security researchers or the best architectures for separating computing processes have also been learned over time.

Carrying over product security fundamentals into IoT

This isn’t the case however for IoT products and services. It feels in some cases like we’re stepping back 20 years. Frustratingly for those of us who’ve been through the painful years, the solutions already exist in the mobile device world for many of the problems seen in modern, hacked IoT devices. They just haven’t been implemented in IoT. This also applies to the surrounding ecosystem of applications and services for IoT. Time and again, we’re seeing developer mistakes such as a lack of certificate validation in mobile applications for IoT, which are entirely avoidable.

There is nothing truly ground-breaking within the Code of Practice. It isn’t difficult to implement many of the measures, but what we’re saying is that enough is enough. It is time to start putting houses in order, because we just can’t tolerate bad practice any more. For too long, vendors have been shipping products which are fundamentally insecure because no attention has been paid to security design. We have a choice. We can either have a lowest common denominator approach to security or we can say “this is the bar and you must at least have these basics in place”. In 2018 it just simply isn’t acceptable to have things like default passwords and open ports. This is how stuff like Mirai happens. The guidance addresses those issues and had it been in place, the huge impact of Mirai would simply not have occurred. Now is the time to act before the situation gets worse and people get physically hurt. The prioritisation of the guidance was something we discussed at length. The top three of elimination of the practice of default passwords, providing security researchers with a way to disclose vulnerabilities and keeping software updated were based on the fact that addressing these elements in particular, as a priority, will have a huge beneficial impact on overall cyber security, creating a much more secure environment for consumers.

We’re not alone in saying this. Multiple governments and organisations around the world are concerned about IoT security and are publishing security recommendations to help. This includes the US’s NIST, Europe’s ENISA and organisations such as the GSMA and the IoT Security Foundation. I maintain a living list of IoT security guidance from around the world on this blog.

So in order to make things more secure and ultimately safer (because a lot of IoT is already potentially life-impacting), it’s time to step things up and get better. Many parts of the IoT supply chain are already doing a huge amount on security and for those organisations, they’re likely already meeting the guidance in the code of practice, but it is evident that a large number of products are failing even on the basics.

Insecurity Canaries

Measuring security is always difficult. This is why we decided to create an outcomes-based approach. What we want is the ability for retailers and other parts of the supply chain to be easily able to identify what bad looks like. For some of the basic things like eliminating default passwords or setting up ways for security researchers to contact in the case of vulnerabilities, these can probably be seen as insecurity canaries – if the basics aren’t in place, what about the more complex elements that are more difficult to see or to inspect?

Another reason to focus on outcomes was that we were very keen to avoid stifling creativity when it came to security solutions, so we’ve avoided being prescriptive other than to describe best practice approaches or where bad practices need to be eliminated.

The Future

I am looking forward to developing the work further based on the feedback from the informal consultation on the Code of Practice. I support the various standards and recommendations mapping exercises going on which will fundamentally make compliance a lot easier for companies around the world. I am proud to have worked with such a forward-thinking team on this project and look forward to contributing further in the future.

Additional Resources

I’ve also written about how the Code of Practice would have prevented major attacks on IoT:

Need to know where to go to find out about IoT security recommendations and standards?

Here’s a couple more things I’ve written on the subject of IoT security: