
Legislating IoT Devices, One Part of IoT Security Jigsaw


By Andy Norton, European Cyber Risk Officer

The UK government recently announced that it is forging ahead with plans to legislate IoT devices and, crucially, it is bringing smartphone devices into this purview. The Department of Digital, Media and Sport (DCMS) cited figures that show nearly half (49%) of UK residents have purchased at least one smart device since the beginning of the pandemic. These new requirements build upon the original Code of Practice for IoT device manufacturers, first set out in 2018.

They will require suppliers to inform customers at the point of purchase how long products will receive security updates and software patches. This matters because, on average, one-third of consumers keep their devices for at least four years, whereas manufacturers often stop issuing patches and updates after a two-year period. The law will also ban device makers from selling their products with universal or easily guessable default passwords, and will set out clear instructions to the public on how to report vulnerabilities.

Of course, legislation pushing secure-by-design principles across a wider set of devices like doorbells, wearables, mobile phones, cameras, etc, can only be a good thing. It will surely raise the bar against the potential for attack from a wide variety of threat actors; for instance, we know advanced threat actors have invested in attack tools, such as Fronton, that target IoT devices.

That said, IoT is playing catch-up with other sectors such as ICS, which has the IEC 62443 standard that applies secure-by-design principles to both the overall system and its individual components. There is also an argument to be made that legislation, on its own, is only part of the picture.

Smartphones are an additional challenge, not just because of supportability during the lifecycle, but because they are used by people like, say, Dave. Dave doesn't install updates on his phone anyway because they ruin his battery life. Dave also randomly installs apps on his phone from any store or market; Dave's PIN is 2580, which is also his burglar alarm code. So, you see, expanding legislation to support secure-by-design principles is a great addition to the security jigsaw, but it is only one piece of the overall picture. And there are many Daves in this world. Education will naturally play a part in combating this, but again, it is incredibly difficult to change people's behaviour.

When it comes to IoT security, this is a big challenge. No matter what laws are enforced at the manufacturing level, enterprises will constantly battle with user behaviour and with the inability to protect what they can't see.

Armis helps organizations see every device and make risk assessments based on device behavior and prevent rogue devices from moving laterally across the network. In fact, by recently partnering with Eseye, devices on any cellular network can be secured with no additional hardware or agents to install.

For more information and to see a full demonstration of Armis, please visit www.armis.com/demo.



*** This is a Security Bloggers Network syndicated blog from Armis authored by Andy Norton. Read the original post at: https://www.armis.com/resources/iot-security-blog/legislating-iot-devices-one-part-of-iot-security-jigsaw/


Andy Norton

Andy Norton is Director of Threat Intelligence at Lastline. He has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both Bush and Obama administrations, The Cabinet office, the Foreign and Commonwealth office, SWIFT, Swiss National Bank, Prudential Regulation Authority, the Bank of England, The Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.
