The scale of vulnerability of IoT was recently highlighted by Trend Micro, which found flaws in two of the most popular IoT protocols with hundreds of thousands of exposed public-facing IPs uncovered by the study. Additionally, recent researchby Databarracks found that 57 per cent of organisations are concerned about the security of IoT.
The government has been proactive in addressing IoT security risks publishing the Secure by Design report in March of 2018 and introducing a Code of Practice for consumer IoT security. Peter Groucutt, managing director of Databarracks, argues that while the introduction of a Code of Practice is a positive step, it is not enough to sufficiently address the issue of IoT security:
“The content, guidelines and recommendations in the Code of Practice are excellent. It addresses the most fundamental cyber security practices in order of criticality and importance. But the scheme doesn’t prohibit non-compliance. We should take inspiration from countries such as the US and Thailand in seeking to make these requirements legally enforceable.
“Expert estimates vary in total quantity, but agree we’re now seeing sharp, hockey-stick growth in the number of connected devices. A lack of diligence and care now will lead to trouble later.
“Our lack of regulation means we see instances as serious as insecure children’s smartwatches. The Code of Practice will be adhered to by the diligent parties in the IoT supply chain, but it won’t prevent less committed companies favouring profit over security and pushing insecure products to market. The same company that produced these smartwatches was also found to be making insecure video baby monitors earlier this year.”
Groucutt continues, “We often talk about digitalisation and digital transformation in business. From banking to healthcare, more of our lives are digital and online. There is a real difference between the relationship we used to have with technology and the world of IoT. As users, we were more involved with our desktop computer, installing antivirus software and making decisions about how we use it. With IoT devices, we are far less involved, we have less control over settings and we have many more devices to manage. Changes must be made to make the makers of these devices more responsible.
“The Code of Practice is currently only for consumer devices such as health trackers, smart home assistants and children’s toys and monitors. We recommend extending this reach.
“IoT devices aren’t just found in the consumer world. They are used on corporate networks which are only as strong as their weakest links. For example, earlier this year it was revealed that a casino was hacked via a thermometer in a fish tank. We advocate making the Code legally enforceable which is thankfully something the government is already considering and is an approach supported by several cyber experts.
“There is the argument that government interference might limit the UK’s ability to compete with other less regulated markets. But device security is now so fundamental that better regulation could be a competitive advantage and differentiation point for our manufacturers, service providers, developers and retailers.” concludes Groucutt.