With the popularity of smart products rising and further rapid growth projected, the UK government is looking to create a legal framework for protecting UK citizens from the common cyber-attacks associated with these devices.
The government has recently introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill, which aims to protect consumers from security vulnerabilities in Internet of Things (IoT) devices.
Security Vulnerabilities in IoT devices
Currently only “1 in 5 manufacturers embed basic security requirements” in their IoT products (1). Smart devices can hold personal data in one form or another, and that, combined with poor security implementation, makes them a goldmine for cyber-criminals.
This has been well documented in videos published online showing footage from hacked devices ranging from personal security cameras to baby monitors. The highly personal use of these devices demonstrates the need for strong security requirements and highlights the risk of having none.
Carjacking is also a product of poor IoT security. As software is integrated into vehicles, any flaw in that software introduces the risk that a vulnerability can be exploited to gain access and take control of components such as radios, vents and locks, as security researchers have demonstrated. Car manufacturers are responding to these flaws by patching their software and advising customers to update their systems regularly (2).
Ring, the Amazon-owned company that manufactures connected doorbells and home monitoring systems, saw customer devices hijacked through “weak, recycled and default credentials”. The compromised devices gave attackers access to live feeds inside customers’ homes, and they were “even able to communicate remotely using the devices integrated microphones and speakers”. It is a stark reminder not to reuse the same username and password across devices (3).
From baby monitors to cars and everything in between, IoT devices have become commonplace in most people’s homes. The average household has nine IoT devices (1). Over 26 billion IoT devices were active in 2020, with 75 billion projected by 2025. That is an appealing and lucrative target for malicious hackers, which is why it is an area that unquestionably needs regulation (3).
To illustrate the scale of the problem, there were 639 million attacks on IoT devices in 2020, and that figure more than doubled to 1.5 billion in the first half of 2021 alone (4).
The multitude of examples of security flaws indicates a serious lack of security focus from the makers of these devices. Default passwords in particular are low-hanging fruit: even unskilled attackers can use them to compromise devices and pivot further into a network. The convenience that IoT devices offer consumers has driven the industry’s growth, but consumers are largely unaware of the vulnerabilities associated with these products, especially when they come from reputable companies. The mounting risk to UK consumers has created the need for legal regulation of this market.
Product Security and Telecommunications Infrastructure Bill
The PSTI legislation would better protect consumers’ phones, tablets, fitness trackers, smart TVs and any other connectable device from cyber-attacks by imposing heavy fines on companies that do not comply with the new security requirements, with the potential for non-compliant devices to be banned from sale in the UK.
The government proposes to ban manufacturers from setting universal default passwords, an easy and common attack vector for malicious hackers. Default passwords have their conveniences for the consumer, but they make it extremely easy for an attacker to gain access, something that flies under the radar of most people. Eliminating them raises everyone’s security.
Many IoT devices are not securely configured when they leave the factory and are not regularly patched afterwards. This leaves vulnerabilities open to exploitation, and the PSTI Bill aims to minimise the impact of this.
The bill will ‘place duties on the manufacturers, importers and distributors that must be complied with in relation to these products’, and if those duties are not met, fines can reach £10m or 4% of global revenue, with fines of up to £20,000 per day for persistent breaches (1).
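To make the distinction concrete, here is an added example (not code from the original post, from SBRC or from the bill itself) that audits a small fleet inventory for exactly the weakness described above and in the Ring example: a single factory password shared across every unit, or a credential that appears on a short sample list of well-known defaults. The inventory, the serial numbers, the default-credential list and the 12-character minimum are all constructed assumptions for illustration; `provision_fleet` shows the alternative the bill points toward, a unique random password for each unit.

```python
"""Audit a constructed IoT fleet inventory for universal default passwords.

Added example for this post; not code from SBRC or from the PSTI Bill.
Every inventory, serial number and default credential below is constructed
for illustration.
"""
import secrets
import string
from collections import Counter

# Constructed sample of factory credentials that have shipped on many
# devices. A real audit would use a maintained default-credential list.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
    ("admin", ""),
}

MIN_LENGTH = 12  # assumed policy minimum for an initial per-device password


def is_known_default(username: str, password: str) -> bool:
    """True if the pair is on the sample default list (username case-insensitive)."""
    return (username.lower(), password) in KNOWN_DEFAULTS


def universal_passwords(inventory: dict) -> set:
    """Passwords that appear on more than one device.

    `inventory` maps device serial -> (username, password). A password shared
    across units is a universal default in the sense the bill targets: whoever
    learns it from one unit can log in to all of them.
    """
    counts = Counter(password for _, password in inventory.values())
    return {password for password, n in counts.items() if n > 1}


def audit_fleet(inventory: dict) -> list:
    """One finding string per problem device, in serial order; [] means clean."""
    shared = universal_passwords(inventory)
    findings = []
    for serial, (username, password) in sorted(inventory.items()):
        if is_known_default(username, password):
            findings.append(f"{serial}: known default credential {username!r}/{password!r}")
        elif password in shared:
            findings.append(f"{serial}: password shared with other devices")
        elif len(password) < MIN_LENGTH:
            findings.append(f"{serial}: password shorter than {MIN_LENGTH} characters")
    return findings


def provision_password(length: int = 16) -> str:
    """Per-unit password drawn from the OS CSPRNG at manufacturing time."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def provision_fleet(serials) -> dict:
    """Build an inventory in which every unit gets its own random password."""
    return {serial: ("admin", provision_password()) for serial in serials}


# Constructed inventory showing the weaknesses the bill targets.
WEAK_FLEET = {
    "CAM-0001": ("admin", "admin"),              # universal factory default
    "CAM-0002": ("admin", "admin"),
    "CAM-0003": ("admin", "admin"),
    "CAM-0004": ("admin", "Welcome2021"),        # changed by the owner, but short
    "CAM-0005": ("admin", "Summer2021Secure!"),  # reused across two units
    "CAM-0006": ("admin", "Summer2021Secure!"),
}

if __name__ == "__main__":
    for finding in audit_fleet(WEAK_FLEET):
        print(finding)
    print("provisioned fleet findings:",
          audit_fleet(provision_fleet(["CAM-1001", "CAM-1002", "CAM-1003"])))
```

The point of `universal_passwords` is that the problem is a property of the fleet, not of any one device: a password that would pass a per-device strength check still fails the audit if it is printed on every unit's label. The per-unit password from `provision_fleet` is what a manufacturer would print on the device itself, and a first-boot prompt to change it would sit on top of that.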
A Safer Cyber Future
SBRC and the National Cyber Security Centre (NCSC) share the ethos of striving to make the UK the safest place in the world to live and work online. This new legislation is a positive step towards making strong security the default, leaving fewer people exposed to vulnerabilities they would otherwise have been susceptible to.
For More Information on the PSTI bill:
1. The Product Security and Telecommunications Infrastructure (PSTI) Bill: factsheets. GOV.UK. [Online] 24 11 2021. [Cited: 29 11 2021.] https://www.gov.uk/government/collections/the-product-security-and-telecommunications-infrastructure-psti-bill-factsheets.
2. 5 infamous IoT hacks. IoT For All. [Online] [Cited: 29 11 2021.] https://www.iotforall.com/infamous-iot-hacks.
3. IoT security breaches: real world examples. Conosco. [Online] [Cited: 29 11 2021.] https://www.conosco.com/blog/iot-security-breaches-4-real-world-examples/.
4. UK IoT cybersecurity bill. TechCrunch. [Online] [Cited: 29 11 2021.] https://techcrunch.com/2021/12/04/uk-internet-of-things-cybersecurity-bill/.