The Department for Digital, Culture, Media and Sport (DCMS) has just published the report Secure by Design: Improving the cyber security of consumer Internet of Things. As the title suggests, these are the kind of things we all might have in our home - 'smart' light bulbs, thermostats, cameras, speakers, TVs and so on.
The NCSC contributed to this review, along with a number of other experts from government, industry and academia. This blog highlights a few key points and explains the rationale behind some of the recommendations the review contains.
The connected life
The number of connected devices in the average home or office is rising fast. Unfortunately, so is the number of incidents caused by common vulnerabilities in these products.
Researchers uncover new security flaws on a regular basis, and sometimes these are as simple as a hard-coded or default password (often one that is commonly used, such as 'admin') that lets anyone access a device. These passwords can be hard or impossible to change, and are often hidden from the user. The much-publicised Mirai malware exploited hard-coded passwords to infect a range of internet-connected cameras and home routers. It’s clear that many of these products are being manufactured at very low cost, and that basic security practices are not being followed.
This is obviously a problem, but to panic and disconnect everything feels like an overreaction. It would mean missing out on the benefits which this new technology can bring such as more efficient energy use, convenient remote controls and automated assistance for many aspects of daily life. We have to improve the security situation, but what exactly should we do?
Often, when vulnerabilities are uncovered in products, the manufacturer will devise a fix, and make that fix available to customers before widespread harm is done. Significant problems occur when either a fix is not made available, or when it's difficult/impossible to provide that fix to existing customers.
Our goal should be to make sure that, if we find problems with devices, they can be fixed. And to ensure that fixes are applied, the process should be as easy as possible for consumers. Ideally, it should happen automatically.
The principled approach
The DCMS report sets out recommendations for improving the security practices of device and component manufacturers, and for reducing the security burden on users. The central proposal of the review is a Code of Practice, which sets out 13 guidelines for secure devices. The first three of these are most likely to have an impact on device security, and they are:
1. No default passwords
All device passwords must be unique. It should not be possible to reset a password to a universal factory default value.
2. Implement a vulnerability disclosure policy
Provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers (and others) are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner.
3. Keep software updated
All software components in internet-connected devices should be securely updateable. Updates must be timely and not impact on the functioning of the device. An end-of-life policy must be published for end-point [i.e. consumer] devices which explicitly states, with reasons, the minimum length of time for which it will receive software updates. The need for each update should be made clear to consumers and an update should be easy to implement. For constrained devices that cannot physically be updated (such as sensors), the product should be capable of isolation and be replaceable.
The DCMS report is published as part of a broader conversation about what can be done to improve the security practices of developers, retailers and consumers. Following the eight-week informal consultation period, the recommendations will be refined and updated.
The bigger picture
While adherence to these principles will not, of course, close every security vulnerability, it will increase the likelihood of vulnerabilities being reported so that fixes can be found and distributed to customers. It will also provide consumers with an idea of how long a device can be expected to receive updates (a ‘best before’ date for security support, if you like) at the time of purchase.
It's in everyone's interest to reduce the burden on consumers, otherwise we'll all have to become security experts, spending our lives manually applying updates to devices all over our homes and workplaces. At the same time, we must allow developers to innovate, and find new uses for technology.
Competitive pressure encourages companies to work hard on getting to market quickly - security can easily suffer as a result. Our hope is that, by shining some light on products being developed and supported in accordance with the principles at the heart of the Code of Practice, we'll help consumers make better choices.
Tech Director, Platform Security Research