Blog post

Fixing all the things

Created:  06 Mar 2018
Updated:  06 Mar 2018
Author:  Paul W
Part of:  Vulnerabilities
Internet of things

The Department for Digital, Culture, Media and Sport (DCMS) has just published the report Secure by Design: Improving the cyber security of consumer Internet of Things. As the title suggests, these are the kind of things we all might have in our home - 'smart' light bulbs, thermostats, cameras, speakers, TVs and so on. 

The NCSC contributed to this review, along with a number of other experts from government, industry and academia. This blog highlights a few key points and explains the rationale behind some of recommendations the review contains.


The connected life

The number of connected devices in the average home or office is rising fast. Unfortunately, so is the number of incidents caused by common vulnerabilities in these products.

Researchers uncover new security flaws on a regular basis, and sometimes these are as simple as a hard-coded or default password (often one that is commonly-used such as 'admin') that lets anyone access a device. These passwords can be hard or impossible to change, and are often hidden from the user. The much-publicised Mirai malware exploited hard-coded passwords to infect a range of internet-connected cameras and home routers. It’s clear that many of these products are being manufactured at very low cost, and that basic security practices are not being followed.

This is obviously a problem, but to panic and disconnect everything feels like an overreaction. It would mean missing out on the benefits which this new technology can bring such as more efficient energy use, convenient remote controls and automated assistance for many aspects of daily life. We have to improve the security situation, but what exactly should we do? 



Often, when vulnerabilities are uncovered in products, the manufacturer will devise a fix, and make that fix available to customers before widespread harm is done. Significant problems occur when either a fix is not made available, or when it's difficult/impossible to provide that fix to existing customers.

Our goal should be to make sure that, if we find problems with devices, they can be fixed. And to ensure that fixes are applied, the process should be as easy as possible for consumers. Ideally, it should happen automatically.


The principled approach

The DCMS report sets out recommendations for improving the security practices of device and component manufacturers, and for reducing the security burden on users. The central proposal of the review is a Code of Practice, which sets out 13 guidelines for secure devices. The first three of these are most likely to have an impact on device security, and they are:


1. No default passwords 

All device passwords must be unique. It should not be possible to reset a password to a universal factory default value.


2. Implement a vulnerability disclosure policy

Provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers (and others) are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner.


3. Keep software updated

All software components in internet-connected devices should be securely updateable. Updates must be timely and not impact on the functioning of the device. An end-of-life policy must be published for end-point [i.e. consumer] devices which explicitly states, with reasons, the minimum length of time for which it will receive software updates. The need for each update should be made clear to consumers and an update should be easy to implement. For constrained devices that cannot physically be updated (such as sensors), the product should be capable of isolation and be replaceable.

The DCMS report is published as part of a broader conversation about what can be done to improve the security practices of developers, retailers and consumers. Following the eight week informal consultation period, the recommendations will be refined and updated.


The bigger picture

While adherence to these principles will not, of course, close every security vulnerability, it will increase the likelihood of vulnerabilities being reported so that fixes can be found and distributed to customers. It will also provide consumers with an idea of how long a device can be expected to receive updates (a ‘best before’ date for security support, if you like) at the time of purchase.

It's in everyone's interest to reduce the burden on consumers, otherwise we'll all have to become security experts, spending our lives manually applying updates to devices all over our homes and workplaces. At the same time, we must allow developers to innovate, and find new uses for technology.

Competitive pressure encourages companies to work hard on getting to market quickly - security can easily suffer as a result. Our hope is that, by shining some light on products being developed and supported in accordance with the principles at the heart of the Code of Practice, we'll help consumers make better choices.


Paul W

Tech Director, Platform Security Research


Will Pearson - 07 Mar 2018
Hi Paul,

Thanks for the a useful blog post, I agree it is a pressing problem and becoming more important as we connect more things to the internet. The pdf talks about regulation coming out in this area. Rather than compulsory regulation, perhaps an optional symbol people can earn to put on their products (like the BSI kitemark) so that consumers have some knowledge of how seriously the providers take security, could be attempted to start with.

I was also wondering if Ncsc or any other government body is researching, investigating or promoting securer models of computation to help fix some of the long term problems with computing. I'm thinking of things like the and beyond.

I'm a part time researcher in such models and I'm interested in collaboration.

Paul W - 13 Mar 2018
Thanks for commenting; along with DCMS and other partners we will consider a range of options for labelling.

The NCSC conducts research into security technology, and also supports academic work in UK universities. In particular is interested in hardware security, and is working on some projects relevant to secure computing. It’s early days as ‘RISE’ is new, but watch out for more details as the research develops.

Leave a comment

Was this blog post helpful?

We need your feedback to improve this content.

Yes No