Not long ago, a new law was issued in the UK to protect consumers from the security risks posed by IoT devices.
Under the law, companies must adhere to three requirements. The first is to make sure that every device has a unique password set and allows a simple factory password reset. The second is to open a contact point where anyone, consumers as well as developers, can report bugs, and any vulnerability that is reported must be handled in a timely manner. The third is that, whether a device is sold online or in a store, the minimum period for which it will receive security updates must be clearly stated at the point of sale.
Digital Secretary Matt Warman says the new law requires companies that manufacture and sell Internet-connected devices to take into account, and stop, attacks by hackers that threaten privacy and safety. It also means that strong security must be integrated at the design stage and not added later.
The UK government predicts that 75 billion IoT devices will be distributed to homes around the world by the end of 2025. The three requirements are said to have been determined in consultation with the cybersecurity center NCSC in May of last year. The requirements are basic rather than radical. Currently, it is pointed out that all companies that guarantee end-to-end encryption do not provide a function to change passwords or provide default passwords to installation programs.
In 2016, a massive DDoS attack infected billions of unsecured IoT devices with malware (Mirai). To reduce this security risk, a password needs to be set on every IoT device. It is also important to require manufacturers to state the support period for security updates.
In the United States, the California Senate passed SB-327, an Internet of Things security bill, which has been in force since January 1 of this year. This bill requires manufacturers to establish reasonable security functions, such as prohibiting the use of default passwords. However, some experts criticize it as ambiguous and insufficient. In any case, the UK's regulatory move for IoT device manufacturers is the minimum approach that all countries should pursue. Related information can be found here.