Preventing Insecure Connected Products Being Sold

Work on improving security in the Internet of Things (IoT) continues apace! The UK government has reached another milestone in its mission to make the country one of the most secure places to do business and to live in, with the release of proposals for regulating the cyber security of smart products. They are well worth a read and provide a good steer as to what the future of insecure connected products will look like when we collectively say ‘Enough is enough’.

This Call for Views invites feedback until early September 2020 on a range of options as the government moves towards legislation based around the top 3 items in the UK’s Code of Practice for IoT Security:

1) To eliminate the problem of default passwords.
2) To ensure that companies in the IoT space have a way for security researchers to be able to contact them to report vulnerabilities in products.
3) To be transparent to consumers about how long software updates will be available.

These are anchored in the recently approved European standard for IoT security, ETSI EN 303 645 which has the support of industry and governments across the world, marking a significant harmonisation of views on how the problem should be approached.

The Call for Views outlines the aims of the government – to achieve an outcome where there are no products available on the UK market that are non-compliant with the above. In simple terms – you shouldn’t be able to buy a product that has not been designed securely.

This is of course just the start. The items above are fundamental, but there are many different types of security that should be built into products; it’s just that some manufacturers of products and services choose not to do that. You wouldn’t allow a food manufacturer to supply to shops if they hadn’t taken basic sanitation measures, so why should that be allowed in the smart product space?

Proposed Scope

The scope of products included is broader than IoT products and covers the scope of nearly all the connected products you could find in a home, including laptops and mobile phones. As PCs and mobile phones have been under attack for many years now, the product security in those industries is significantly mature and it really shouldn’t be an issue for those companies to conform to the basics because they’re already doing them.

The core scope is the connected products that everyone has concerns about – children’s toys, cameras, appliances such as fridges or washing machines, safety-relevant products such as connected door locks and so on as well as IoT ‘hubs’.

One area that has been a significant concern for many years is home routers. These rarely get updated and often stay in place in homes for many years without being touched. If they’re compromised, they can create a big issue for users because they’re the point of entry to the home and everything else that is connected, but equally, compromised routers and other equipment at scale can create harm to others across the world by being part of other types of attack.

The proposed scope also covers home workers by including things like printers and office equipment that you might find in both a home or office. This is particularly relevant as businesses have shifted their workforces to home during the Covid-19 crisis.

Some things are out of scope because there is existing or forthcoming regulation in those domains – for example, smart Electric Vehicle (EV) Chargers, Smart Meters and medical devices.

Enforcement

The work laid out in the proposals sets out the obligations on Producers and Distributors, formalising the language that has been used thus far such that it forms the basis of a legislative and regulatory framework governing people who make products but also those that sell them into the UK. It also means that there must be a way to test and declare compliance of these products. This comes at a good time as the EU Cyber Security Act will also require such action to take place across lots of different types of networked products. The proposals also lay out when they expect companies to be compliant – it is proposed that everything must be in place by 9 months following Royal Assent of legislation. The implication is that companies have had long enough and enough warnings that these practices are simply not acceptable.

The list of proposed enforcement actions aligns with other existing ways of removing products from the market – i.e. issuing compliance notices, through to enforcement with real teeth: it is proposed that order breaches are contempt of court which carries a maximum penalty of a fine and two years’ imprisonment. Forfeiture and destruction of products are also on the table as well as financial penalties – the fine amounts are to be determined but a note states that other regulations consider fines of up to 4% of annual worldwide turnover (a clear reference to the EU data protection regulation GDPR). This alone shows that the intent is for the regulation to have real teeth and that the government means business. The ‘Avengers’ team of superheroes working on this project at DCMS and NCSC have done a fantastic job once again, supported by lots of other government departments. Especially now as well – ‘Quiet Batpeople’ is certainly not the right term, but these individuals have all also been volunteering to deal with various aspects of the Covid-19 response, so to deliver this work as well is a huge achievement!

Mapping the Global Direction and Understanding of IoT Security

Understanding where everyone stands on this from a technical perspective is a tough job. I am lucky to have a fantastic team who have been working on doing just that. We have continually been monitoring the progress of IoT security recommendations and standardisation and will continue to do so. Our work can be seen at https://iotsecuritymapping.uk. We recently added recommendations from Australia, Singapore, California’s new law on connected device security and the US National Institute of Standards and Technology (NIST)’s Device Cybersecurity Capability Core Baseline. There are more documents being mapped soon and we’re tracking work from Brazil, to India, to proposed legislation in the US State of Oregon.

We have noticed that there is defragmentation of ideas and recommendations happening across the world as there is a greater collective understanding of the problem domain and how to solve it. The mappings that we have recently created show strong alignment against the top 3 items listed above. We have also observed that whilst some countries are slightly less mature than the UK in tackling the issue, they can benefit from the international standardisation that has taken place and are starting to adopt and endorse this already. Truly we can adopt a global stance that it is unacceptable to provide connected products without even considering the basics of product security.

The Call for Views is open until the 6th of September 2020 and anyone can give feedback on the proposals to DCMS at: securebydesign@dcms.co.uk.

Here’s some more background material if you’re interested in further reading:

Legislating for Security in Consumer IoT

Copper Horse CEO, David Rogers discusses today’s UK government announcement on legislation for consumer IoT security.

Today marks another step along the road for IoT security – the teeth of legislation and regulation to deal with companies that do not implement security in their consumer IoT products. It is likely that the UK will become the first country in the world to legislate on IoT security.

In May 2019, the UK government launched a consultation into regulation for the security of consumer IoT. The consultation is now complete, with 49 responses and a decision to move ahead with legislating for the top 3 items from the Code of Practice for Consumer IoT Security and ETSI TS 103 645 (pdf). Work is ongoing to bring the ETSI TS to a full European Standard or EN – the draft EN is currently out for review (pdf) until the end of February with National Standards Organisations.

For everyone, the time to act is now

From a personal perspective, I really think this is a huge step. Over the past couple of years I’ve been privileged to work with a fantastic team at DCMS and the NCSC who have been really motivated to help people and understand the problem space. The consumer support for legislation is there and we know that security can be implemented by manufacturers because some companies are already doing it and the security technology is available to be used. We already knew what good looked like – we just wrote it down and prioritised it. What we’ve seen is support from a number of countries and organisations and a recognition that acting now to address the fundamental security concerns is the right way forward.

We also know to a certain extent what the real situation is like in the market. In 2018, we conducted research on behalf of the IoT Security Foundation which showed that fewer than 10% of the manufacturers we surveyed had any way for a security researcher to contact them. The results of our follow-up survey are out this quarter and will reflect a broadly similar situation. Security by design is a concept that some companies choose to ignore because they think that they can get away with it or it doesn’t matter. Well, if you want to ship products to the UK in the future, you had better get your act together pretty quickly.

Considerations

One of the things that I think we need to be aware of is the danger of penalising ‘good’ manufacturers, rather than the rogue ones. I’ve seen this before with work I’ve done against counterfeit and so-called ‘sub-standard’ electronic products. Some measures that are proposed against counterfeit only increase the cost for the ones who will abide by the rules anyway, while the rogue ones get away with continuing to do nothing. In this case, I think we have the balance right. The measures being put forward are a foundational baseline; these are things that are really fundamental, but if not implemented can cause huge consumer harm. Default passwords in consumer devices in this day and age are, well, pretty stupid when there are better, safer alternatives for enrolling users to devices and for initiating products from factory defaults. What we’re also asking for is transparency:

  • in access – for security researchers who want to report vulnerabilities to manufacturers easily and;
  • about the minimum length of time that devices will get security updates.

Both of these areas will serve to demonstrate a responsible, public commitment by manufacturers to addressing and resolving discovered security issues. Primarily, manufacturers should be honest towards consumers.

Last year when we created our mapping website, https://iotsecuritymapping.uk , we set out to both help manufacturers to understand how the UK’s Code of Practice mapped to the existing body of work and guidance on IoT security and privacy but also to provide some reassurance that what we were saying was not unusual – in fact, there was a broad consensus on what we were recommending, the fragmentation was really just in the semantics of how documentation from across the world was written. We made that available as open data precisely to help in the process of defragmentation and facilitation of common understanding. The decision by DCMS to translate the Code of Practice into multiple languages reduced the barrier to entry and understanding and acknowledged the truly global nature of both the electronics and software supply chain as well as the designers, security experts and security researchers across the world.

Next steps

The next few months are going to be hard work. My own anxiety is that there will also always be edge cases – those points at which adjustments need to be made or possibly where we haven’t considered certain use cases. I’m certain that the team working on it are conscientious and will work to understand manufacturer concerns and the feedback from the public consultation. Ultimately in all of this, we have had a choice – sit on our hands and wait for things to get worse, or get on, do something and make the world a safer place. We chose action over procrastination.

More reading on this topic:

How the UK’s Code of Practice on IoT security would have prevented Mirai

The UK’s report on Secure by Design was released today after a significant amount of work from some of the best minds in government, academia and industry. This is one of the first major steps in the world by a government towards eliminating some of the bad practices that have plagued connected devices and services for many years.

Copper Horse’s CEO, David Rogers was the author of the UK’s Code of Practice for Security in Consumer IoT and services as part of its report on Secure by Design, in collaboration with DCMS, the NCSC, industry and academia. Here, David discusses how one of the major attacks on IoT, a botnet called Mirai, would have been prevented and its successors neutralised.

Security of devices and services is never just about one single measure. By building strength-in-depth, an attacker will find it extremely difficult to execute a successful, persistent attack that can affect millions of IoT devices.

Taking the infamous IoT botnet Mirai as an example, the Code of Practice provides multiple layers of protection against this attack, including the following:

1. Elimination of default passwords (guideline number 1) – Mirai used a list of 61 known default username and password combinations, encompassing millions of devices. Had these passwords been unique, Mirai could not have worked.
2. Software updates (guideline number 3) – Many of the Mirai devices either were out-of-date with their patching or simply couldn’t be patched at all. This means that the spread of Mirai could not easily be halted. Had software patching been in place, devices could both be immunised and fixed. Most importantly, regular patching also protects against future variants of attack that exploit other vulnerabilities, neutralising their effect.
3. By following guideline number 6 in the Code of Practice on “Minimising exposed attack surfaces”, vendors would have prevented Mirai because the port it used to attack the devices would have been closed and therefore inaccessible. This is a good demonstration of the principle of “secure by design”.
4. Ensuring software integrity (guideline number 7) would have prevented arbitrary, remote code execution and supported preventing things like authentication bypass issues. Even if Mirai could have accessed a device, with no access to run code it couldn’t have done anything.
5. Designing a system to be resilient to outages (guideline number 9) means that if it is the victim of an attack like Mirai, key services will continue to operate, severely limiting the effect of the attack until it is dealt with.
6. Having a vulnerability disclosure policy (guideline number 2) allows these types of issues to be reported to vendors by security researchers and then subsequently addressed, prior to malicious exploitation. We want to ensure that vendors get the information about vulnerabilities from the good guys first.
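
As an added illustration of item 1 (not code from the Code of Practice or from the original article), the sketch below audits a factory provisioning manifest for known-default and shared passwords. The manifest schema, the three-entry default list and the device values are constructed assumptions; it goes slightly beyond the text by also flagging passwords derivable from the serial or MAC, since a unique but predictable password can still be guessed by automation.

```python
import secrets
from collections import defaultdict

# Constructed sample of generic factory defaults (not Mirai's actual list).
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("user", "user")}

# Unambiguous alphabet (no i, l, o, 0, 1) for passwords printed on a label.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def new_device_password(length=16):
    """Per-device password from the OS CSPRNG, independent of serial or MAC."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_manifest(devices):
    """Return {serial: [findings]} for a provisioning manifest.

    Each device is a dict with serial, mac, username, password (assumed schema).
    """
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for d in devices:
        by_password[d["password"]].append(d["serial"])
        if (d["username"], d["password"]) in KNOWN_DEFAULTS:
            findings[d["serial"]].append("known-default")
        # Unique is not enough if the value can be computed from the label.
        pw = d["password"].lower()
        mac = d["mac"].replace(":", "").lower()
        if d["serial"].lower() in pw or mac[-6:] in pw:
            findings[d["serial"]].append("derived-from-identifier")
    # Any password used by more than one unit lets one guess unlock many devices.
    for serials in by_password.values():
        if len(serials) > 1:
            for s in serials:
                findings[s].append("shared-password")
    return dict(findings)


# Constructed manifest for illustration only.
SAMPLE = [
    {"serial": "CAM0001", "mac": "00:11:22:aa:bb:01", "username": "admin", "password": "admin"},
    {"serial": "CAM0002", "mac": "00:11:22:aa:bb:02", "username": "admin", "password": "admin"},
    {"serial": "CAM0003", "mac": "00:11:22:aa:bb:03", "username": "admin", "password": "cam-aabb03"},
    {"serial": "CAM0004", "mac": "00:11:22:aa:bb:04", "username": "admin",
     "password": new_device_password()},
]

if __name__ == "__main__":
    for serial, issues in audit_manifest(SAMPLE).items():
        print(serial, issues)
```
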

You can see that design measures, if implemented, can create the foundations that will reduce exposure to such attacks, allow pre-emptive protection for products once an attack is out in the wild and allow a response to an attack that is ongoing, whilst keeping users secure.

Security is a very difficult subject and there is no panacea to the security of devices, given that you are almost always dealing with an active adversary (sometimes clever automation in the form of AI and machine learning). This is why like many, I believe that the topic of security is more art than science.

In approaching this piece of work, we never set out to achieve a remedy for all ills because it simply isn’t possible. What we did do was take a long hard look at what the real problems are and what solutions need to be in place. Industry has already come a long way; a lot of vendors and service providers are doing a huge amount to make things more secure. Just look at the work of GSMA’s IoT guidelines which is now being adopted across the world, or the work of the IoT Security Foundation, or any of the following.

There are still a lot of vendors and startups who need a guiding hand or who wilfully ignore security for various reasons. This includes mobile applications controlling IoT devices which are often over-permissioned or which don’t implement internet encryption correctly. We looked at measurable outcomes. How would a retailer be able to check whether something was insecure? What things are easily testable by a consumer group? If someone tries to put something into a major retail outlet that is insecure, could it be caught before it was sold? In the future, would an organisation like Trading Standards be able to identify insecure devices easily? My own view is that we should be able to flush out the bad stuff from the system whilst encouraging innovation and enabling businesses to make IoT that is secure, privacy respecting and convenient for users.

Additional thoughts are on David’s blog: A Code of Practice for Security in Consumer IoT Products and Services