Is the UK government’s new IoT cybersecurity bill fit for purpose? – TechCrunch

Internet of things (IoT) devices, meaning everyday electronics that connect to the internet, from fitness trackers to smart light bulbs, are now a part of most people’s daily lives.

However, cybersecurity is still a problem and, according to antivirus provider Kaspersky, it is only getting worse: there were 1.5 billion IoT device breaches in the first six months of 2021, nearly doubling from 629 million in 2021 as a whole. This is largely because security has long been an afterthought for manufacturers of generally cheap devices, which continue to ship with default passwords and insecure third-party components.

To improve the security credentials of consumer IoT devices, the UK government this week introduced the Product Security and Telecommunications Infrastructure Bill (PSTI) to Parliament, a law that would require IoT manufacturers, importers, and distributors to meet certain cybersecurity standards.

The bill outlines three key areas of minimum security standards. The first is a ban on universal default passwords such as “password” and “admin”; these passwords are often preset in a device’s factory settings and are easy to guess. The second requires manufacturers to provide public contact information so that anyone can easily report a security vulnerability. The third requires IoT manufacturers to tell their customers the minimum length of time a product will receive important security updates.
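As an added example (not code from the article or from the bill itself), a small Python audit that checks a constructed batch of device factory records against the three minimums described above: no universal or batch-shared default password, a usable public contact for reporting vulnerabilities, and a stated support period that has not already lapsed. The universal-password list, the sample records and the audit date are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
# Constructed "universal" factory password list (the article names "password" and "admin").
UNIVERSAL_DEFAULTS = {"password", "admin", "root", "1234", "default"}
CONTACT_RE = re.compile(r"(mailto:)?[^@\s]+@[^@\s]+\.[^@\s]+|https?://\S+")  # e-mail or URL

@dataclass
class DeviceRecord:
    serial: str
    default_password: str          # credential preset at the factory
    security_contact: str          # public address for reporting vulnerabilities
    support_until: Optional[date]  # stated end of the security-update period, if any

def audit_device(dev: DeviceRecord, batch_counts: Counter, today: date) -> List[str]:
    findings = []  # empty means all three minimums are met for this unit
    pw = dev.default_password
    if pw.lower() in UNIVERSAL_DEFAULTS:
        findings.append("universal default password")
    elif batch_counts[pw] > 1:                 # same preset credential on several units
        findings.append("password shared across batch")
    elif dev.serial.lower() in pw.lower():     # trivially derivable from the label
        findings.append("password derivable from serial")
    if not CONTACT_RE.fullmatch(dev.security_contact):
        findings.append("no usable vulnerability-reporting contact")
    if dev.support_until is None:
        findings.append("support period not stated")
    elif dev.support_until <= today:
        findings.append("support period already ended")
    return findings

def audit_batch(devices: List[DeviceRecord], today: date) -> Dict[str, List[str]]:
    counts = Counter(d.default_password for d in devices)  # spot batch-wide passwords
    return {d.serial: audit_device(d, counts, today) for d in devices}

def sample_batch() -> List[DeviceRecord]:
    # Constructed sample records: one compliant unit (SN-0003) plus each failure mode.
    contact = "security@example.com"
    return [
        DeviceRecord("SN-0001", "admin", contact, date(2025, 1, 1)),
        DeviceRecord("SN-0002", "k7Qz-93pL", "", None),
        DeviceRecord("SN-0003", "Xy8-22Ab", "https://example.com/.well-known/security.txt", date(2024, 6, 1)),
        DeviceRecord("SN-0004", "Batch2021!", contact, date(2024, 6, 1)),
        DeviceRecord("SN-0005", "Batch2021!", contact, date(2021, 6, 1)),
        DeviceRecord("SN-0006", "sn-0006x", contact, date(2024, 6, 1)),
    ]
def run_sample() -> Dict[str, List[str]]:
    return audit_batch(sample_batch(), date(2022, 1, 1))  # constructed audit date
```

Calling `run_sample()` returns a per-serial list of findings; only SN-0003 comes back clean.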

This new cybersecurity regime will be overseen and enforced by a regulator that has not yet been designated, backed by GDPR-style penalties: companies that fail to comply with PSTI can be fined up to £10 million or 4% of annual revenue, plus up to £20,000 per day if violations continue.

At first glance, the PSTI bill sounds like a step in the right direction. In particular, the ban on default passwords has been widely praised by the cybersecurity industry as a “common sense” measure.

“Basic cyber hygiene, such as changing the default password, can greatly help improve the security of these types of devices,” YesWeHack Managing Director Rodolphe Harand told TechCrunch. “This basically provides an additional layer of protection because the manufacturer needs to provide a new unique password.”

However, others have argued that the measures, especially the ban on easy-to-guess passwords, have not been fully thought through and could create new opportunities for threat actors to exploit.

“It’s commendable to stop the default password, but if each device has a private password, who is responsible for managing it?” said Matt Middleton-Leal, Managing Director of Qualys. “It’s common for end users to forget their password. How can a specialist access it if the device needs repair? This is where the manufacturer may have to provide a superuser account or backdoor access, and that is a dangerous area.”

Middleton-Leal, along with others in the industry, is also concerned about the PSTI bill’s mandatory vulnerability disclosure. While wise in principle, the bill contains no requirement that a vulnerability be fixed before it is disclosed, nor a route for security researchers to contact the manufacturer privately so that defects and bugs can be fixed first.

“If anything, this increases the risk, because when the vulnerability becomes publicly known, malicious attackers have a signal to focus their efforts on finding a way to exploit it,” Middleton-Leal added.

John Goodacre, director of Digital Security by Design at UKRI, agrees that the measure is flawed, telling TechCrunch: “In today’s world, you can continue to apply patches after these vulnerabilities are discovered, but that is applying a bandage to a wound that may have already occurred. Further initiative is needed on techniques to prevent such wounds from occurring at a fundamental level.”

The third key area outlined in the bill, detailing how long a device will receive security updates, has also been criticized over fears that it could encourage manufacturers to discount prices and push consumers to buy devices as they reach end of life, leaving those devices without security support soon after purchase.

Some believe that the British government is not acting fast enough. The bill does not cover internet-connected vehicles, smart meters, medical devices, desktops or laptop computers, and it gives IoT manufacturers 12 months to change their working practices. This means that many will continue to mass-produce cheap devices that may not comply with the most basic security standards over the next year.

“Manufacturers are likely to continue to see speed to market as a priority over device security, and we believe this is a key consideration for maintaining profits,” Kim Bromley, senior cyber threat intelligence analyst at Digital Shadows, told TechCrunch.

Bromley also believes that the UK will have a hard time enforcing these regulations against manufacturers based in mainland China (PRC). “Some China-based manufacturers are releasing cheaper products than others on the market, so will users continue to buy products that may contain security flaws or, at least, are not in compliance with English law?” Bromley said. “The new requirements also place a heavy burden on UK resellers who may use products manufactured in China on their own. It can be difficult to meet the requirements and change working practices.”

However, cybersecurity experts do seem to agree that the UK government needs to be flexible in its approach to IoT security and not fall into the common trap of looking only at the past and present instead of the future, even if the solution is still unknown.

“Both attackers and, sadly, malicious manufacturers and vendors, are endlessly creative,” said Amanda Finch, CEO of the Chartered Institute of Information Security (CIISec). “There will inevitably be new means of attack to circumvent the bill’s demands and new vulnerabilities created by lazy manufacturers. Therefore, the bill is not an end in itself, but must be seen as one step in an endless process of review and improvement.”
