IoT regulations: fact or fiction?

Network Security Magazine, March 2019:

New gadgets and, increasingly, connected homes, vehicles and even smart cities open up a whole host of possibilities. Connected devices now control entire homes and offices, including door locks, children’s toys, cameras and medical products. All are available and connected through the Internet, making access very convenient for the user but also for the bad guys.

The Internet of Things (IoT) has a poor cyber reputation. Manufacturers often don’t install appropriate data access safeguards on their products and consumers fail to change default passwords or update the pre-installed software on their network.

This is why the UK Government has introduced a new code of practice for manufacturers of smart devices that connect to the IoT. The code is voluntary, but large manufacturers, including HP and Hive Centrica, have already signed up. However, this will not be enough to truly bring cyber security rules to all devices now available.

Non-binding guidelines are helpful, but unlikely to make substantial changes. Most of the IoT manufacturers are located abroad in developing countries and will continue to focus more on costs than on customers’ privacy or security. Most manufacturers do not even adhere to the baseline of security, such as strong passwords. We have even tested devices where the master reset does not remove any previous entries, such as Wi-Fi passwords, allowing the next owner of a device to take the Wi-Fi details from the device and use them to hack into the previous owner’s network.

Imagine the multitude of Wi-Fi kettles being sold on online auction sites, all still holding their former owners’ passwords – very scary!

In California, the state government has made it mandatory for IoT devices to be secure. Under its Security of Connected Devices Bill, weak default passwords are illegal, and all devices must have unique default passwords that automatically force the user to change the password when the user installs them.

Read the full article in Network Security Magazine here on page 20