New figures published by the UK government show that almost half (49%) of UK residents have purchased at least one new smart device since the beginning of COVID-19. As a result, manufacturers of smart devices such as phones, speakers, and doorbells will need to tell customers how long their devices are guaranteed to receive crucial security updates. Everyday devices such as these (or smart watches, TVs, cameras, etc.) have many benefits, yet they are extremely prone to being targeted by threat actors. This groundbreaking plan is therefore aimed at protecting individuals and companies from cyber attacks.
It’s important to remember that your network is only as strong as your most vulnerable device. According to Andy Norton, European cyber risk officer at Armis, this new legislation “will raise the bar against the potential for attack, from a wide variety of threat actors, especially as we know advanced threat actors have invested in attack tools such as Fronton, that target IoT devices.” He also believes that “Smartphones are additionally a challenge, not just because of supportability during the lifecycle, but because they are used by people like Dave. Dave doesn’t install updates anyway because they ruin his battery life. Dave also randomly installs apps on his phone from any store or market. Dave’s PIN number is 2580, which is also his burglar alarm code. Expanding legislation to support secure by design principles is a great addition to the security jigsaw, but it is only a piece of the overall picture.”
Only 4 years ago, attackers managed to steal data from a North American casino using an internet-connected fish tank. More worryingly, other groups have succeeded in taking advantage of poor security features to access people’s webcams.
In an attempt to counter this persistent threat of cyberattacks, the UK government plans to make virtually all smart device manufacturers meet certain requirements:
- Customers must be informed of the duration of time for which a smart device will receive security software updates
- Universal default passwords that are easily guessable, such as ‘password’ or ‘admin’, will be banned
- Manufacturers must provide a public point of contact to make it simpler for users to report vulnerabilities
There remains an urgent need for education and awareness on access control and secure configurations for IoT devices, including cameras. IoT device manufacturers should deploy IoT devices with the highest security and privacy configuration possible so that it would be the end-users who are then making a conscious decision themselves to alter and change device settings. User-guide manuals should also outline associated threats and vulnerabilities for making these changes.”