The impact of IoT security for consumer devices
By Sarb Sembhi
On 27th January 2020 the Government laid a Bill before Parliament on Consumer IoT Security, which is to become law later this year. Given the impact of the COVID-19 virus, we are not sure of the exact timing yet. Why is this important, and what impact will it really have on the security of products? To answer this, I’ll go back in time to describe how incredibly bad things have been.
My bad security experiences of commercial IoT
My introduction to physical security technology was around 2004-2005, when I looked into the vulnerabilities of the then-new networked CCTV systems. I was surprised not only at the vast number of vulnerabilities, but at how, when questioned, manufacturers responded by telling me that they left security to the network level. I persisted in speaking to vendors, asking them the same question: “What security do you implement in your devices and systems?” The response was always the same, until one manufacturer responded with: “We have three levels of security.” Hold on, let’s rewind. Three levels of security?
“What are they” I asked.
“Well, we have Super-Admin level, Admin level and ordinary user level.”
“That’s interesting. So whether I were an attacker with no hacking tools trying to guess a password, and it took me two or more years, or one with automated tools where it took me a few minutes, you would still be none the wiser?”
“I didn’t think of that,” was his response.
But that was it. It wasn’t just him; it was every manufacturer I came across. They just hadn’t thought about it.
Are manufacturers better now?
I’d like to say that it is different now, but that would be unfair to the ones that actually care. The ones who really care about security in their products, to protect their customers’ security, are still few and far between, but the number is growing. One of the first bits of good news that helped change this was the introduction of GDPR. It caused a lot of talk, even though there was, and still is, a lot of misunderstanding about it. It did, however, raise awareness that you have to take data and security more seriously than simply ignoring them. The next big bit of good news was the EU and UK working on a Code of Practice for Consumer IoT products, which is due to become law in both the UK and the EU. The legislation takes the top three items in the Code of Practice and makes them mandatory for consumer products. The three items are: no default passwords, vulnerability disclosure, and security updates.
I’ll pick up on two of the many key talking points about this upcoming legislation.
Key talking point 1: “UK manufacturers will be hurt!”
“If it’s left to consumers, they’ll just opt to buy cheaper Chinese products.” When I first heard this, several thoughts came to mind. Firstly, there is the assumption that building in these three low-level controls is going to raise the price of products to a point where they are priced out of consumers’ minds. Related to this is the assumption that, at the moment, Chinese and non-Chinese products all cost the same. Even if prices differ now, how much more will three low-level controls cost to implement that it becomes an immediate and foremost concern? Yes, I understand that any functionality is price sensitive to a manufacturer, and that they only put in functionality that has to be included in order to keep costs down, but to think that per item this functionality would raise the price enough to price a product out of the market forever seems over the top. I believe the reality can be compared to the fact that the bigger stores did not go out of business when the ‘pound shops’ started sprouting up everywhere. In our local town there used to be four of those pound shops; now there is only one. Some of the big supermarkets responded by having their own sections of low-cost items; others responded in different ways. For me the important questions are: How much extra would it cost per unit to add these three low-level controls? How much of a price difference will that create between current products and the much cheaper ones from countries where these controls don’t have to be implemented? Finally, how quickly and cheaply can the foreign suppliers start to add these three security controls?
Don’t buy into the fearmongering
My belief is that this fear that consumers will opt for cheaper, ‘insecure’ products in large numbers is a bit of a red herring, especially if the public is educated that when they purchase consumer IoT products they should make sure these three features are included for their own security, which I believe the UK and EU intend to do. However, let’s say I’m wrong and consumers in large numbers do move to insecure, cheaper imports. My next question would be: “How long will this go on for?” I would suggest not very long, because foreign manufacturers will pick up on the Government’s education about these controls and add them to their products too, since the one thing that many cheap manufacturers are very good at is copying functionality that seems to be of value to consumers. So it won’t be long before those suppliers start to include these seemingly ‘expensive’ security controls in their products.
Interestingly, I was speaking to an American based in China at the IoT Security Foundation Annual Conference last year, and he said that the Chinese security standards for IoT have been ahead of the rest of the world for years. This doesn’t necessarily mean that this security always filters down into the products themselves, but many Chinese manufacturers are well aware of security issues, as well as how to address them, and will probably be able to implement the controls trivially when the time comes.
Cheaper products will never go away – it’s a customer choice
The other thing to remember is that there have always been, and always will be, cheaper products. That will never change; it is not where UK and European manufacturers try to compete, nor should it be. UK and European manufacturers have always competed on quality engineering and safety, and that is where the focus should be. Cyber security researchers will continue to point out the security issues in popular products. Just look at the concerns surrounding Zoom in recent weeks: the online conferencing market has a limited number of options, and the pressure is not only pushing Zoom to change its security and privacy, but is also prompting the others to question their own.
So for manufacturers in the UK and Europe, the worst thing that could happen is that their revenue takes a slight dip for a short period, and then only if they do nothing to educate the market about how they want to protect their customers and how the new features they are putting in achieve that.
Key talking point 2: “Only consumer products?”
When I have highlighted this upcoming legislation to others, some have raised the concern that it only applies to consumer IoT products, so it won’t really change anything.
True enough, but there are reasons for this approach.
Firstly, consumers don’t have any security knowledge, or any technical knowledge, with which to decide what they should buy beyond the functionality they have been told is important. Most commercial buyers at least have resources to help them select secure products to protect their investment, should they wish to use them. Secondly, and logically, once this becomes law, how many commercial buyers are going to accept buying less secure commercial products, which they pay more for, when consumers are getting more secure ones? I really would like to see which organisations are going to opt not to get the same level of security in their products as those aimed at consumers. Thirdly, moving on to manufacturers, how many UK and European manufacturers are seriously going to include the three security controls only in consumer products and not in commercial ones? That would just be commercial suicide. If the work has been done to implement the controls in consumer products, it isn’t going to cost much more to ensure they can be engineered into commercial ones. If competitors are not doing it, it becomes a competitive feature.
The start of IoT security
I am very pleased about the IoT Code of Practice and the upcoming legislation, and believe it will make a big difference; it’s been a long time coming. But it is only the start, not the end. There are several UK organisations preparing to help manufacturers work on achieving these controls, such as the IoT Security Foundation, of which I am Co Vice-chair alongside my colleague, James Willison.