UK Government wants to stamp out insecure smart home kit with labelling scheme

As convenient as the smart home explosion has made our lives, there’s also been an increase in the security risk with many products shipping with insecure settings. The UK Government has had enough and has put forward a new proposal to get companies to label their products to show that a basic level of security has been met.

The move comes following the increase in the number of connected devices that have been hacked. That’s both on an individual level and through wider, targetted malware specifically infecting smart devices, such as the recent variant of Bashlite that targetted Belkin WeMo devices.

The problem is typically two-fold. First, many devices ship with no password or a standard manufacturer one, making it easy for hackers to gain remote control. Secondly, many products don’t receive security updates or only do so for a limited time, making them less secure as time goes on and new flaws are discovered.

Currently under consultation, the government’s plan, launched by Digital Minister Margo James, is to introduce an initial voluntary labelling scheme, which will set out the basics under the ‘Secure by Design’ code of practice:

• IoT device passwords must be unique and not resettable to any universal factory setting
• Manufacturers of IoT products must provide a public point of contact
• Manufacturers have to explicitly state the minimum length of time that security updates will be available through an end of life policy

The labelling scheme will apply to all connected devices, from smart TVs and smart devices to toys and appliances, and already has the support of Amazon, Philips, Panasonic, Samsung, Miele, Yale and Legrand.

Related: Google Home vs Amazon Echo

As part of the consultation, the government is looking at further options including introducing a mandatory labelling scheme that would also see retailers unable to sell any product without the IoT security label.

The news has generally been well received from security companies, many of which have long been warning of the dangers of poorly-secured internet-connected devices.

“We welcome the proposal to require companies marketing smart devices to comply with minimum security standards,” said David Emm, principal security researcher at Kaspersky Lab UK. “Smart versions of products that have never traditionally been connected, such as baby monitors and televisions, have been available to buy for some years now, while remaining vulnerable to cyber-attacks due to the failure of many companies to build in security at the design stage when developing smart devices.”

Related: Which Philips Hue bulbs should I buy?

There are some warnings that the legislation doesn’t go far enough, with claims that products often ship using software components with known vulnerabilities. According to Ilkka Turunen, global director of solutions architecture at Sonatype, the entire software supply chain needs to be certified as secure.

“The tools are available to enable manufacturers to build security into their applications right from the start, meaning failure to do so should amount to gross negligence,” said Turunen. “No other manufacturing industry is permitted to ship known vulnerable or defective parts in their products, so why should the software components in connected devices be any different? Instead, manufacturers should be able to certify that their software, and their devices, are secure at the time of shipping, and should ensure their security updates last for the mandated time.”

From our point of view, this has been a long time coming and companies need to take security far more seriously, ensuring that all products are secure out-of-the-box, while providing updates to maintain security throughout a product’s life.