UK Publishes Proposed Regulation for IoT Device Security

The United Kingdom's Department for Digital, Culture, Media and Sport is consulting on regulatory proposals regarding consumer Internet of Things ("IoT") security. The regulatory proposals envisage the introduction of a new IoT security label.

The United Kingdom's Department for Digital, Culture, Media and Sport is consulting on regulatory proposals regarding consumer Internet of Things ("IoT") security.

Consumer IoT products (also known as ‘smart’ or ‘internet connected’ products) are products that are connected to the internet and/or home network and associated services. Such products include connected children’s toys and baby monitors, connected smoke detectors, connected door locks, smart cameras, smart TVs, wearable health trackers, smart home assistants, connected appliances (such as washing machines, ovens and fridges) as well as connected home automation and alarm systems. The proposals seek to better protect consumers’ privacy and online security which can be put at risk by day to day devices. Often, vulnerable devices become the weakest point in an individual’s network and can undermine a user’s privacy and personal safety.

The regulatory proposals envisage the introduction of a new IoT security label that will evidence connected devices conforming with the top three security requirements set out in the voluntary Code of Practice for Consumer Internet of Things Security ("Code of Practice") published by the United Kingdom in October 2018. According to the proposal, the security label would initially be run on a voluntary basis until further regulation comes into force and the government makes a decision on which measures are required to take forward following the industry's feedback. Following this initial stage, the government is considering mandating retailers to only sell consumer IoT products with the IoT security label.

The top three security requirements set out in the Code of Practice are that:

1. All IoT device passwords shall be unique and shall not be resettable to any universal factory default value;
2. The manufacturer shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues; and
3. Manufacturers will explicitly state the minimum length of time for which the product will receive security updates.

What is clear from the UK government's consultation is that the government will introduce regulations on the sale of consumer IoT devices, and that while the requirements may initially be light, additional rules are likely to follow.