Is a sticky label the answer to the IoT’s security problems?

If the security of Internet of Things (IoT) devices is one of tech’s big worries, how might this be turned around?

In the UK, the Government just published new details of its surprising and unfashionable answer – a sticky label.

Called ‘Secure by Design’ since first being mooted in 2018, this won’t simply be a nice to have sticker. In time it could become a legal requirement to display it on anything sold with IoT features, such as internet TVs, home security cameras, IoT toys, and home appliances.

Right now, the legal bit remains an aspiration subject to further consultation, but legislation appears to be on the cards at some point, perhaps by next year.

Rather than get mired in complicated security concepts, Secure by Design cleverly zeros in on three fundamental problems that bedevil IoT devices and device security in general.

“IoT device passwords must be unique and not resettable to any universal factory setting.”

The industry has been getting better at avoiding this pitfall in recent years (witness the way broadband routers now ship with unique admin and Wi-Fi passwords) but a lot of mass-market IoT gadgets still ignore this simple principle.

“Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.”

A simple and radical suggestion – if you make something there should be a way for researchers to tell you that something’s broken in it that needs fixing. There’s plenty of anecdotal evidence that some mass-market manufacturers at least, are completely oblivious to this concept.

“Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.”

This is where things become uncomfortable for device makers. The first two above require a change of culture but wouldn’t cost much to implement. This one, however, could be a sticking point.

Big brands such as Google, Apple and Microsoft already offer a clear indication on the life expectancy of their products, but they are the exception rather than the rule. For most product makers, the idea of a defined life expectancy with a legally binding update schedule to maintain is anathema, because it adds ongoing costs that play havoc with their investment model.

Notice that Secure by Design doesn’t, as it stands, tell makers how long this should be, simply that they should be upfront about their intentions.

Good luck to anyone who can figure out a sure-fire way of putting that into practice. The danger is that device makers come up with clever ways to downplay its importance or hide the information in small print.

A waste of time then?

The idea of government imposing national security standards on equipment is still alien to an industry built on easy investment, time-to-market, and barely any regulation beyond that required for electrical safety.

And yet security standards that get their timing right have a habit of becoming de facto, a good example being the way stringent cybersecurity regulations in tiny Singapore have influenced compliance standards far beyond its borders.

Once a higher standard has been set, larger manufacturers with economies of scale often buckle down and treat it is a useful guide. The fact that the UK Government says it has taken input on Secure by Design from Amazon, Philips, Panasonic, Samsung, Miele, Yale and Legrand is encouraging.

Let’s see whether Secure by Design’s code of practice gets watered down or ends up being optional. But cynics shouldn’t assume it will.

Some will argue that had governments laid out stringent security regulations in advance of IoT being invented, investors would have shied away from investing.

Then again, had that happened there would also be no IoT security problem to worry about. To borrow an old adage: if you think security is expensive try living in a world that doesn’t have any.