New Regulations in the UK and California Raise Stakes of IoT Security

IoT security has been a trending topic among design engineers and consumers alike for years now. On AAC, we've even discussed some IoT platforms show smart home security isn’t just a software problem.

But recently, government officials have stepped into the conversation by proposing and ratifying laws that will push greater IoT security at the software and hardware level.

What governments are making changes and how will they affect designers?
 

The UK's Three Security Proposals

Several years ago, the UK government warned that they would eventually step in and regulate IoT security. While the Parliament hasn't passed any laws yet, the UK government intends to bring in a new set of IoT regulations for consumer IoT devices to meet a minimum criterion of security, enabling greater safety in these ubiquitous devices.

Here are the three proposals on the table: 

1) IoT devices must have unique passwords and cannot be reset to a factory default setting.

Many devices will have a factory setting that sets the username and password to a default setting. An alarming number of devices use “admin” and “password” as their default setting.

 

Joe Provost, a threat simulation and modeling expert at IBM, demonstrates the issue of default usernames and passwords. Screenshot (modified) used courtesy of IBM

 

What makes this problem worse is that many users do not change these default usernames and passwords, which is why attackers will often try and succeed to access these devices. 

2) IoT builders must provide a point of contact for customers to quickly report security flaws.

This will allow a business to quickly respond to potential threats and provide updates to the company's IoT devices. In effect, this feature allows users to get in contact with a professional who can then protect users from potential attacks.

3) IoT developers need to clearly state how long their IoT products will be supported and how long updates will be provided.

This proposal will ensure that customers are aware of how many years of security they can expect from the IoT device in question and will, therefore, give them an idea of when they need to replace them. Attackers commonly attack older unsupported hardware, which has bugs and flaws since the dropped product no longer offers support (such as Windows 7).

 

California's Two Security Laws

California is another example of a governing body doubling down on regulation, except these regulations are laws, not proposals. 

According to Deborah A. George from the National Law Review, the California IoT law:

• Requires a manufacturer to identify the sensitivity of their device
• Defines what is considered to be a minimum reasonable level of security.

 

IoT camera. Screenshot used courtesy of IBM

 

To determine the sensitivity of a device, a manufacturer must first understand the nature and function of their device and then determine the type of data that is collected by that device. The designer must then consider protection methods for information gathered from unauthorized access, destruction, or disclosure.

The National Law Review also explains that the California IoT law defines a reasonable safety security feature by two criteria:

1) The preprogrammed password is unique to each device manufactured; or

2) The device requires users to generate a new mode of authentication before it grants access for the first time.

This feature prevents default usernames and passwords which, as explained previously, are a popular attack method for cybercriminals when accessing hardware.

 

How Will IoT Regulation Impact Designs?

Typically, security features are implemented on the software side unless a designer is trying to protect intellectual property. However, the regulations proposed in the UK and passed in California will now account for hardware security for several reasons.

The most obvious reasons is that software security can only go so far. According to Caleb Barlow, CEO of cybersecurity consulting firm CynergisTek, "Software security degrades over time."  

And, typically, a processor has no fundamental idea of what code it is executing.

Another reason is that devices built using secure hardware make it easier to develop secure applications. Security at the silicon level can provide a trusted platform—that is, one where malicious code cannot be injected.

A final reason is that secure hardware will most likely make it easier to conform to security laws. Many designers will likely opt for secure hardware as a design default. As a result, semiconductor producers will most likely phase out unsecured devices (those that do not have security circuitry).

 

Arm Corstone is said to allow designers to build a secure IoT SoC. Image used courtesy of Arm

 

There is already a range of SoCs coming to the market that incorporates security features, such as Arm TrustZone, which is quickly becoming a default in Arm-based processors. 

While it's clear that hardware security is an increasingly important part of IoT devices, especially in terms of cyber attacks that target electronic devices, it seems that engineers must continually discuss how to implement this security within circuit board designs.

 

---

 

What are your thoughts on IoT security legislation? Share your response in the comments below.