The Department for Digital, Culture, Media & Sport of the UK Government has published a policy paper on the development and sale of Internet of Things (IoT) devices from a security perspective, dubbed “Secure by Design.”
“We want everyone to benefit from the huge potential of internet-connected devices and it is important they are safe and have a positive impact on people’s lives,” says Minister for Digital and the Creative Industries Margot James of the report. “We have worked alongside industry to develop a tough new set of rules so strong security measures are built into everyday technology from the moment it is developed. This will help ensure that we have the right rules and frameworks in place to protect individuals and that the UK continues to be a world-leading, innovation-friendly digital economy.”
The paper’s recommendations include, but are not limited to, the requirements that: all passwords on new devices and products are unique and not resettable to a factory default, such as “admin”; companies have a vulnerability policy and public point of contact so security researchers and others can report issues immediately and they are quickly acted upon; sensitive data which is transmitted over applications or products is encrypted; software is automatically updated and there is clear guidance on updates to customers; it is easy for consumers to delete personal data on devices and products; and that installation and maintenance of devices is easy. A product labelling scheme is also proposed, which would highlight the security features of a given device or service at the point of sale.
The full 37-page report is available on the government’s official website.
Gareth Halfacree is a technology journalist and technical author best known for his work on the Raspberry Pi User Guide and an upcoming book covering the BBC’s micro:bit project. A keen open source advocate and RISC-V fan, Gareth is responsible for curating our fortnightly community round-up posts.