It’s no surprise that IoT has a rough history with security. This has prompted countries to implement rules and regulations around the sale of IoT devices.
The UK is the next region to draft a series of laws that help protect consumers. What do IoT manufacturers need to do to sell their products in the UK?
What Does the Law Cover?
The law is simple: every IoT gadget needs to follow three rules before it can be sold. These rules are aimed at protecting consumers and helping them make better decisions when buying IoT devices.
1. All IoT Passwords Must Be Unique
One major security flaw in IoT devices is the factory default password. If a gadget has the default username and password set to “admin,” for example, it makes it very easy for hackers to access it. In fact, hackers will take special note of devices with default passwords and look for them specifically.
This new law demands that every IoT device must ship with a unique, randomly generated password. The password is then printed somewhere, likely on the device itself, so the user can log in.
Also, the device should not have the ability to revert to a standard, universal password at all. This prevents hackers from forcing a device to “remember” a default factory-set password instead of its randomized one.
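One way a factory line could meet both requirements, shown as an added example (it is not taken from the law or from any manufacturer's code): each unit gets its own random label password, and a factory reset restores that unit's password rather than a shared one. The `Device`, `provision` and `audit` names, the sample `KNOWN_DEFAULTS` list and the choice to store only salted hashes are assumptions made for illustration.

```python
import hashlib
import secrets

# No look-alike characters (0/O, 1/l/I): the password is read off a printed label.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
KNOWN_DEFAULTS = ("admin", "password", "1234", "root")  # constructed sample list


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """Hypothetical device: stores salted hashes only, never the password."""
    def __init__(self, serial: str, factory_password: str):
        self.serial = serial
        self._salt = secrets.token_bytes(16)
        self._factory_hash = _kdf(factory_password, self._salt)
        self._active_hash = self._factory_hash

    def check(self, password: str) -> bool:
        return secrets.compare_digest(_kdf(password, self._salt), self._active_hash)

    def set_password(self, new_password: str) -> None:
        self._active_hash = _kdf(new_password, self._salt)

    def factory_reset(self) -> None:
        # Reset restores this unit's own label password, not a universal one.
        self._active_hash = self._factory_hash


def provision(serial: str):
    """Factory step: return the device and the password to print on its label."""
    password = "".join(secrets.choice(ALPHABET) for _ in range(16))
    return Device(serial, password), password


def audit(batch):
    """Return {serial: [findings]} for (device, label_password) pairs."""
    labels = [pw for _, pw in batch]
    findings = {}
    for device, pw in batch:
        issues = ["shared password"] if labels.count(pw) > 1 else []
        device.factory_reset()  # test the post-reset state, not just the shipped one
        if any(device.check(d) for d in KNOWN_DEFAULTS):
            issues.append("accepts universal default")
        if issues:
            findings[device.serial] = issues
    return findings
```

Running `audit` over a batch before it ships flags any unit whose label password is shared with another unit or that accepts a well-known default after a reset.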
2. Manufacturers Must Be Easily Contactable
One major headache of securing devices is letting the company know that there’s a flaw in the first place. If a manufacturer is hard to contact, it delays getting a hotfix out to patch the problem. Meanwhile, hackers circulate the issue on forums and cause more damage.
This new law demands that IoT manufacturers must be easy to contact. This allows researchers and users to report problems with the device, which can then be patched and fixed as soon as possible.
3. Manufacturers Must Inform Customers Of The Device’s “Lifespan”
No, we’re not talking about gadgets suddenly dying on people! Companies tend to support a product for only so long, after which they stop developing updates for it. Any flaws found after this cutoff point are left unfixed.
Companies are now required to let consumers know when the cutoff point is. If they don’t, users may keep “expired” devices connected to the Internet, making them ripe for exploitation.
A Universal Agreement
If these laws sound familiar, it’s because the first two were also proposed by Australia in its draft for an IoT Code of Practice. This points to a universal agreement on what IoT devices should have by default, which may soon become a standard across all devices.
Laws of the Land
As IoT security becomes a hot topic in the tech world, countries are figuring out how to properly set laws to protect their consumers. The UK is the latest country to step up, setting some laws that share some traits with their Australian cousins.
Do you think these laws are enough? Or is more work needed? Let us know below.