News Hub

Security labels for IoT devices proposed

Written by Wed 1 May 2019

Under Government proposals, IoT devices could be required to carry a label proving they are secure

Small connected devices could be made to carry labels telling people how secure they are from cyber attacks, under plans announced by the Government.

The labels would be initially introduced on a voluntary basis to help consumers identify which products are secure, before eventually becoming mandatory.

Under the plans, announced by digital minister Margot James, retailers would only be able to sell products that carried the label.

The scheme will form part of a wider Government consultation into improving general cyber security in the UK, launched on Wednesday, with three key requirements in a code of practice for device manufacturers.

The requirements include ensuring passwords on IoT devices are not resettable to a universal factory setting, and ensuring they provide a public point of contact as part of a policy for disclosing any discovered vulnerabilities.

It also calls for device makers to explicitly state the minimum length of time a device will receive security updates.

‘Global leader in online safety’

Ms James said the consultation is the Government’s latest step in its plans to make the UK one of the safest places in the world to be online.

“Many consumer products that are connected to the internet are often found to be insecure, putting consumers’ privacy and security at risk. Our code of practice was the first step towards making sure that products have safety features built in from the design stage and not bolted on as an afterthought,” she said.

“These new proposals will help to improve the safety of internet-connected devices and is another milestone in our bid to be a global leader in online safety.”

Smart home devices, most notably smart speakers, have become increasingly popular in the UK. Research last year found that one in 10 people in the UK owned at least one such device.

Earlier this month, the Government published a white paper on online harms, which proposed a “statutory duty of care” for social media and internet companies, requiring them to take more action to protect users from harmful content, overseen by an independent regulator.

Dr Ian Levy, technical director at the National Cyber Security Centre (NCSC), said the latest step to target connected devices is crucial to reduce failings in the industry.

“Serious security problems in consumer IoT devices, such as preset unchangeable passwords, continue to be discovered and it’s unacceptable that these are not being fixed by manufacturers,” he said.

“This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes.”

The Government said it was working with international partners to ensure the guidelines created a consistent approach to the security of connected devices.

Alternative options to the label, including mandating retailers not to sell products which do not meet the top three requirements of the code of practice, will also be a part of the consultation.

Written by Wed 1 May 2019


cyber security internet of things
Send us a correction Send us a news tip