The number of IoT products for consumers is growing rapidly. You can use them to adjust your heating or lighting, control access to your home, monitor your baby and keep an eye on your dog when you’re out.
At the moment, buying an IoT product is a bit like getting a tattoo: you want to get one because they’re cool and all your friends have them, but what quality standards are there for the ink used and the artistic level of the artist? In the same way, there are no standards for IoT security – and whatever the superficial attractions of IoT devices, this means there is nothing to reassure you that you won’t get more than you bargained for.
That’s not to say every device out there is a risk, but consumers need to know what they are welcoming into their homes, and understand that any insecure embedded device they connect to the internet is a potential target for attacks. These could range from spying on them and their family, as highlighted in a recent Panorama program, to inserting malware or stealing their data, or even using their equipment to power a DDoS attack.
There have also been accidents caused by inadequate backend software. At the moment, manufacturers don’t need to provide any guarantee of the safety of their equipment beyond electrical compliance.
The good news is that steps are being taken to regulate this market. In March 2018 the UK government announced a draft code of practice for IoT products in its Secure by Design report, although this remains a work in progress. In June the EU announced that it was creating a cybersecurity certification framework designed to help ensure compliance with specified cybersecurity requirements. However, there is no date for when this will be implemented, and there are caveats.
Certification will be optional unless specified as a legal requirement under an EU law or Member State law, so it may not even apply to products developed or sold in the UK, and for the basic level of certification, manufacturers or service providers will be able to carry out the conformity assessment themselves.
In my view, responsibility needs to fall firmly on manufacturers of IoT products. They need to ensure the safety of the equipment they sell, just as car manufacturers should ensure that their cars are safe. After all, manufacturers are the people who benefit from the IoT, for example when a car tells them (as well as you) that it needs a service.