IoT security? We've heard of it, says UK.gov waving new regs

The British government has finally woken up to the relatively lax security of IoT devices, and is lurching forward with legislation to make gadgets connected to the web more secure.

The Department of Digital, Culture, Media and Sport said it will require makers of IoT hardware to ship devices with unique passwords that cannot be reset to a factory default setting.

The regulation will also require these companies to "explicitly state" how long they will continue to support devices when customers purchase the product, and appoint someone – one throat to choke – to act as a point of contact so that punters can more easily report issues.

"Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people's privacy and safety," digital Minister Matt Warman – a former Telegraph hack – said in a statement. "It will mean robust security standards are built in from the design stage and not bolted on as an afterthought."

The regulation is a belated step in the right direction, some in the infosec community told us. "The result of the consultation show strong support for regulation of the wild west that is IoT security," said Ken Munro, a security researcher at infosec firm Pen Test Partners. "Next, the government needs to step up and legislate quickly to protect us from those smart device vendors who don't treat our privacy and security with the respect they should do."

But others, such as Jason Nurse, an assistant professor in cybersecurity at the University of Kent, worry how effective the regulations will be in practice. "If manufacturers require consumers to setup new passwords at product installation, these individuals will need to manage these passwords for each connected device," he told us.

"This could significantly increase the number of passwords the average household has to manage – and there are also questions about what happens when such passwords are forgotten or misplaced."

Smart devices have become a booming part of consumer electronics in recent years. But experts have warned that many devices are vulnerable to hackers and eavesdropping. In December, hackers were able to infiltrate the bedroom of an eight-year-old child via a Ring home security camera installed in her bedroom. The Amazon-owned company unveiled new privacy features at CES earlier this month. ®