"Code of conduct"
Doesn't that read like 'thou shalt not break current or future privacy laws'?
Another document, another pointless waste of paper ...
The makers of connected devices will be expected to build in security measures to prevent cyber threats, under a draft "code of conduct" issued by the UK government today. The Security by Design review intends to bake security into devices to protect "individuals' online security, privacy, safety" as well as preventing large- …
The govt only really worry about being able to hack into your secure communications when they might be interesting - email and messaging, location, financial transactions. GCHQ won't worry too much if they can't decipher an instruction that tells your hall light to switch on or off. Until that is, some nasty trrrst network decide to communicate secretly by sending morse code via bedside lights... Upgraded light bulbs could have a small LED display that decodes the morse. (Can I patent that idea as the next WhatsApp?)
otherwise they will simply refer customers to the manufacturer; which is probably somewhere in China that ignores complaints. This will ensure that resellers will sell stuff that causes them least problems, ie kit that is well designed, tested and is well supported, etc. If a manufacturer cannot provide assurance, etc, they won't get sales - simples.
Also product (support) lifetimes should be reasonable. This does not mean 'until the next model is released', but the real lifetime that one expects. So: for a fridge - maybe 20 years, light switch - 50 years.
No, that implies that THAT device has a unique password.
So if you push the "oh poo make everything default button", it should revert its firmware to that unique password stored somewhere as a backup.
Perhaps we could then retain access to that backup with something high tech, like having it printed on the case somewhere out of sight requiring physical access and interaction to view should we lose it?
Also strikes me that install of the backup recovery firmware defaulting to a generic could be acceptable as long as that's not the out of the box firmware applied.
The bit I do not agree with is that all devices should update automatically as a mandatory thing. No, I don't want to give manufacturers carte blanche to push new unwanted features at me and delete functionality they decide was a bit too generous in future. I'm ok if it's a feature I can disable deliberately knowing this however.
> Agree it's a problem, but forcing a new password doesn't help.
>
> 1) Hacker forces reset
>
> 2) Hacker chooses new password
>
> 3) Hacker launches DDoS
>
> 4) Owner stuffed.
If the hacker can enforce a reset of my WLAN router I have another problem as the person is now in my apartment. Same goes for other devices that have some hardware reset switch....
But I wish it was.
The guidelines are a good starting point. They stick to approaches and principles rather than being too specific (must use encryption type ABC-123 etc).
Having some form of kitemark to show the device conforms to the standards would help, with a ban on sale in the EU without one.
But: what happens when a manufacturer is, in all good faith, flogging a conformant product, and a hole in the encryption is found and exploited? Do they have to pull any unsold items? Stop production until hole is fixed? Issue a product recall?
Problem 2: the no pw reset thingy. Many of these devices will be plug in and forget. What happens 3 years down the line when a fix needs to be installed, and the piece of paper with the admin password on has long been recycled? No way to reset password? Bin the device or just live with an unplugged hole?
Surely some of the politicians have phones and IoTat devices? Then surely they must be aware of the rubbish security, lack of updates and short term life or if they don't they will eventually become aware, you know when their home internet bandwidth gets used by a bot net or some other issue. Therefore at some point I would assume they will legislate. Anyway, you can always hope.
The headline reinforces what I said yesterday (and got well downvoted for my pains) when talking about IoT and all the shit that it can bring on you and your loved ones.
There is at least one other person with the same level of contempt for IoT security etc that I have.
Keep up the good work El Reg. Perhaps one day, the great unwashed (the general public) might get a hint that this IoT stuff is not all it is cracked up to be.
Don't forget that BB will be watching you. No hanky panky on the sofa! Yes you there! I mean you!
"The code states that all passwords on new devices and products are unique and cannot be reset to a factory default"
Not the best solution I'd have thought. A better one is that the out of box state is non-functional and requires a password to be set to become functional. A reset reverts it to out of box state.
I take Pen-y-gors' point about a remote reset by a hacker. The solution there would be that setting the password requires physical access to the device, say press a button on the device and you have a minute to set a password.
Someone places the device where they can't reach it and it gets remotely reset? Their problem, which is considerably better than being everybody else's.
It also says software should be automatically updated
I don't think so, I've no desire to have the W10 experience replicated elsewhere, perhaps something like this statement would be better.......
Software should be automatically updated or the user should have the option to turn off automatic updates and apply them manually for a duration of no less than 7 years from the point of market introduction.
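The provisioning model proposed in the post above (non-functional out of the box, password only settable after a physical button press, reset returns to out-of-box state) and the remote-reset attack sequence quoted earlier in the thread, modelled as an added example that is not from any commenter or from the government code itself; the class and method names are my own, and the pbkdf2 storage is an assumed implementation detail:

```python
# Added example (not from the thread): a device credential state machine where
# a password can only be set during a window opened by a physical button press,
# and a factory reset leaves the device with no credential at all rather than
# a generic default. ProvisioningDevice and its methods are hypothetical names.
import hashlib
import hmac
import os
import time

WINDOW_SECONDS = 60        # "press a button and you have a minute" (from the post)
KDF_ITERATIONS = 100_000   # assumption: pbkdf2-sha256 for on-device storage


class ProvisioningDevice:
    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable for testing
        self._salt = None
        self._digest = None
        self._window_open_until = None

    @property
    def functional(self):
        """Device does nothing until a credential has been set."""
        return self._digest is not None

    def press_button(self):
        """Requires physical access: opens the set-password window."""
        self._window_open_until = self._clock() + WINDOW_SECONDS

    def set_password(self, password):
        """Honoured only while the button window is open; remote calls fail."""
        if self._window_open_until is None or self._clock() > self._window_open_until:
            return False
        self._salt = os.urandom(16)
        self._digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, KDF_ITERATIONS)
        self._window_open_until = None   # one password set per button press
        return True

    def authenticate(self, password):
        if not self.functional:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, KDF_ITERATIONS)
        return hmac.compare_digest(candidate, self._digest)

    def factory_reset(self):
        """Back to out-of-box: no credential, not functional, no default login."""
        self._salt = self._digest = self._window_open_until = None
```

With this model the quoted "hacker forces reset, hacker chooses new password" sequence fails at step 2 unless the attacker also has the button in hand, and a reset device is inert rather than running with a known default.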
"However, how it plans to police the code [insert latest fad here] remains unclear"
To be honest, this is just another exercise at sounding good and will not actually come to anything. Do they actually have a department within a department that comes up with this nonsense, at taxpayers' expense?
As for "financial penalties", it'll depend which country the vendor is from, so based on the ongoing culture of appeasement to any State with more money/clout than us we won't be collecting a single penny.
/rant
... with a completely toothless, voluntary, and penaltyless "code of conduct".
When will Government understand that Business routinely ignores shit like this unless it suits *them* not to?
Voluntary Code of Conduct = we must be seen to be doing something, when we're in fact just waffling into the headwind.
Press code of conduct anyone? Phone hacking? How many more examples of voluntary codes of conduct failing *epically* do we need before the boneheads in government realise that only enforceable laws will give impetus to real change, because the fines *cost more than the work of compliance*.
Money is the only thing that sharply motivates business to change.
What's a connected device?
On the face of it my laptop is a connected device. Am I to be supplied with a unique password by the manufacturer which I can't then change?
What about something like a Kodi box? I can build one of those with a Raspberry Pi and as everybody but possibly Matt Hancock knows those can be given entirely new OSs simply by swapping the SD card. Is someone taking the Pis?
You can't protect against stupidity. Evolution at its finest.
Create ever more 'idiot proof' stuff, nature just creates better idiots
Take this for example, recently in the news, reflection attacks using Memcached
It clearly states here:
https://github.com/memcached/memcached/wiki/ConfiguringServer#networking
By default memcached listens on TCP and UDP ports, both 11211. -l allows you to bind to specific interfaces or IP addresses. Memcached does not spend much, if any, effort in ensuring its defensibility from random internet connections. So you must not expose memcached directly to the internet, or otherwise any untrusted users. Using SASL authentication here helps, but should not be totally trusted.
Need I say more?