IoT security? We've heard of it, says UK.gov waving new regs

The British government has finally woken up to the relatively lax security of IoT devices, and is lurching forward with legislation to make gadgets connected to the web more secure. The Department of Digital, Culture, Media and Sport said it will require makers of IoT hardware to ship devices with unique passwords that cannot …

  1. Pascal Monett Silver badge

    "It will mean robust security standards"

    Do those robust standards include proper, non-backdoored encryption ?

    It's going to be interesting to see if the political discussion continues along the usual think-of-the-children types, or if it goes to what security, and the user, actually need.

    1. Claptrap314 Silver badge

      Re: "It will mean robust security standards"

      How about, "Think of the children's privacy?"

      I do think this one is usable. We've already got enough horror stories out there that a competent politician can ride this issue.

    2. 0laf
      Big Brother

      Re: "It will mean robust security standards"

      You mean 'Good Guy' security. It's not a backdoor, it's a superhero entrance for the 'Good guys' to come in and check your data to make sure you are safe and compliant with the rules set out by your budding totalitarian state

  2. Antonius_Prime
    Devil

    "IoT security? We've heard of it, says UK.gov"

    Doing better than the IoshiT vendors at least!

  3. Headley_Grange Silver badge

    VAT

    They can't even collect the VAT that's due on stuff bought online, so how are they going to enforce this?

    1. Rich 11 Silver badge

      Re: VAT

      Well obviously the Eton prefects are able to get the first-years to fag for them. Isn't that enough?

  4. steelpillow Silver badge
    Trollface

    "how long they will continue to support devices when customers purchase the product"

    "We guarantee to support your product for its full lifetime. This guarantee is subject to our standard terms and conditions.

    ...

    "Terms and conditions of supply

    ...

    "27 (b) iii: We reserve the right to terminate without notice any product deemed to be unsafe, unsupportable or in breach of current standards, and any support associated with the product. This may reduce the lifetime of the product."

  5. Doctor Syntax Silver badge

    The UK market is so huge in world terms that this is going to have a huge effect on IoT design. Or maybe not.

    1. Fonant
      Facepalm

      New legislation

      Indeed, EU-wide legislation might be more useful, and practical, and enforceable.

      Oh, wait...

      1. Muscleguy Silver badge

        Re: New legislation

        Dinnae fash yersel. After we make ourselves Independent* we can spend our evenings seeing how you Sassanachs are getting on by logging into your IOT devices while ours from within the strong EU regulatory framework will be impervious (once in my case I find an instance of IOT both useful and necessary, haven’t seen one yet).

        *We may have to replace the SNP though, Sturgeon seems far too welded to the ‘gold plated standard’ of Section 30 order. Forgetting that once we are independent the method of getting there will be unimportant.

        Personally I think ScotGov should make credible moves towards preparing for a UDI. We should NEVER rule out that we might go there if pushed hard enough and it should concentrate minds in Westminster/Whitehall.

        We already control the Polis, making them a unitary force was necessary to forestall area commanders going rogue. We just need to square the, few, remaining troops. A mutiny defenestrating any non Scottish officers should do the trick. Then we have police and army so we’re independent and recognised.

        Not that No10 will try and use the army against us. Those Scottish squaddies cannae be trusted laddie, Welsh and Irish ditto. So Gurkhas and English it will have to be looking like an invasion force.

        The UK doesn’t have paramilitary police like the Guardia Civil or Gendarmes to call on. Non Scottish police need express permission to operate in Scotland under Scots law so sending coppers won’t work. If you send troops those quartered in Edinburgh Castle barracks might sally out to repel them and we wouldn’t want that, would we?

        1. Michael
          Angel

          Re: New legislation

          Ah, if only the muppets in the SNP weren't so set to get rid of Trident they'd even have a nuclear capability. Of course, as they can't manage a country as small as Scotland, the orders will undoubtedly be confused to state "invade Edinburgh and replace with the English officers".

        2. Puuru

          Re: New legislation

          Oh dear oh dear oh deary me, our friends north of the Border are forgetting a few salient facts.

          First off, whose king was it smacked England and Scotland together? Oh, that's right, Scotland's King James VI. Second, whose parliament was it that about 100 years later voted to cease to exist, vacate Edinburgh and take its MPs off to Westminster instead? Oh, that's right, Scotland's. So Scottish Independence really is a misnomer - how about English independence?

          Then, let's suppose Scotland does secede from the UK and apply to (re-)join the EU. There's just one fly in that particular ointment: Catalonia. Now, the whole Commonwealth, and probably the Yanks too, knows that Scotland is a country, not a province. What's the betting Spain doesn't understand that? They'll view a newly "independent" Scotland applying to join the EU as a renegade province, and they'll veto the application for fear of the Catalans getting over-excited.

          One last thing: once upon a time there were two kingdoms in a foggy island, neither of which amounted to much on the world stage. Then the king of the smaller one inherited the larger one and smacked the two together. By a couple of hundred or so years later their united front was more or less ruling the world, or at least making huge waves. The whole really is greater than the sum of the parts. Methinks splitting up would be quite the act of folly.

  6. Anonymous Coward
    Anonymous Coward

    One big mistake

    " that cannot be reset to a factory default setting"

    This will render most if not all used equipment scrap. Not to mention people forget a password and can't hold the reset button. Lots of equipment will see a very early grave. I've had to reset my router more than once over the years. No luck with that :/ in the future.

    Future is looking more Mad Max than Star Trek.

    1. Rich 11 Silver badge

      Re: One big mistake

      Future is looking more Mad Max than Star Trek.

      I, for one, fully expect to replace my right hand with Charlize Theron.

    2. Brian Miller

      Re: One big mistake

      "Future is looking more Mad Max than Star Trek."

      "I AM THE HUMONGOUS!!!" -- big fat guy with megaphone

      It's not easy in a company that gives a **** about security to keep things on track, let alone a company that just wants to get a brick of **** out the door. Laws only provide a penalty phase, not actual prevention of someone doing something wrong. Putting product security into the realm of product liability for damages would be an incentive to improve.

      That said, when I went to BlackHat I saw a live demo of them walking through a firewall due to one IPv6 port exposed, zipping onto a HSM and grabbing all of the secrets due to bugs in the PKCS11 implementation, and many other acts of tripping the light fantastic with a wire hooked to a Claymore. It is not easy doing security, and product testing can't be conducted by someone who doesn't care about digging into the product.

      1. Doctor Syntax Silver badge

        Re: One big mistake

        "Laws only provide a penalty phase, not actual prevention of someone doing something wrong. Putting product security into the realm of product liability for damages would be an incentive to improve."

        Liability for damages would still be law, just civil rather than legal.

        The legislation is only the means which enables the penalty which is the deterrent (or incentive to improve if you prefer).

        I'm not sure that targeting a distant manufacturer is the best way to go about it. Make it an offence to offer the stuff for sale, that's more likely to make at least some vendors amenable. OTOH the only effect would be to make stuff available in the UK only through Trotters Independent Trading. There's no chance of manufacturers producing a new, improved line for the UK market. This is the sort of thing that could be done effectively via the EU where the market size would be more worth-while. How good of the MoF to underline why leaving is a mistake before we've even done it.

    3. veti Silver badge

      Re: One big mistake

      To handle that - let us reset the password once we have plugged something in to a USB port on the IoThing itself. If we have local, physical access, assume we're authorised (to wipe all data on it).

      Would be more meaningful, I think, to restrict the data that vendors are allowed to collect, and what they're allowed to use it for.

  7. Doctor Syntax Silver badge

    "This could significantly increase the number of passwords the average household has to manage – and there are also questions about what happens when such passwords are forgotten or misplaced."

    He says that like it's a bad thing. Hasn't he heard that re-use of passwords is a big problem?

    There's a bit of a damned if you do, damned if you don't situation here. An alternative, which would deal with the lost password, is to be able to reset the device to a state where the user has to set a password before it becomes operational. This would ensure that an operational device doesn't have a well-known password but it does facilitate setting a weak password or the re-use of passwords. Alternatively have the device generate and display a new, random password on a factory reset. Any reset-and-change system, however, needs to be protected against a remote reset.
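The two designs sketched in the comments above (veti's "physical access means you may wipe it, nothing more" reset, and Doctor Syntax's reset into a state where the device generates a random password, refuses to operate until the owner sets one, and cannot be reset remotely) can be modelled in a few lines. This is an added example written for this page, not code from The Register, the DCMS proposal or any vendor's firmware; the IoTDevice class, its command names, the strength rules and the "local" flag standing in for a button GPIO are all assumptions for illustration. It also shows why "unique" is not the same as "strong": Password1 through Password23455 are all unique and all rejected.

```python
import re
import secrets
import string
from enum import Enum, auto

# Hypothetical device credential/reset model (added example, not real firmware).


class State(Enum):
    PROVISIONING = auto()   # booted, but refuses service until a password is set
    OPERATIONAL = auto()


class ResetNotLocal(Exception):
    """Factory reset requested over the network rather than via the button."""


class WeakPassword(Exception):
    """Candidate is too short, too repetitive, or a common word plus digits."""


class AuthFailure(Exception):
    """Wrong current password, or device not yet provisioned."""


ALPHABET = string.ascii_letters + string.digits
COMMON_BASES = {"password", "admin", "letmein", "qwerty", "welcome"}


def is_weak(password):
    # "Unique" is not "strong": Password1 ... Password23455 are all unique.
    if len(password) < 10:
        return True
    if len(set(password)) < 5:
        return True
    base = re.sub(r"\d+$", "", password).lower()   # strip trailing counter
    return base in COMMON_BASES


def generate_initial_password(length=12):
    # CSPRNG output, fresh per device and per reset, shown on the device's own
    # display or label; never derived from MAC or serial number.
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_weak(candidate):
            return candidate


class IoTDevice:
    def __init__(self):
        self.data = {}
        self.reset_count = 0
        self.factory_reset(local=True)   # first boot behaves like a reset

    def factory_reset(self, *, local):
        # 'local' is set only by the physical button handler (assumed);
        # the network stack never passes local=True.
        if not local:
            raise ResetNotLocal("factory reset requires the physical button")
        self.data.clear()                # physical access => allowed to wipe
        self.initial_password = generate_initial_password()
        self._password = self.initial_password
        self.state = State.PROVISIONING
        self.reset_count += 1

    def set_password(self, current, new):
        # The displayed bootstrap password is only good for this one step.
        if not secrets.compare_digest(current, self._password):
            raise AuthFailure("current password does not match")
        if is_weak(new) or new == self.initial_password:
            raise WeakPassword("rejected weak or unchanged password")
        self._password = new
        self.state = State.OPERATIONAL

    def handle_request(self, password, command, payload=None):
        # Every network command, including 'reset', comes through here.
        if self.state is not State.OPERATIONAL:
            raise AuthFailure("not operational: owner must set a password first")
        if not secrets.compare_digest(password, self._password):
            raise AuthFailure("bad password")
        if command == "reset":
            return self.factory_reset(local=False)   # always raises
        if command == "store":
            self.data.update(payload or {})
            return len(self.data)
        if command == "read":
            return dict(self.data)
        raise ValueError(f"unknown command {command!r}")


def demo():
    """Walk one device through its lifecycle; return what each step produced."""
    out = {}
    dev = IoTDevice()
    out["boot_state"] = dev.state
    out["initial_is_weak"] = is_weak(dev.initial_password)
    try:
        dev.set_password(dev.initial_password, "Password23455")   # unique, useless
    except WeakPassword:
        out["sequential_rejected"] = True
    dev.set_password(dev.initial_password, "glass-otter-47-lamp")
    out["after_set"] = dev.state
    out["stored"] = dev.handle_request("glass-otter-47-lamp", "store", {"k": "v"})
    try:
        dev.handle_request("glass-otter-47-lamp", "reset")   # remote reset path
    except ResetNotLocal:
        out["remote_reset_blocked"] = True
    first_pw = dev.initial_password
    dev.factory_reset(local=True)          # button press: wipe and re-provision
    out["wiped"] = dev.data == {} and dev.state is State.PROVISIONING
    out["fresh_password"] = dev.initial_password != first_pw
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The point of routing the "reset" command through the same handler as every other network request is that there is no second, forgotten code path that a remote attacker can reach; the only way to obtain a clean device with a new credential is to hold the button, which also wipes whatever data the previous owner left on it.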

  8. Doctor Syntax Silver badge

    The statement on the MoF website also says "We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology."

    That's the kiss of death. They always say something like that when they've no idea how to do it.

  9. Anonymous Coward
    Anonymous Coward

    Unique passwords

    Password1

    Password2

    Password3

    .......

    Password23455


  11. ThatOne Silver badge
    Devil

    British law vs. far-eastern manufacturers?

    I'm sure those huge Chinese assembly factories would shake in their boots - if only they had a chance to hear about that law.

    And of course it is very easy to implement, the only downside being the expensive airplane tickets for the British cops supposed to apprehend any wrongdoers...


Biting the hand that feeds IT © 1998–2022