back to article dangles £400k over makers of IoT Things: Go on, let's see how you'd make a security cert scheme

British companies have been offered access to a £400k pot of cash to design a UK-specific "kitemark" assurance scheme for Internet of Things products. The government grant scheme is intended to complement previous announcements, making it a legal requirement that IoT devices ship with unique, non-default passwords and for …

  1. andy 103

    Educate consumers

    In a sector where consumers overwhelmingly assume that devices are secure because they are for sale, these assurance schemes are vital in enabling consumers to make security-conscious purchasing decisions.

    How about you educate consumers that this isn't the case?

    The irony hasn't been lost on me when it comes to people buying smart home tech to make their house "more secure", whilst simultaneously introducing a new set of security problems.

    1. IGotOut Silver badge

      Re: Educate consumers

      Have you ACTUALLY tried educating people about shiney items?

      But...but...but Alexa can tell me what time it is, or the weather outside.

      And I NEED to unlock my front door with my phone..Yes I am having that battle with a friend at the moment. It like the amp goes to 11 conversation.

      "What happens if you're phone goes dead or you have no service"

      "I can still use a key"

      "Why not just use the key?"

      "I always have my phone, so I don't want to carry two things"

      Face palm...

      1. A random security guy

        Re: Educate consumers

        By that you mean not only consumers but the developers in the Bay Area who are actually building these devices right? You mention security and they say they don't have the time, ship the products without a security assessment and even hide their schedules and software from the security team.

        If that is the attitude, how can you blame the common man?

    2. jake Silver badge

      Re: Educate consumers

      "How about you educate consumers"

      How do you educate the ineducable?

      When I was younger I thought I could change the world. Now that I've been teaching on and off for about 40 years, I've come to the realization that probably nine out of ten humans are ineducable beyond "eat here, sleep there, bathe occasionally & don't poop in the living room". The concept of security is completely outside the scope of their abilities.

      Before you say I am wrong, be prepared to demonstrate your assertion.

      1. Christopher Reeve's Horse

        Re: Educate consumers

        And which university do you teach at?

        1. jake Silver badge

          Re: Educate consumers

          I have taught at most of the Universities and Junior Colleges (and a few of the high schools) in the San Francisco Bay Area. I have never been a full-time teacher.

  2. Warm Braw Silver badge

    "industry-led" assurance schemes

    How about a consumer-led assurance scheme instead? Otherwise it will simply be the case that the slickness of the brand deceives the eye.

    1. Chris G

      Re: "industry-led" assurance schemes

      Industry led, definitely means a better deal for industry while being made to look good for consumers.

      Great examples of industry led would be the health and safety research led by the asbestos industry and the health impact research led by the tobacco industry.

  3. Anonymous Coward
    Anonymous Coward

    Oh dear!

    Increasing security of IoT stuff is all well and good...

    However, I foresee a lot of issues with Certificate Expiry and [cough][cough] planned obsolescence of IoT tat resulting from this.

    All a maker needs to do to bork their device is to stop updating certificates. Win-win for them and more useless tat going into landfill.

    I hope that this does not happen but somehow, the temptation to bork 1-2 year old kit might get too much for manufacturers who need to show ever increasing sales to satisfy the Wall St shorters.

    1. Christopher Reeve's Horse

      Re: Oh dear!

      If I had to bin something due to forced early borkage that entire brand would get blacklisted.

  4. BenDwire Silver badge

    Typical government project

    Of course this problem exists, and something needs to be done - Think of the children! But it's typical of the UK government** to spaff loads of cash looking for a solution which will be half-baked at best, or completely useless. The end result is that the politicians are seen to have done something, taxpayers will be worse off, and the world carries on as before.

    For other examples, see the NHSX contact tracing app.

    **Probably not limited to the UK

    1. Doctor Syntax Silver badge

      Re: Typical government project

      Something must be done. This is something therefore it must be done. The politician's syllogism.

  5. IGotOut Silver badge

    My simple request for Kitemark.

    Should the company no longer wish to support the device, it should be possible to

    A) move to another supplier

    B) Continue to use the device in local network.


    Home cameras, still be able to record to local NAS drive. Home audio, be able to stream from another provider or home network.

    1. A random security guy

      Re: My simple request for Kitemark.

      You assume that a customer knows what to do. Assume I sell you a million webcams with a guarantee for security updates for 10 years. After 3 years I decide to shut shop and retire. You installed these devices at YOUR customer's premises (a grocery chain?) and you also made a ton of money and retire.

      The grocery chain knows how to move vegetables. They have no IT skills.

      Old Joe installed the webcam at his home but he got run over by a truck. His widow is now getting scammed by people watching her ...

  6. jake Silver badge

    Separating fools from their money.

    "Internet of Things devices are, as Reg readers know, broadly speaking, smart gadgets."

    For holistic values of "smart" ... and much the same results.

  7. Pascal Monett Silver badge

    They had a great idea, then shot it in the foot

    "The Ministry of Fun* declared that it wants a multitude of "industry-led" assurance schemes rather than just one"

    No. You let the industry create a certification scheme if you want, but you don't go and have many of them, otherwise the customer isn't going to know which one is good and which one isn't.

    This is daft. You finally get around to mandating a security scheme, which is a bona fide Good Thing (TM), then you completely undermine the system by allowing many different schemes. That is only going to create confusion and give rise to miscreants that will take advantage of the system.

    Bad government. No cookie.

    1. Chris G

      Re: They had a great idea, then shot it in the foot

      What they need is an equivalent of the British Board of Agrément that sets the standards and provide certificates for construction materials that conform to the required standards to meet building regulations.

      In this case, a general set of regulations need to be identified (that are sufficiently malleable to adjust to new technology and requirements) that covers the majority of use cases so far and those that appear to be possible within the near future.

      Then they can think about constructing a certification board with members drawn from industry, consumer groups and government and while they are about it give the board some regulatory teeth and make vested interest lobbying a crime.

      Alternatively, ban all IoT.

  8. Christopher Reeve's Horse

    What about our networks?

    Given the proliferation of IOT tat, its going to be nearly impossible to ensure they’re all constantly updated. On the other hand, why is it nearly impossible for a layman to set up a locked down separate home network where devices can be isolated from each other and or the rest of the network/internet?

    1. A random security guy

      Re: What about our networks?

      Because we never designed our systems to be designed that way. It is a design problem, not a user error.

      1. Christopher Reeve's Horse

        Re: What about our networks?

        Yes, that’s what I’m trying to suggest. It should be two things: device security and protected networks. But until your standard ISP supplied router is designed to operate simply in such a way, no one is going to stand a chance.

        1. SImon Hobson

          Re: What about our networks?

          You are correct, but I can't see that changing any time - at all, not just soon.

          ISPs don't care - as long as the router they ship to you "free" is a) cheap to them, and b) allows you to reach WhatsTwitFaceBorge then they are OK.

          As to segregated networks, there are some real practical problems there. As it happens, SWMBO just got an Echo Dot - no I didn't buy it, I don't want it in the house, but SWMBO says otherwise and one of our daughters got it for her birthday present. I setup another SSID to connect it to with client segregation turned on - but then I also need to put SWMBO's phone onto a specific IP address and configure the network to allow the phone and the Dot to talk to each other. I'd use VLANs as well but none of my switches are VLAN capable and I'm not keen to spend on that right now - but if I did then that would complicate things even more as there'd be no ability for the config program to find the devices it needs to configure (usually based on being in the same broadcast domain). Of course, VLANs on a wired network would mean that you can't just randomly plug any cable into any socket where it fits - yes, that's the level of many people, if the plug fits then it must be the right connection (even if it's an RJ11 phone connector into an RJ45 network socket).

          Now, I can do this as I've been in the IT business for <cough> decades. Your average user will not be able to even grasp the concepts. And automation really really will not cope with it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like