back to article UK.gov emits draft IoT and smartphone security law for Parliamentary scrutiny

A new British IoT product security law is racing through the House of Commons, with the government boasting it will outlaw default admin passwords and more. The Product Security and Telecommunications Infrastructure (PSTI) Bill was introduced yesterday and is intended to drive up security standards in consumer tech gadgetry, …

  1. chivo243 Silver badge
    FAIL

    Way to use the Lingo!

    Julia Lopez MP said in a canned statement: "Our Bill will put a firewall around everyday tech...

    Nice try. Just because you've written the theory out, doesn't mean it will be in practice anytime soon, or enforced once it is in practice. So many hurdles.

    1. hoola Silver badge

      Re: Way to use the Lingo!

      A firewall (usually) still has holes in, either intentionally or unintentionally. As you say, these are fine words and will give a warm fuzzy feeling that things are better and more secure. The trouble is that this is mostly unenforceable.

      So much of this stuff is fit-and-forget with no firmware updates from some facility in the Far East that is churning out millions of the same gizmo every month, all with different brand labels on.

  2. Doctor Syntax Silver badge

    "Our Bill will put a firewall around everyday tech"

    And what's more, we have the hashtags to do it. It's all very well having seen the words but they should really let a techie review what they're intending to say in public before they say it.

    As a really good start it seems to have disappeared from the Parliament site already.

    1. Cronus

      You can make fun of the language but it's not as though firewall has always referred to the software on a computer system to restrict network access.

      From a quick Wikipedia search:

      The term firewall originally referred to a wall intended to confine a fire within a line of adjacent buildings. Later uses refer to similar structures, such as the metal sheet separating the engine compartment of a vehicle or aircraft from the passenger compartment.

      The computer use of the word was a metaphor for the physical thing and the MP's usage of the word is too just with a different meaning.

  3. Headley_Grange Silver badge

    Online Souks

    Unless the Gov. makes online sellers responsible for the tat they sell then this will be virtually worthless. Non-Reg. readers will continue to buy the cheapest things they can find online, and the online souks will be happy to sell them Chinese tat that doesn't meet any UK regs. Then, when bad stuff happens, the likes of Amazon/eBay will issue their usual "we have strict seller policies........" bollocks and no one will get punished.

    1. Doctor Syntax Silver badge

      Re: Online Souks

      It certainly needs to be drafted to include online market places in those who can be fined. The "fact sheet" ( https://www.gov.uk/guidance/the-product-security-and-telecommunications-infrastructure-psti-bill-product-security-factsheet ) is detailed about the sorts of devices covered but vague about who will be held responsible. It also seems to be handing over enforcement to the Dept. of Culture Media. Perhaps a beefed up Trading Standards service would have been better: we could certainly do with it being strengthened even without this.

      1. Pascal Monett Silver badge

        Shouldn't be that difficult

        Online reseller sells you unsecure product. You get pwned. You sue online reseller. Online reseller sues maker.

        Problem solved.

        1. Tom Chiverton 1 Silver badge

          Re: Shouldn't be that difficult

          So the rich get richer. Great. Seriously. You think you can out-lawyer Amazon ?

        2. Woodnag Silver badge

          You sue?

          No. There's no right to private action under this law.

        3. hoola Silver badge

          Re: Shouldn't be that difficult

          Good luck with that.....

          Whilst the theory is sound exactly how do you sue eBay or Amazon?

      2. Warm Braw Silver badge

        Re: handing over enforcement to the Dept. of Culture Media

        To be fair, the prospect of being tweeted at by Nadine Dorries is a fairly robust deterrent.

      3. Brewster's Angle Grinder Silver badge

        Re: Online Souks

        "It also seems to be handing over enforcement to the Dept. of Culture Media. Perhaps a beefed up Trading Standards service would have been better: we could certainly do with it being strengthened even without this."

        Enforcement?! Pah! What are you, some kind of lefty activist? We're writing a law to address people's concerns. And when someone is caught breaking these laws, we'll write more specific laws with more draconian penalties to cover those cases. But nobody wants these laws to be enforced - that would impinge on our ability to make money and cost taxes which could be going to our chums. We just want to able to blame somebody else when a problem turns up and be seen to be doing something in the papers.

    2. Phil O'Sophical Silver badge

      Re: Online Souks

      It'll just change the way the crooks work. Instead of using the default passwords they'll set up 'helpful' phishing websites to guide non-technical users through the security configuration, and in the process snaffle the password and address info for further use or sale. They may even take the opportunity to open up firewalls and load malware.

      "select your thermostat type from the drop-down menu, and enter your new password, we'll do the security setup for you".

      1. Kientha

        Re: Online Souks

        We'll likely also see social media bots pretending to be support accounts offering to help similar to what we currently have for social media and cryptocurrency exchange accounts for when people complain they can't get their *insert IoT product here* to work

    3. HAL-9000
      Thumb Up

      Re: Online Souks

      Have to agree, there will shurly be big gaping holes once scrutiny is permitted

    4. Doctor Syntax Silver badge

      Re: Online Souks

      The PDF of the Bill is back online. It seems that the Sec of State has the powers to deem products to be relevant which future-proofs it against as yet undeveloped products.

      The bad news is that as far as I can see the likes of Amazon other than as a direct seller, eBay and the like escape. Even if there was an attempt to treat them as importers or distributors it looks as if 55(11) gives them the option to plead that they're "ostensible suppliers" and not the "effective suppliers" who are the relevant persons within the meaning of the Bill.

      1. Anonymous Coward
        Anonymous Coward

        Re: Online Souks

        if 55(11) gives them the option to plead that they're "ostensible suppliers" and not the "effective suppliers"

        They should still be penalised in some way, and stopped from peddling more of the shyte

  4. Anonymous Coward
    Anonymous Coward

    More misdirection...why am I not surprised?

    Quote: "...enforcement of these new regs....will have the power to fine companies for non-compliance up to £10 million..."

    *

    The missing -- and vital -- piece is the budget for ENFORCEMENT!!!

    *

    My quiet street has a 30mph speed limit. Ferraris and Lamborginis and AMG Mercedes regularly do 60 and 70mph past my house. So the law says 30mph....but absolutely no sign of ENFORCEMENT!

    *

    My quiet street has multiple Amazon Ring doorbells, all surveying the public street. The law says that if a CCTV device scans a public space it needs to be registered. Registration is not needed if the CCTV is only scanning private property. Is this law subject to any ENFORCEMENT? Of course not!!

    *

    So.....here we are......once again our political class are posturing about "doing something"......and as in these other two cases it's just empty posturing!!!

    *

    Just saying!!

    1. BenDwire Silver badge

      Re: More misdirection...why am I not surprised?

      It's even worse than that. When a crime takes place in the street, Plod routinely asks people for CCTV, doorbell and dashcam footage. I assume no-one gets prosecuted for such unregistered cameras?

      (And why is it still called footage when no film is used? How about bittage, bytage or streamage?)

      1. Eclectic Man Silver badge
        Headmaster

        ASIDE: Re: 'Footage'

        BenDwire: "And why is it still called footage when no film is used? How about bittage, bytage or streamage?"

        For the same reason that ships still 'sail', even though they use diesel (or nuclear) rather than wind power, and people still 'dial' a telephone number, even though all phones have buttons (or at least flat screens with images of buttons). (There is a beautiful scene in 'In and Out'* where a person tries to push-button a dial telephone, it is superb comedy.) People wear 'glasses' even though most have polycarbonate (plastic) lenses. It is just that society continues to use the original, now 'old-fashioned' terms.

        * https://www.nytimes.com/2019/02/08/movies/tom-hanks-philadelphia.html

        https://en.wikipedia.org/wiki/In_%26_Out_(film)

        1. Yet Another Anonymous coward Silver badge

          Re: ASIDE: 'Footage'

          We still use "colour timing" for adjustments to the colour balance of a movie scene done on a computer.

          Because you used to change how long the film was in a particular chemical bath.

    2. Mike 137 Silver badge

      Re: More misdirection...why am I not surprised?

      A perfectly good point.

      I recently proposed something similar in respect of data protection law, which is widely ignored by businesses. Rather than fining organisations, they should be forced to fix the faulty processes that lead to the technology flaws, and that fixing should be audited by the regulator for adequacy. The cost of both the fixes and the audits would be money much better spent than if it were handed over a as fine.

      I also suggested that there should be a hierarchy of requirement for qualification and certification of competence, the top of which should be applied where any product has potential life- or livelihood consequences. Another option would-be the equivalent of the BSI kite mark - a voluntary certification that a product meets an objective standard. It worked for electric plugs - raising safety standards by being a market delineator.

      However all these ideas (and the current government proposal) fall on the issue of transnational jurisdiction - there really isn't any possibility unless all the key nations agree to coordinate their standards and statutes. Europe did, but that's pretty much it to date.

    3. Anonymous Coward
      Anonymous Coward

      Re: More misdirection...why am I not surprised?

      This always the problem and I'm not sure if it's worse in Britain than other European countries or not.

      There's no money or just plain no enforcement in anything you can think of.

      Food safety, not enough inspectors

      Cre homes, not enough inspectors, laughably easy to rename your failing care home and pretend it's not the same one despite being in literally the same place with same staff.

      Traffic, speeding and traffic crime is endemic.n

      Litter, holy shit is there to much litter.

      Covid masks, we managed it for like a month but two years in and it's a rare sight to see someone in them.

      MPs, fuck me do they need more oversight.

      On the other hand we're red hot on throwing money at making it shit to claim benefits

  5. batfink Silver badge

    "Our Bill will put a firewall around everyday tech"

    Oh just fuck off.

    1. Scott Broukell

      Re: "Our Bill will put a firewall around everyday tech"

      But . . . but . . . but, going forwards the gubermints far thinking proposals will synergise the security of the emerging digital landscape for all IoT / Tech users in the land, honest! Imagineering Pepper Pig onto the advisory panel and everything!

      On second thoughts, no, your right.

  6. Howard Sway Silver badge

    The bill imposes duties on consumer product manufacturers

    Seeing as almost all this stuff is manufactured outside the UK, I don't see how this could work. Sure, MS and Google and Apple will be forced to comply, but how will they enforce this on Chinese tat foundries? They just make the stuff, sell it to other people to import and are not under jurisdiction of any UK laws, so presumably they just ignore it. I doubt these places will redesign their products and retool their entire production lines just to obey a law which doesn't affect them.

    1. Anonymous Coward
      Anonymous Coward

      Re: The bill imposes duties on consumer product manufacturers

      I agree with your point about suing Chinese tat foundries. However to remove things like default passwords would be an update to software and a change to the sticker on the product production line. Not really that much work. Better yet and cheaper make the user set a strong password on first use.

      1. Dante Alighieri
        Facepalm

        WORMing out of the regs

        Some manufacturer is going to make a fortune providing stand alone components or factoring into microcontrollers a bit of Write Once Read Many to support that.

        Should work too until...

        Joe Public will rigorously use a cryptographically secure P@55word

        Ideally a 2 layer : set BIOS in WORM, require s/w p/w different from above, so pAssW0rd

      2. Peter Gathercole Silver badge

        Re: The bill imposes duties on consumer product manufacturers

        If you force the user to change the password on first use, there should be a warning of this, together with the password rules, and an instruction to think up two passwords (just in case the first one is rejected) before powering on the device.

        It's just too tempting, when suddenly prompted for a new password, to reuse one used elsewhere, or to invent one on the fly that is either so obvious, or immediately forgotten.

        Holding a copy of a complex password is awkward too. Do you use a 'phone app? What happens if you forget/lose your phone. Back it up to the cloud? Do you really trust the app developer (to not leak your access password) and cloud provider? Paper? Well... better use a mnemonic to obfuscate it, and remember the mnemonic.

        I don't know the best answer. I once tried using a phone password database. I forgot the access password and hadn't written it down anywhere!

    2. iron Silver badge

      Re: The bill imposes duties on consumer product manufacturers

      The Chinese manufacturer will include the required 'Approved by the Ministry of Fun' logo on the box and everyone will be happy. Much like the CE logo now.

      1. BenDwire Silver badge

        Re: The bill imposes duties on consumer product manufacturers

        Actually, this is how the CE mark works. The person putting the device on the market is legally responsible for ensuring it meets all relevant local legislation, and that would include passwords. Interestingly, they are also responsible for providing instructions in the prevalent local language too - something my overseas distributors in a B2B context moaned at on a regular basis (although we did help as much as possible).

        I'm always reminded of the DTI minister who gave a seminar in the 1990's about the new EMC directives: "There is no obligation to test, just to say that it complies"

        But yes, enforcement ... Caveat Emptor and carry on.

  7. Cereberus

    How will it work?

    It's a nice idea, if it could made to work. There are 4 main pitfalls I can see:

    1) How to undertake enforcement with the Chinese manufacturers

    2) You move the goal posts and say it si the sellers responsibility to ensure the IoT toy complies - How many of these sellers will even be aware of the requirements? How can they in turn force the company to implement proper security at point of manufacture?

    3) How do you backdate this against the millions (billions?) of devices already out there. If you can't are the manufacturers subject to fines, and if you can how to get all the users to update the devices?

    4) When it comes to phones etc. will there be a time limit to push out security updates? How long would a company have to offer support - to be truly effective it would have to be until the last device stops working, and how would they know? It can be hard enough to get an update now, because each company has to work the code into their version of Android (Apple obviously only have themselves to deal with) which they use to justify delayed security updates now, and then they only provide updates in many case for perhaps 2 years.

    1. iron Silver badge

      Re: How will it work?

      Enforcement? This isn't about enforcement.

      This is about bieng seen to be doing "the right thing", uttering a quote for the nightly news and getting oneself re-elected. Like everything an MP does.

    2. Pascal Monett Silver badge

      Re: until the last device stops working, and how would they know?

      Well, telecoms companies could compile a monthly list of all phone models that connect to their network and make it public (just the model is not PII or subject to GDPR).

      Companies could then base their support towards all of their models on the list.

      Of course, that is just a practical idea, so it will likely never see the light of day.

      1. Doctor Syntax Silver badge

        Re: until the last device stops working, and how would they know?

        It's not phones. It's IoT.

    3. Brewster's Angle Grinder Silver badge

      Re: How will it work?

      "How do you backdate this against the millions (billions?) of devices already out there."

      You don't. Retrospective laws are considered a very bad thing. You don't want to find out that something you did legitimately six years ago is suddenly a criminal act.

    4. Doctor Syntax Silver badge

      Re: How will it work?

      "2) You move the goal posts and say it si the sellers responsibility to ensure the IoT toy complies - How many of these sellers will even be aware of the requirements? How can they in turn force the company to implement proper security at point of manufacture?"

      No moving of goalposts required for this. The Bill makes it an offence to import or distribute the product. From the point of an individual country it doesn't matter if the tat-makers keep making tat if it isn't imported. Globally, if enough markets enact such provisions then the tat-makers have the options of dealing with shrinking markets or complying.

      The fly in the ointment here is that the likes of Amazon Marletplace & eBay seem to be given an out in that they're neither importers nor distributors - if all else fails section 55(11) seems to excuse them. What's missing is recognition of a role of gatekeeper. If it becomes expensive for them to allow non-compliant devices to be sold via their services then they will no doubt close the gates PDQ.

    5. Sub 20 Pilot

      Re: How will it work?

      Re your first point about Chinese stuff.

      How exactly is this different to the junk and unsecured crap pushed out by amazon, google etc ? I don't mean the stuff they advertise or sell on behalf of others but their own brands of spy-speaker rubbish, unsecure doorbells, baby monitirs etc.

  8. Twanky Silver badge
    Facepalm

    Alternatively...

    ...we could just make it illegal to exploit the vulnerabilities in people's IOT kit - backed up by penalties including massive fines. Oh...

    More seriously, if this kit is known to be vulnerable and a danger to national infrastructure then establish a white hat team to find it, attack it and break it, force it off that infrastructure. Maybe folk will get tired of buying kit that stops working soon after it's plugged in. Course, there'll be a few court cases...

    1. Yet Another Anonymous coward Silver badge

      Re: Alternatively...

      This idea could be extended. If the fire brigade were equipped with flame throwers they could determine which houses were flammable and rapidly incentivise the owners to improve

      1. rtharrison

        Re: Alternatively...

        The ancient Roman Crassus did something similar.

        "The first Roman fire brigade was created by Marcus Licinius Crassus. He took advantage of the fact that Rome had no firefighters. Crassus creating his own brigade of 500 firefighters who rushed to burning buildings at the first cry for help. Upon arriving at the fire, the firefighters did nothing while their Crassus bargained over the price of their services with the property owner. If Crassus could not negotiate a satisfactory price, the firefighters simply let the structure burn to the ground." - History of Firefighting

  9. Eclectic Man Silver badge

    Default passwords

    I've not found the relevant clause in the document, but it strikes me, as a one-time SysAdmin, that installing an OS without a default root password could be a mite tricky. OK, so they could make it mandatory to ensure change of root password on first log on, but that is not quite the same thing.

    In any case you will have great difficulty connecting to my thermostat (40 years old), dishwasher, washing machine, refrigerator, kettle or even toaster over the Internet, as none of them is remotely 'intelligent' (a bit like their owner ;o) ).

    1. hoola Silver badge

      Re: Default passwords

      But I am sure they provide all the functionality that is required to control the temperature, burn toast or boil water......

  10. Snowy Silver badge
    Holmes

    Smartphones

    They all get patches while they are supported, just some are not supported for very long. Unless this makes the manufacturer support them for longer nothing is going to change!

  11. Anonymous Coward
    Anonymous Coward

    Sleight of hand

    How to appear to be doing the right thing whilst in practice doing very little at all. Tommy Cooper would have been proud to pull such off

  12. Dwarf Silver badge

    But why ?

    So if there is no default password, how do you do the initial login to change the password in a semi-secure manner ?

    I wonder how many in the IoT space will just say "no security, hence no default password" or similar as a way of sidestepping the new rules.

    I also wonder if those in gov.t have ever actually thought about how an IoT device with no screen, keyboard, nor way of plugging in such a device might be configured before the initial setup. Might be possible with a QR code printed on the box when its new, but what about 6 months later when it needs a reconfigure etc. Need to be careful about the laws of unintended consequences as this could just result in more landfill or higher costs to do the device specific setup during manufacture etc.

    Perhaps what they actually need is a minimum set of security principles that people sign up to. I don't have a problem with a default password, as long as its set during initial provisioning.

    We also need to think about why a kettle or fridge actually needs this level of gimmickry. Perhaps limiting the functionality to whats actually needed, rather than trying to add the endless list of marketing wank to every product whether it needs it or not might be a more effective way forwards.

    1. Doctor Syntax Silver badge

      Re: But why ?

      "So if there is no default password, how do you do the initial login to change the password in a semi-secure manner ?"

      Not a problem. On boot from out of box or factory reset it presents a password-setting dialog before it will connect to the net. It shouldn't even matter if there is a default password, password-less login or a dialog without a login at this stage as the user-defined password will be in place by the time it connects. If the password's forgotten then a factory reset allows you to enter a new one. My router works this way so it's not a startlingly novel requirement.

      1. Dwarf Silver badge

        Re: But why ?

        Most IoT devices don't have screens, keyboards or serial consoles into them and given that many are wireless, the first thing they need to do is to get onto the WiFi, so SSID, password, etc, which in turn means that they need an initial setup capability which either needs to be completely unsecured from the factory so that you can get to it and do the initial configuration. A known but fixed password for that step only has to be better than no initial security.

  13. Winkypop Silver badge
    Joke

    I think Guy Fawkes idea of a firewall was best

    Unfortunately they caught him in time.

    1. Yet Another Anonymous coward Silver badge

      Re: I think Guy Fawkes idea of a firewall was best

      Proposal that Mr Fawkes name be added to all ballots. In the event that he gets most votes it is taken as a sign that the will of the people is to blow up parliament, or at least the local constituency office

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021