IoT devices must “protect consumers from cyberharm”, says UK government

The UK legislature is currently interested in a law about what it calls PSTI, short for Product Security and Telecommunications Infrastructure.

If you’ve seen that abbreviation before, it’s almost certainly in the context of the PSTI Bill. (A Bill is proposed new legislation that has not yet been agreed upon; if ultimately enacted into law, it turns into an Act.)

Your first thought, on hearing of a proposed law about computer products and telecommunications, might be to wonder, “What sort of new surveillance, interception and encryption-cracking powers are they hunting around for now?”

Happily, for those who can remember the past and have learned that encryption backdoors generally favour the enemy and disadvantage the Good Guys, or for those who have already made the intellectually unimpeachable assumption that cybersecurity is unlikely to get stronger if you go out of your way to weaken it on purpose…

…that’s not what this is about.

It’s a much more modest regulatory proposal, and unlike those proposals that aim to disrupt security and cryptography “just in case we ever lock the keys in the car”, its goal is to demand a modest increase in security and basic cyber-reliability in products such as mobile phones, fitness trackers, internet webcams, cloud doorbells, and temperature sensors for your pet fish.

The IoT cybersecurity party – you’re invited

Very simply put, the UK government wants to set some basic, minimum standards for at least the following:

  • Default passwords. If Parliament gets its way, there won’t be any. You won’t be allowed to have pre-configured passwords in your devices, so that you can’t flood the market with products that every crook already knows how to get into.
  • Vulnerability disclosures. You’ll need a reliable way for security researchers who believe in responsible disclosure to contact you, and (we hope) some visible commitment to closing off security holes that you already know about before the crooks figure them out.
  • Update commitments. You’ll need to tell buyers in advance how long you are going to provide security fixes for the product they’re buying today.

Presumably, the third item in this list will be used hand-in-hand with the second one to stop you unilaterally disowning a tricky security problem by simply abandoning support as soon as it suits you, leaving your users – and the environment! – with a landfill device that became useless long before they might reasonably have expected.

We alluded to pet fish above because the Gov-dot-UK documents discussing this Bill include an example of how default passwords cause trouble: “In 2018, attackers were able to compromise a connected thermometer in a fish tank that had a default password. The fish tank was in the lobby of a US casino, and attackers used this vulnerability to enter the network and access sensitive details, such as bank details”. Beware the aquarium!

Too little, too late?

On one hand, you can easily criticise this entry-level regulation on the grounds that its demands could be considered a case of “too little, too late”, and that consumers would be better protected simply by urging experts to get more aggressive about naming and shaming devices that don’t meet reasonable standards, so consumers know to avoid them.

In other words, let the market force the issues.

On the other hand, you can equally well support basic rules like this on the grounds that they are likely to make even the most egregious offenders start doing at least something about cybersecurity in their product management and product development processes.

Those vendors who spurn the cybersecurity party altogether risk having their shoddy products simply swept off the shelves at a stroke, and returned for bulk refunds by unimpressed retailers.

Sometimes, say those who support cybersecurity rules of this low-level sort, the hardest part about cybersecurity inside a pile-’em-high-and-sell-’em-cheap electronics company is to get the topic onto the agenda at all, let alone to get it high up on the list.

Consumers are price conscious and often quite reasonably unaware of the issues involved, so you first need to get the government to force the market to force the issues.

What next?

As the government’s announcement puts it, in what we think is an entirely satisfactory example of cybersecurity discussed in plain English:

[C]ybersecurity continues to be an afterthought for many manufacturers of connectable products, and consumers often expect that a product is secure. In a 2020 report by the Internet of Things Security Foundation, only 1 in 5 manufacturers maintained systems for the disclosure of security vulnerabilities. This threatens citizens’ privacy, the security of a network, and adds to the growing risk of harms.

The document ends up with a final paragraph that we found rather less readable:

Since the government first published its Code of Practice in 2018, it has intentionally adopted a consultative and collaborative approach with industry, academia, subject-matter experts, and other key stakeholders. A primary aim of this approach has been to ensure that interventions in this space are maximally effective whilst minimising impact on organisations involved in the manufacture and distribution of consumer connectable products.

We’ve never warmed to jargon such as “interventions in this space”, which makes us think of tradespeople squeezing into cramped loft areas in an effort to fit modern insulation to poorly-designed older houses.

But we understand why Her Majesty’s Government has made this point, which we translate as “we intend to push through changes that unarguably give IoT vendors no choice about coming to the cybersecurity party”.

Manufacturers’ lobby groups understandably go out of their way to head off legislation that might increase their costs without persuading consumers to accept higher prices as a result.

Sidestepping that sort of lobbying altogether is perhaps best achieved by ensuring that no one in the process is faced with unexpected or unreasonable changes, thus effectively making the changes unexceptionable…

…while at the same time forcing even the most recalcitrant manufacturers to do at least something about some of the underlying cybersecurity problems that they themselves have tipped into the marketplace.

In proverbial words, “A journey of 1,609,344 metres starts with a single step.”

Perhaps some vendors who would otherwise have shirked that first step forever might eventually have no choice but to do so.
