The New PSTI Act is a Good Start, But do Smart Devices Still Need Better Protections?


Internet of Things (IoT) devices continue to increase in popularity across the globe. However, many have proven fallible to cybercriminals who are increasingly finding new ways to breach their security. In fact, in the UK, IoT malware attack volume increased by 163 per cent in 2022, compared to the previous year, cybersecurity firm Sonicwall revealed in its 2023 ‘Cyber Threat Report’.

In response, in December 2022, the Product Security and Telecommunications Infrastructure Act (PSTI Act) received Royal Assent and is set to come into effect in the UK on Monday 29 April 2024.

The act looks to make connected digital devices, such as routers, cameras, smart speakers and doorbell cameras, more secure and less prone to cyberattacks by implementing minimum security requirements for their manufacturers, importers and distributors.

These requirements include banning universal default passwords, reporting security vulnerabilities and requiring manufacturers to reveal how long they will support each product.


David Emm, principal security researcher at Kaspersky, the multinational cybersecurity and anti-virus provider, welcomes the new Act, but suggests it should have gone even further to keep devices and their users safe: “The new PSTI Act seeks to give teeth to the 2018 Code of Conduct for consumer IoT, which laid out 13 recommendations for manufacturers of IoT devices – items like routers, cameras and smart home devices, all of which are multiplying every year – with Statista predicting they will exceed 29 billion by 2030.

“The recommendations clearly haven’t provided enough incentive for manufacturers to secure these devices, and for that reason, the Act is welcome. However, it is a shame that not all 13 have found their way into the legislation, with only 3 being given legal force.”

“It is positive that the Act is requiring manufacturers to say how long they will support each product. However, as things stand, this could be hidden away on their websites, which could easily be missed by consumers. This is something that should be available at the point of sale. We urge legislators to consider the implications of this in the light of a complex threat landscape.”

Cybersecurity is king in product design

Cade Wells, business development director at CENSIS, the Centre of Excellence for sensing, imaging and IoT technologies, explains how the news could impact firms: “The new PSTI Act underscores the UK government’s commitment to strengthening the security of consumer-connectable devices such as smart speakers, doorbell cameras, and fitness watches.


“By banning default or easy-to-guess passwords, requiring a statement of the minimum period during which security updates are provided as part of a product, and mandating vulnerability disclosure policies, the legislation aims to safeguard consumers from potential cyber-attacks.

“Manufacturers, importers, and distributors of most IoT devices being sold in the UK are affected, and there are potential penalties for those who fail to comply. In the most severe cases, a penalty of either £10million or four per cent of the company’s global revenue – whichever is greater – may be imposed.

“This move highlights the emergence of cyber security as a fundamental aspect of product design and business strategy, marking a significant step towards creating a safer and more reliable IoT ecosystem. We will likely see further regulatory change in the future, so businesses must remain vigilant to ensure they maintain compliance and protect consumers.”

‘Further regulations will be needed’

Robert Pocknell, IP solicitor at Keystone Law, also believes that the regulations will require changes and additions in the future: “I suspect that further regulations will be needed as devices become more complex, and cybercriminals become more savvy.

“From a practical perspective, it’s right that at the moment retailers and distributors seem to be unprepared for the regulations and for the need to ensure that there are Certificates of Compliance when they sell connected products, but that will hopefully improve over time.

“There are many other issues to overcome in the IoT space, not least the claims made by holders of patents in the telecoms space that want a share of the revenue from the new innovative connected devices that are going to come onto the market.”

‘True protection goes beyond just regulation’

Alan Jones, CEO of YEO Messaging, a private and secure messaging platform that uses patented continuous facial recognition to authenticate users, comments:


“As a team dedicated to providing secure authenticated and encrypted messaging, we view the UK’s Product Security regime as a positive step towards enhancing the security of connected devices.

“While I commend the efforts to establish minimum security requirements, I believe true protection goes beyond just regulation. We are advocates for comprehensive privacy measures, emphasising end-to-end encryption, robust authentication mechanisms, and user control over data.

“I believe that continuous innovation and global collaboration are essential in safeguarding digital communications, and measures empowering users to take control of their data should be added as a minimum requirement.”

Where do APIs come into this?

Mayur Upadhyaya, CEO at APIContext, highlights the role of APIs in the IoT ecosystem: “While the Act’s focus on connected devices is commendable, it’s crucial to recognise the role of APIs in this ecosystem.


“These APIs act as the communication channels between devices and the servers they interact with, often exchanging sensitive data. The PSTI Act’s emphasis on security becomes even more relevant when considering API interactions.

“One of the strengths of the PSTI Act is its focus on strong authentication mechanisms. This doesn’t just apply to traditional logins but also extends to API interactions. The Act’s provisions around banning default passwords and managing vulnerabilities are equally important for APIs. Weakly secured APIs can be exploited to gain unauthorised access to sensitive data or disrupt critical functionalities within connected devices. Ensuring robust API authentication and authorization becomes paramount for the overall security of these devices.

“Another key consideration is data scoping. The PSTI Act promotes transparency around data usage, and this extends to API interactions as well. APIs should only be authorised to access and process the data they absolutely need to function. Minimising data exposure through proper scoping not only safeguards user privacy but also reduces the potential attack surface for malicious actors.”

Improving ‘out of the box’ resilience

Michael Woolslayer, policy counsel at security platform HackerOne, reveals why he thinks the new regulations represent a positive move forward for smart devices.


“With stronger default security practices, such as unique passwords, consumer smart devices will be more resilient out of the box. Transparency around the security support date will help consumers make informed purchasing decisions, fostering additional marketplace competition based on security. The requirements also help pave the way for a more standardised approach to device security, potentially reducing the fragmentation in security practices across different manufacturers.

“More specifically, ensuring that organisations have a process to receive and fix vulnerabilities is already a best practice recommended by many of the most widely adopted cybersecurity frameworks and standards.

“Vulnerability Disclosure Programs foster a collaborative environment where security researchers, consumers, and manufacturers work together to enhance product security. Early vulnerability disclosure helps mitigate potential cyber threats before they escalate into larger security incidents. By requiring manufacturers to provide clear channels for reporting vulnerabilities, the regulation will help to ensure quicker identification and resolution of security flaws, ultimately protecting consumers.”

Has the act overlooked consumer complacency?

Finally, James O’Sullivan, founder and CEO of Nuke From Orbit, a UK-based digital identity security firm, explains why although the legislation represents a positive start, it overlooks a serious weakness: human behaviour.


“We all want life to be as easy as possible. Give people a choice between remembering a complicated 10-digit password and using a four to six-digit PIN, a thumbprint, or facial recognition, and most people won’t go with the password. Don’t stop them from using the same code over and over, and our research shows that 45 per cent will use the same PIN for their phone, apps, services and bank cards.

“That would be bad enough; what makes the situation worse is that more often than not, our phones not only connect to all those apps and services but are also the only way to verify access. So one-time passcodes, authenticator apps and other forms of two-factor authentication are all on the same device as the apps they’re protecting.

“If your phone is stolen and the PIN discovered, a criminal can defeat most security to act as you. It doesn’t take a genius to work out what happens next. Our research further showed that in 62 per cent of smartphone thefts, criminals have gone on to access victims’ banking apps, digital wallets, social media, and email.

“Our concern is that businesses will only do what’s required of them, without addressing consumer complacency. What we need is for banks, mobile network operators, social networks, and other service providers to look at how their customers behave and tackle this escalating issue head-on by helping instantly invalidate stolen data. Only then will we start to make a dent in tackling the escalating threat of smartphone theft.”

Author: admin
