New UK Legislation Set to Improve IoT Security

The Product Security and Telecommunications Infrastructure (PSTI) is a new UK bill looking to improve the security of Internet of Things (IoT) devices. The new bill aims to improve security by implementing new compliances for manufacturers, importers, and distributors of IoT devices. 

IoT devices are becoming a main point of entry for cybercriminals. With IoT uptake increasing at home and in the workplace, the security standards for these devices are surprisingly lax. 

The PSTI aims to improve consumer privacy with security boosts to internet connected devices. The bill targets “internet-connectable products” such as cameras, smart TVs, and speakers. The legislation will also apply to devices connected to the internet indirectly, such as smart light bulbs that connect to home assistants like Amazon’s Alexa. 

IoT vendors found not in compliance with the PSTI could be fined up to £10 million by a yet unappointed regulator. 

Product Security Measures 

The PSTI factsheet states that most IoT owners assume these devices are secure, yet “only 1 in 5 manufacturers embed basic security requirements in consumer connectable products”. The PSTI bill looks to make basic security requirements the law. 

The UK government has outlined three main features of the PSTI bill: 

• Default passwords will be banned on IoT devices. An IoT device that can be reset to factory settings must not use a default factory password. Default passwords allow cyber criminals easy access as many consumers do not know they have to change these default passwords themselves. 
• Products must have a vulnerability disclosure policy. With this legislation, there must be a way for security researchers to notify manufacturers of risks with their devices. When a risk is notified, the manufacturer can then work to fix the vulnerability. 
• Manufacturers must be transparent about the update lifecycle of the IoT device. At the moment, it is not always clear how long the update lifecycle of an IoT device is. With this requirement, consumers should be able to know how long their IoT device will receive security updates for. This will hopefully allow individuals and businesses to know when their IoT devices should be replaced. 

The government supplied a list of products that the PSTI bill will affect. Some examples include smartphones, IoT device hubs, baby monitors, and smart home assistants. Since the PSTI is primarily targeting the individual, many IoT devices marketed towards business and enterprise are not included.