IoT security - new governance code

The number of devices in our daily lives that can send and receive data via the internet is growing at a phenomenal rate. The UK government’s estimate is that by 2025 there will be some 22 billion such devices around the world. Burglar alarms, doorbells, baby monitors, health trackers and a multitude of others are now known collectively as ‘Internet of Things’ or ‘IoT’ devices.

On 14th October 2018 the UK government published a new Code of Practice aimed at those who manufacture or develop technology for these devices. It is non-binding, but aims to provide guidance on best practice which, it is hoped, the target audience will welcome and adopt voluntarily. There are 13 guidelines, the following being a selection of the most important.

It is suggested that every device should leave the factory with its own unique password, rather than there being one default password across an entire range that the customer is then expected to change. Related to this is encouragement to make the set-up process for new devices as hassle-free as possible. Where users are required to do any kind of necessary reconfiguration, every effort should be made towards a foolproof process. New and ever more reliable methods of authentication, including voice, face or fingerprint recognition, are encouraged, as are regular software updates.
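As an added illustration of the first guideline above (not code from the Code of Practice or from any manufacturer), the following Python shows what "a unique password per device" looks like at the provisioning stage, and how a manufacturer could audit a production batch to catch the very problem the Code warns against: a single default credential shared across a range. The serial-number format, the batch record layout and the list of known weak defaults are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import string
from collections import Counter

# Constructed list of commonly seen default credentials; a real audit list would be larger.
KNOWN_DEFAULTS = {"admin", "password", "12345678"}
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 12


def generate_device_password(length: int = 16) -> str:
    """Draw a fresh random password from a CSPRNG for one device."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision_device(serial: str, length: int = 16) -> dict:
    """Create the factory record for one device.

    The plaintext is needed once, to print on the device label; the device
    firmware itself only stores the salted PBKDF2 hash.
    """
    password = generate_device_password(length)
    salt = secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()
    return {"serial": serial, "label_password": password, "salt": salt, "hash": digest}


def verify_login(record: dict, attempt: str) -> bool:
    """What the device firmware does at login: recompute and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"].encode(), 100_000).hex()
    return hmac.compare_digest(digest, record["hash"])


def audit_batch(records: list) -> list:
    """Flag devices in a production batch that violate the unique-password guideline.

    Returns a list of (serial, reason) tuples; an empty list means the batch passes.
    """
    findings = []
    counts = Counter(r["label_password"] for r in records)
    for r in records:
        pw = r["label_password"]
        if pw in KNOWN_DEFAULTS:
            findings.append((r["serial"], "known default credential"))
        elif counts[pw] > 1:
            findings.append((r["serial"], "credential shared with another device in batch"))
        elif len(pw) < MIN_LENGTH:
            findings.append((r["serial"], "credential shorter than minimum length"))
    return findings


if __name__ == "__main__":
    batch = [provision_device(f"SN-{i:04d}") for i in range(5)]  # constructed serials
    print("good batch findings:", audit_batch(batch))
    # Constructed "bad" batch: the whole range shipped with the same default.
    bad = [{"serial": s, "label_password": "admin", "salt": "", "hash": ""} for s in ("A1", "A2")]
    print("bad batch findings:", audit_batch(bad))
```

The audit runs over the plaintext only at the point where the factory already holds it (to print the label); once the device leaves the line, only the salted hash remains on it, so a compromise of one device's storage does not reveal a credential reusable on another.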

Devices should be resilient to power and data outages and, the Code suggests, should be able to maintain basic functionality at all times, including during software updates. It is recognized that devices used to monitor fitness today are likely to become ever more important to all aspects of our health in future, so aiming for systems that are never entirely devoid of function will have obvious and huge advantages.

Inevitably GDPR plays a significant role in such technology. Guideline 8 of the Code deals with the requirement on service providers and app developers to make it transparent to their customers exactly what data is being collected, why it is being collected and how it is being processed. An extension of this is the need to make it easy to wipe a device of all personal data at the end of its lifespan. Potential fines for failures here have the potential to be huge.

The Code is not really breaking new ground by putting consumer security front and centre for IoT devices, but the serious legal and reputational risks in the event of a problem make clear that the sensible will pay close attention to it nevertheless.