What Consumers Need to Know About IoT Regulation
Tue, April 20, 2021

Many IoT device manufacturers are still reluctant to invest in developing security protections because it’s a cost they can’t recoup. Without monetary incentives, there is nothing manufacturers could do to change their approach and design in safeguarding IoT devices / Photo by: weedezign via Shutterstock


Mike Nelson of cybersecurity news outlet Security Boulevard said securing IoT devices is like the untamed and lawless Wild West. As IoT takes the world by storm, organizations and consumers are benefiting from the increased connectivity. However, interconnectivity also comes with greater security risks. These risks must be competently handled by manufacturers to prevent consumers from losing their trust and confidence in IoT devices.

Unfortunately, it’s not that simple. Many IoT device manufacturers are still reluctant to invest in developing security protections because it’s a cost they can’t recoup. Without monetary incentives, manufacturers have little reason to change how they approach and design safeguards for IoT devices. F-Secure’s Mikko Hypponen and Tomi Tuominen said, “They build IoT devices to be cheap and to work, but not to be secure,” as cited by Tom Gaffaney, F-Secure’s security consultant and guest writer at IoTforAll, an IoT news platform.

If companies don’t hold these developers accountable and consumers continue to purchase their IoT devices without any security measures, perhaps regulation is one way to convince manufacturers to change their ways.  


IoT Regulation 

California’s SB-327 law on information privacy, which covers connected devices, came into force on January 1, 2020, requiring vendors to provide a password “unique to each device manufactured.” Many IoT threats, particularly those developed from the leaked source code of the Mirai software, target default and well-known passwords, which lets them infect devices easily.

The use of default or weak credentials is finally being reduced after this “worst practice” had been accepted by the industry for more than a decade. California’s law could be the nail in the coffin. But is it? The rest of the law appears to be more general and less likely to be effective. The law states that manufacturers should equip “a reasonable security feature or features” for “any device, or other physical objects that are capable of connecting to the internet, directly or indirectly.”

What does it mean to equip a device with a “reasonable security feature or features”? Indeed, it sounds vague and toothless. But a law is a law, and it puts California, America’s tech industry hub, ahead of the rest of the world. Several bills have been introduced in the United States Congress, such as ones to develop more consumer education about IoT devices and to establish stricter standards for the devices themselves. But none of the bills became law.
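The two requirements discussed above are concrete enough to check: a factory credential must not be a well-known default (the kind Mirai-style botnets try), and it must be unique to each device. The following script is an added example, not code from the article or from any regulator; it audits a constructed device inventory against a constructed list of default credentials, both of which are made-up sample data, and reports which devices would fail those two checks.

```python
"""Fleet credential audit against the unique-password requirement.

Added example (not from the article). Assumes a device inventory exported
as (device_id, username, password) triples; the inventory and the list of
known default credentials below are constructed sample data.
"""
from collections import defaultdict

# Constructed, illustrative list of factory defaults; a real audit would use
# a maintained default-credential list instead.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}

# Constructed inventory: device_id, username, password as shipped.
SAMPLE_FLEET = [
    ("cam-0001", "admin", "admin"),          # shipped with a known default
    ("cam-0002", "admin", "Qf7#kL2pWz9m"),   # same password as cam-0003
    ("cam-0003", "admin", "Qf7#kL2pWz9m"),
    ("dvr-0001", "root", "T4v!nR8sBc1x"),    # unique, not a default
    ("rtr-0001", "admin", "Hm2&yD6tQe5k"),   # unique, not a default
]


def audit_fleet(fleet, known_defaults=KNOWN_DEFAULTS):
    """Return {device_id: [issue, ...]} for every device that fails a check.

    Check 1: the (username, password) pair is a well-known default.
    Check 2: the password is shared with at least one other device, i.e. it
             is not "unique to each device manufactured".
    Devices with no findings are omitted from the result.
    """
    devices_by_password = defaultdict(list)
    for device_id, _user, password in fleet:
        devices_by_password[password].append(device_id)

    findings = {}
    for device_id, user, password in fleet:
        issues = []
        if (user, password) in known_defaults:
            issues.append("known default credential")
        sharers = sorted(d for d in devices_by_password[password] if d != device_id)
        if sharers:
            issues.append("password shared with " + ", ".join(sharers))
        if issues:
            findings[device_id] = issues
    return findings


def fleet_is_compliant(fleet, known_defaults=KNOWN_DEFAULTS):
    """True when no device in the fleet triggers a finding."""
    return not audit_fleet(fleet, known_defaults)


if __name__ == "__main__":
    for device, issues in sorted(audit_fleet(SAMPLE_FLEET).items()):
        print(f"{device}: {'; '.join(issues)}")
    print("compliant:", fleet_is_compliant(SAMPLE_FLEET))
```

Run against the constructed inventory, the audit flags cam-0001 for the default credential and cam-0002 and cam-0003 for sharing a password, while the two devices with unique, non-default credentials produce no findings. The same function can be pointed at a real inventory export and a maintained default-credential list to check a product line before it ships.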

Many IoT threats, particularly those developed from the leaked source code of the Mirai software, target default and well-known passwords, which lets them infect devices easily / Photo by: Preechar Bowonkitwanchai via Shutterstock


Alternatively, the UK released in October 2018 a first-of-its-kind IoT security code of practice composed of 13 guidelines that manufacturers should follow to protect their devices and customers. These are great steps taken by the UK, but sadly, they are non-binding, which means they are likely to have little effect on manufacturers’ behavior.

This is why the country’s parliament is working on codifying these demands into law. The proposed legislation would require devices to have unique passwords, similar to California’s. Moreover, manufacturers would have to state the minimum length of time for which they will provide security updates, along with presenting “a public point of contact for vulnerability disclosure.” The UK’s IoT security code of practice is a notch above California’s law, yet this is not enough to address millions of insecure devices.

However, the European Union’s General Data Protection Regulation (GDPR) could help transform the industry. Laura Kankaala, an F-Secure security consultant, explained that the GDPR “could be extended to actually cover the IoT devices or some other regulation could come into place that would extend the GDPR to actually cover these IoT devices as well.” In that regard, a proven regulatory framework that makes manufacturers responsible for consumer data and applies to all internet-connected devices may be the only way to reverse years of apathy.

Regulations Are by No Means Perfect, but the Time to Act Is Now

We are living in an era of hackers gathering sensitive information and trying to gain access to devices that can jeopardize a business or inflict harm on a consumer. The line between IoT devices and devices that individuals use to connect to the internet keeps blurring to the extent that it may become irrelevant. 

Therefore, safeguarding IoT devices is more important than ever. Manufacturers are not willing to take a step toward securing these devices. Further, governments have demonstrated that “they’re only interested in doing too little” until it’s too late. Until such norms change, consumers of IoT devices are left on their own. More often than not, they end up purchasing the cheapest IoT device available on the market, which has resulted in the rapid proliferation of insecure cameras, routers, and digital recording devices.

But we have to remember that legislation is just one part of the solution for achieving compliance with basic security standards, said Monica Eaton-Cardone of IoTforAll. We also need the security engineering and ongoing support of the manufacturer. As consumers, we also need a better understanding of IoT devices so that policymakers are not the only ones who can force change.

Legislation is just one step we could take to regulate IoT. Manufacturers, consumers, and other stakeholders should also exert effort in securing IoT devices. While we can educate ourselves on IoT device security, we should be prepared to hold vendors accountable for manufacturing insecure devices. What’s the point of owning a fully functioning IoT device when it’s vulnerable to security threats?