UK seeks to secure smart home gadgets
Makers of smart home devices are to be encouraged to make their gadgets secure against hack attacks.
The UK has published a voluntary code of practice for manufacturers that shows how they can proof their creations against common attacks.
It aims to stop gadgets being hijacked and used to mount cyber-attacks - and stamp out designs that let cyber-thieves steal data.
Two companies, HP and Hive Centrica, have already agreed to follow the code.
Forward steps
The government initiative is aimed at makers of small smart gadgets for the home, such as web-connected doorbells, cameras, toys and burglar alarms - the so-called internet of things (IoT).
An increasing number of cyber-attacks exploit poor security on these gadgets.
The detailed code was drawn up by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre. It includes 13 separate steps manufacturers can take to produce more secure products.
The steps include:
- securely storing customer data
- regularly updating software
- requiring users to choose stronger passwords
- making it easier for users to delete data and re-set a device
- setting up a vulnerability disclosure policy
"Cyber-crime has become an industry and IoT 'endpoint' devices increasingly constitute the front line of cyber-security," said George Brasher, HP UK managing director.
Computer security expert Ken Munro, who has exposed shortcomings in many IoT products, welcomed the code as a "big step forward".
Mr Munro contrasted it with recently introduced Californian regulations that put legal security requirements on manufacturers. The Californian code comes into force in 2020.
The UK's approach was more detailed and addressed more of the supply chain involved in the production of smart gadgets, he said.
However, Mr Munro said he still had a "wish list" of steps the UK could take to ensure gadgets were as safe as possible.
Consumers should be able to return unsafe gadgets easily, he said, and retailers should commit not to sell any device found to be vulnerable to attack.
The government should also draft laws that required companies to tighten up IoT security, he said.
"It would also be reasonable to let the DCMS guidance 'bed in' with manufacturers," Mr Munro said.
"If they don't start to change behaviour, then that would be the time for regulation."