QuoStar’s Head of Security and resident CISO David Clarke shares his views on the new piece of legislation to protect the consumer – The Product Security and Telecommunications Infrastructure (PSTI) Bill.
“The Product Security and Telecommunications Infrastructure (PSTI) Bill supports the rollout of future-proof, gigabit-capable broadband and 5G networks, and better protects citizens, networks and infrastructure against the harms enabled through insecure consumer connectable products.” [Department for Digital, Culture, Media & Sport, 24 November 2021]
This is a very interesting piece of legislation as the “Product Security Measures” apply to manufacturers, importers, and distributors in the supply chain for consumer connectable products.
“A consumer connectable product is an internet-connectable or network-connectable product.” [Department for Digital, Culture, Media & Sport, 24 November 2021]
The PSTI Bill
The government has stated that the security requirements will apply in relation to products including:
- Connected cameras, TVs, and speakers
- Connected children’s toys and baby monitors
- Connected safety-relevant products such as smoke detectors and door locks
- Internet of Things base stations and hubs to which multiple devices connect
- Wearable connected fitness trackers
- Outdoor leisure products, such as handheld connected GPS devices that are not wearables
- Connected home automation and alarm systems
- Connected appliances, such as washing machines and fridges
- Smart home assistants
The security requirements, to be set out in regulations, will:
- Ban default passwords
- Require products to have a vulnerability disclosure policy
- Require transparency about the length of time for which the product will receive important security updates.
The scale of devices with weak security is absolutely huge, Kaspersky research says there were 1.5 billion attacks against IoT (Internet of Things) products in the first 6 months of 2021.
As we speak (7th December 2021) more than 300 SPAR convenience stores across the UK have either had to revert to cash-only payments – or shut altogether – following a cyber-attack that has meant all point of sale devices have had to be taken offline, meaning the stores are unable to take card payments. It’s not the first time a European supermarket has been caught up in a supply chain attack this year. Sweden’s Coop stores were all hit with REvil ransomware in July this year, as a consequence of the Kaseya breach.
Ban Default Passwords
The question is, will this legislation make a difference? Removing default passwords will of course make a huge difference, yes. And no. It may just delay the inevitable. Will the devices have to have a standard for passwords e.g. minimum length or complexity? Will the device have a lock out period e.g.10 fails and you are locked out? If not, enumeration software will eventually crack the password.
Good idea in principle, the difficulty will be whether these devices will auto update as it may be unlikely many users will have the technical capability to do it themselves.
Important security updates
If security updates are available for 2 years, similar to the average Android phone, what happens then? Will the consumers be alerted when the end of the 2 years is up? Will this then become part of built-in obsolescence, so new phones, doorbells, fitness wearables, washing machines need to be bought new again probably every 2 years.
“Ensure that consumer connectable products, such as smart TVs, internet-connectable cameras and speakers, are more secure against cyber-attacks, protecting individual privacy and security” [Department for Digital, Culture, Media & Sport, 24 November 2021]
This would seem to indicate that if there is damage to an individual’s privacy, there could be a group action against the TV manufacturer, importer, distributor, and manufacturers.
Should these devices go through a form of accredited security testing? In business-to-business relationships, there is usually a requirement that all systems should be updated within 14 days and be in support by the vendor.
In the age of Teleworking would the “work” supply chain be fully in scope? Home routers should not use a default password, and all software/firmware under the legislation must be in support by the vendor. Should smart speakers be updated? The doorbell, fish tank thermometer, alarm system, Wi-Fi Garden lighting? These could all potentially be in scope, especially where someone works from home, as a vulnerability for the corporate workspace.
Just one vulnerable point can allow criminals into a network.
In 2018, attackers were able to compromise a connected thermometer in a fish tank that had a default password. The fish tank was in the lobby of a US casino, and attackers used this vulnerability to enter the network and access sensitive details, such as bank details.
It’s very difficult to ensure that every link in the chain has appropriate cyber security measures in place and it only takes one vulnerable point to allow criminals into a network. Once they’re in, the knock-on effects can be catastrophic.
This is a step in right direction, but how do we manage the consequences, and will enforcement be likely?
Even in the Code of Practice for Consumer IoT Security there is some mention about encryption and cryptographic keys, but it’s not very detailed. Without encryption how will personal data and passwords be stored on IoT devices?
Hopefully, this will be the start of safer online world. Although is it enough? Probably not at this stage.
Will there now be a possibility of a class action against a device manufacturer for privacy infractions? Does this mean that the device manufacturer, importer, distributor could inadvertently (under GDPR) become a data controller if they are responsible or partly responsible for a breach? The bill raises more questions than it answers in the long term.
At Quostar we manage these types of issues for corporate clients regularly. Patch management, passwords, release management and regular upgrades as well as containing systems and devices that cannot be upgraded, so they need to be contained and segregated with special security layers.
David Clarke is the Head of Security and resident CISO (Chief Information Security Officer) consultant.