Smart device-makers issued with code of practice to improve cyber security

Unique passwords, timely software updates and secure storage of personal data are among Government guidelines set out in a new code of practice for smart home device-makers.

The measures aim to improve cyber security in Internet of Things (IoT) products, ranging from smart home speakers, to fridges and toys, as the number of internet-connected devices looks set to rise to 420 million across the UK within the next three years.

The Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) want manufacturers to include security as a crucial part of any smart products by design, rather than bolting it on as an afterthought.

Action to better protect users from hackers comes amid an increasing number of cyber attacks, often made easier by poor security on board the device.

In recent years security researchers have uncovered vulnerabilities in a number of products connected to the internet, including baby monitors and smart teddy bears which hackers could use to snoop on people.

“From smartwatches to children’s toys, internet-connected devices have positively impacted our lives but it is crucial they have the best possible security to keep us safe from invasions of privacy or cyber attacks,” said Minister for Digital Margot James.

“The UK is taking the lead globally on product safety and shifting the burden away from consumers having to secure their devices.”

HP and Centrica Hive are the first companies to commit to the 13-step voluntary code, which is a part of the Government’s five-year £1.9 billion National Cyber Security Strategy, to help make the UK the most secure online place in the world.

However, some cyber security experts are not convinced the initiative is strong enough to crack down on cyber threats.

“While it’s certainly a step in the right direction that the UK Government has issued a new code of practice to help manufacturers improve the security of internet-connected devices, it’s unlikely that the industry will act upon it, given that it is voluntary,” said John Sheehy, vice president of strategy at IOActive.

“Unfortunately, many manufacturers of these devices are more concerned with getting a minimally viable product to market than whether or not it is secure. As a result, many IoT devices expose their owners to significant risks.”