back to article UK.gov cooks up code of conduct to enforce a smidge of security on Internet of S**t kit

The makers of connected devices will be expected to build in security measures to prevent cyber threats, under a draft "code of conduct" issued by the UK government today. The Security by Design review intends to bake security into devices to protect "individuals' online security, privacy, safety" as well as preventing large- …

  1. Andy The Hat Silver badge

    "Code of conduct"

    Doesn't that read like 'thou shalt not break current or future privacy laws"?

    Another document, another pointless waste of paper ...

  2. Anonymous Coward
    Anonymous Coward

    It's a paper that is going to progress change

    at the rate of bailing out a sinking ship with a teaspoon...

  3. Mike Ozanne

    Are they saying that OEM's should include secure encryption? because I'm pretty sure they were not saying this just a while ago....

    1. Mongrel

      When you don't understand the tech everything is possible and with just the wave of the magic wand as well

    2. Pen-y-gors

      The govt only really worry about being able to hack into your secure communications when they might be interesting - email and messaging, location, financial transactions. GCHQ won't worry too much if they can't decipher an instruction that tells your hall light to switch on or off. Until that is, some nasty trrrst network decide to communicate secretly by sending morse code via bedside lights... Upgraded light bulbs could have a small LED display that decodes the morse. (Can I patent that idea as the next WhatsApp?)

  4. alain williams Silver badge

    The vendor to the consumer should be liable ...

    otherwise they will simply refer customers to the manufacturer; which is probably somewhere in China that ignore complaints. This will ensure that resellers will sell stuff that causes them least problems, ie kit that it well designed, tested and is well supported, etc. If a manufacturer cannot provide assurance, etc, they won't get sales - simples.

    Also product (support) lifetimes should be reasonable. This does not mean 'until the next model is released', but the real lifetime that one expects. So: for a fridge - maybe 20 years, light switch - 50 years.

    1. Dodgy Geezer Silver badge

      Re: The vendor to the consumer should be liable ...

      ...So: for a fridge - maybe 20 years, light switch - 50 years....

      For an IoT light switch - expect 2 years......

  5. Olivier2553

    No password reset

    Did I read that right? So if the user forget the password, the device is bricked?

    That a reset implies the user is forced to choose a new password next time, OK, but no password reset does not sound right.

    1. Outer mongolian custard monster from outer space (honest)

      Re: No password reset

      No, that implies that THAT device has a unique password.

      So if you push the "oh poo make everything default button", it should revert its firmware to that unique password stored somewhere as a backup.

      Perhaps we could then retain access to that backup with something high tech, like having it printed on the case somewhere out of sight requiring physical access and interaction to view should we loose it?

      Also strikes me that install of the backup recovery firmware defaulting to a generic could be acceptable as long as thats not the out of the box firmware applied.

      The bit I do not agree with is that all devices should update automatically as a mandatory thing. No, I don't want to give manufacturers carte blanche to push new unwanted features at me and delete functionality they decide was a bit too generous in future. I'm ok if its a feature I can disable deliberately knowing this however.

    2. Pen-y-gors

      Re: No password reset

      Agree it's a problem, but forcing a new password doesn't help.

      1) Hacker forces reset

      2) Hacker chooses new password

      3) Hacker launches DDoS

      4) Owner stuffed.

      1. Doctor Syntax Silver badge

        Re: No password reset

        "4) Owner stuffed."

        Not necessarily the worst outcome. If Owner stuffed happens often enough and publicly enough we then have:

        5) Vendor gains poor reputation.

        6) Vendor fails to sell product in the future.

        There is then an incentive to produce secure stuff.

      2. Joe Werner Silver badge

        Re: No password reset

        > Agree it's a problem, but forcing a new password doesn't help.

        >

        > 1) Hacker forces reset

        >

        > 2) Hacker chooses new password

        >

        > 3) Hacker launches DDoS

        >

        > 4) Owner stuffed.

        If the hacker can enforce a reset of my WLAN router I have another problem as the person is now in my apartment. Same goes for other devices that have some hardware reset switch....

  6. Pen-y-gors

    It's not that simple.

    But I wish it was.

    The guidelines are a good starting point. They stick to approaches and principles rather than being too specific (must use encryption type ABC-123 etc).

    Having some form of kitemark to show the device conforms to the standards would help, with a ban on sale in the EU without one.

    But: what happens when a manufacturer is, in all good faith, flogging a conformant product, and a hole in the encryption is found and exploited? Do they have to pull any unsold items? Stop production until hole is fixed? Issue a product recall?

    Problem 2: the no pw reset thingy. Many of these devices will be plug in and forget. What happens 3 years down the line when a fix needs to be installed, and the piece of paper with the admin password on has long been recycled? No way to reset password? Bin the device or just live it with an unplugged hole?

  7. Anonymous Coward
    Anonymous Coward

    Surely some of the politicians have phones and IoTat devices? Then surely they must be aware of the rubbish security, lack of updates and short term life or if they don't they will eventually become aware, you know when their home internet bandwidth gets used by a bot net or some other issue. Therefore at some point I would assume they will legislate. Anyway, you can always hope.

    1. Dodgy Geezer Silver badge

      ...Surely some of the politicians have phones and IoTat devices?...

      What do you think politicians have unpaid intern for? You don't think they get their hands dirty lifting anything apart from glasses at expensive restaurants....?

  8. jake Silver badge

    I can't be the only one who parsed that ...

    ... "UK.gov cocks up code of conduct" and thought to oneself "Yep. That sounds about right."

  9. Zog_but_not_the_first
    Thumb Down

    Are you listening China?

    Wags finger.

  10. Anonymous Coward
    Anonymous Coward

    Idiot!

    The headline reinforces what I said yesterday (and got well downvoted for my pains) when talking abot IoT and all the shit that it can bring on you and your loved ones.

    There is at least one other person with the same level of contempt for IoT security etc that I have.

    Keep up the good work El Reg. Perhaps one day, the great unwashed (the general public) might get a hint that this IoT stuff is not all it is cracked up to be.

    Don't forget that BB will be watching you. No hanky panky on the sofa! Yes you there! I mean you!

  11. Cuddles

    If only

    "Responsible manufacturers are already addressing IT security in devices"

    If only there actually were any responsible manufacturers.

    1. Zippy's Sausage Factory

      Re: If only

      I think what they actually mean is

      "Most manufacturers are updating their Ts&Cs to include forced arbitration and the buyer indemnifying the manufacturer from all liability as their way of addressing IT security in devices"

      And they're probably fine with this...

  12. Doctor Syntax Silver badge

    "The code states that all passwords on new devices and products are unique and cannot be reset to a factory default"

    Not the best solution I'd have thought. A better one is that the out of box state is non-functional and requires a password to be set to become functional. A reset reverts it to out of box state.

    I take Pen-y-gors' point about a remote reset by a hacker. The solution there would be that setting the password requires physical access to the device, say press a button on the device and you have a minute to set a password.

    Someone places the device where they can't reach it and it gets remotely reset? There problem which is considerably better than being everybody else's.

  13. }{amis}{
    Thumb Down

    Code of Conduct

    I expect this will have as much impact as the banking code of conduct IE none (PPI,Endowments,et all)

  14. Scott Broukell

    "protect individuals' online security, privacy, safety as well as preventing large-scale cyber attacks"

    Since none of the above ever has, nor ever will, be the case in a connected online world, such measures can only be of the `sticking plaster' variety and as such are worthless drivel.

  15. Alister

    See that stable door?

    The one flapping about, with no horse inside?

    Just close it, will you?

  16. Richard Pennington 1

    Proper labelling would help ...

    ... As in a label to be prominently displayed on the packaging of any product without suitable security measures.

    The text of the label should read simply "IDIoT".

    As in Insecurely Designed Internet of Things.

  17. Anonymous South African Coward Bronze badge

    Just brick all unsecured devices.

    And keep on bricking them until the owners buy IoT things with proper security baked in.

    Reminds me of "Macbeth does Windows95" by the Usenet Oracle.

  18. Anonymous Coward
    Anonymous Coward

    Just hold on there a moment

    It also says software should be automatically updated

    I don't think so, I've no desire to have the W10 experience replicated elsewhere, perhaps something like this statement would be better.......

    Software should be automatically oupdated or the user should have the option to turn off automatic updates and apply them manually for a duration of no less than 7 years from the point of market introduction.

  19. Flywheel
    FAIL

    They have no effing clue, do they?

    "However, how it plans to police the code [insert latest fad here] remains unclear"

    To be honest, this is just another exercise at sounding good and will not actually come to anything. Do they actually have a department within a department that comes up with this nonsense, at taxpayers' expense?

    As for "financial penalties", it'll depend which country the vendor is from, so based on the ongoing culture of appeasement to any State with more money/clout than us we won't be collecting a single penny.

    /rant

  20. Voidstorm
    WTF?

    Once more unto the breach...

    ... with a completely toothless, voluntary, and penaltyless "code of conduct".

    When will Government understand that Business routinely ignores shit like this unless it suits *them* not to?

    Voluntary Code of Conduct = we must be seen to be doing something, when we're in fact just waffling into the headwind.

    Press code of conduct anyone? Phonehacking? How many more examples of voluntary codes of conduct failing *epically* do we need before the boneheads in government realise that only enforcible laws will give impetus to real change, because the fines *cost more than the work of compliance*.

    Money is the only thing that sharply motivates business to change.

  21. Doctor Syntax Silver badge

    Problem of definition

    What's a connected device?

    On the face of it my laptop is a connected device. Am I to be supplied with a unique password by the manufacturer which I can't then change?

    What about something like a Kodi box? I can build one of those with a Raspberry Pi and as everybody but possibly Matt Hancock knows those can be given entirely new OSs simply by swapping the SD card. Is someone taking the Pis?

  22. Anonymous Coward
    Facepalm

    Sure....

    ....the £20 webcam shipped from a random supplier in China, after being bought from eBay will conform to this.

    And if not, we'll send a strongly worded email.

    1. Flywheel

      Re: Sure....

      Yes, but to whom?

  23. FlamingDeath Silver badge

    Stupid people do stupid things

    You can't protect against stupidity. Evolution at its finest.

    Create ever more 'idiot proof' stuff, nature just creates better idiots

    Take this for example, recently in the news, reflection attacks using Memcached

    It clearly states here:

    https://github.com/memcached/memcached/wiki/ConfiguringServer#networking

    By default memcached listens on TCP and UDP ports, both 11211. -l allows you to bind to specific interfaces or IP addresses. Memcached does not spend much, if any, effort in ensuring its defensibility from random internet connections. So you must not expose memcached directly to the internet, or otherwise any untrusted users. Using SASL authentication here helps, but should not be totally trusted.

    Need I say more?

    Retards, Retards Everywhere ©

  24. Anonymous Coward
    Anonymous Coward

    Too meta?

    A poo-shaped plastic device that listens to everything you say and sends your PI to a server in Krakadoomistan....

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon