The UK’s new Product Security and Telecommunications Act (PSTI) came into effect earlier this year. But what does it mean for telecoms and IT providers in the Channel?
The Act mandates that internet-connected smart devices, such as phones, TVs and smart doorbells, meet minimum-security standards by law and applies not just to those devices manufactured in the UK, but to all organisations importing or retailing products for the UK market.
Failure to comply with the Act could result in fines of up to £10 million or 4 per cent of qualifying worldwide revenue (whichever is higher).
The UK is the first country to implement such a law to address smart device cybersecurity, but others are expected to follow. The EU’s Cyber Resilience Act is currently going through council and imposes a duty of care on digital product manufacturers which lasts a product’s lifetime.
In the U.S., the Federal Communications Commission recently approved a voluntary programme that allows manufacturers to display a U.S. cyber trust mark on products that meet the cybersecurity standards of the IoT Labelling Program.
Why it’s needed
Attackers are demonstrably trying to compromise IoT devices. For example, the recent variant of the P2Pinfect botnet discovered in December 2023 specifically targets web-enabled devices, routers and other embedded systems. This is just one of many examples of botnet malware, which is now easily available as open source via criminal forums.
Once infected, the IoT devices are integrated into the attackers' botnets via attack payloads, which are typically based on malware such as Mirai or Gafgyt, and then used for denial of service (DoS) attacks against attractive targets. In February, it was reported that millions of smart toothbrushes were thought to have been used in a dedicated DoS attack, resulting in millions of euros in losses for an unnamed Switzerland-based company.
The consequences of an attack on IoT components are difficult to predict and range from the infection of individual devices to the loss or destruction of sensitive personal data, to a complete failure of computer infrastructure, which paralyses the company and renders it unable to act. According to research by Forrester, 34 per cent of enterprises that fell victim to a breach via IoT devices faced higher cumulative breach costs than cyberattacks on non-IoT devices, ranging between $5 million and $10 million.
The biggest issue is that smart devices have typically shipped with the same factory-set default credentials across a whole product line. These were either easy to guess (a username and password combination such as ‘Admin’ and ‘12345’) or disclosed by a simple internet search. At installation these default credentials were often left unchanged, leaving the device an open target. Bad actors roam the internet in search of devices that still have the factory default credentials; if they find one, they can log in and use the device to access the local network or carry out cyberattacks. Default passwords combined with a lack of additional authentication security present an own goal.
Another challenge with IoT devices is software flaws. Vulnerabilities are a fact of life and continue to be discovered. One concerning trend is that practically every vulnerability found in one device can affect a whole range of devices. For example, Tenable’s security analysts have identified a path traversal vulnerability in routers that allowed attackers to bypass authentication at the web interface to access other systems on the same home or corporate network. With most systems now using shared libraries, the researchers were subsequently able to detect the same vulnerability in the routers of at least 13 ISPs in 11 countries.
What will change
The majority of web-enabled devices have been designed with a focus on flexibility and functionality; in the eyes of many manufacturers, the security of the devices is only of secondary importance. Moving forwards, the PSTI Act forces manufacturers to consider the cybersecurity implications of the device during production and for its lifetime. Specifically:
- Devices will no longer be supplied with default passwords to prevent them being compromised. While this is welcome for new products, it would be remiss to ignore all those devices already in use around homes, offices and out in the wider world where default credentials remain unchanged.
- New vulnerabilities will continue to be discovered and organisations need to be able to update devices moving forward. While some devices can and will receive their updates automatically, too many still require manual user intervention for this critical step. The PSTI Act means manufacturers must state the minimum length of time for which the device will receive important security updates.
- Security teams and researchers are actively testing IoT devices for potential vulnerabilities. Manufacturers must provide a point of contact for reporting security issues and work to close the gaps identified.
In principle, industry standards and legal regulations aimed at improving the protection of IoT devices when they are introduced and throughout the entire product lifecycle are, of course, welcome. But even if they are an important step in the right direction, they are not enough in themselves.
Companies should not be lulled into a false sense of security that they are optimally protected just because they have ticked the right boxes on the checklist. Each business and facility is responsible for defining and implementing secure processes to reliably protect their infrastructures, including IoT devices.
Anyone using IoT devices can’t ignore the risks of default credentials or an unpatched device. The only way to stay one step ahead of the attackers is to proactively identify where these exist in the environment and then take steps to change, update or eliminate them based on risk.
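One way to do that proactive identification is to run the device inventory against the three PSTI points above: unchanged factory credentials, firmware below the patched release, and an expired security-update support period. The script below is an added example, not code from the article or from Tenable; the model table, device records, version numbers and support dates are all constructed, and the `factory_creds` flag is assumed to come from a provisioning system rather than from storing passwords in the inventory.

```python
"""Added example: triage a constructed IoT inventory against PSTI-style checks."""
from dataclasses import dataclass
from datetime import date

# Constructed per-model data: minimum firmware containing the known fixes and
# the manufacturer's stated end of the security-update support period.
MODEL_INFO = {
    "cam-200": {"min_fw": (2, 4, 0), "support_end": date(2026, 6, 30)},
    "rtr-10":  {"min_fw": (1, 9, 2), "support_end": date(2024, 1, 31)},
}

@dataclass
class Device:
    host: str
    model: str
    firmware: str
    factory_creds: bool   # True if provisioning never replaced the default login (assumed source)

def parse_version(v: str) -> tuple:
    """'2.10.1' -> (2, 10, 1) so that versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def assess(dev: Device, today: date) -> list:
    """Return the list of findings for one device; an empty list means no issue found."""
    info = MODEL_INFO.get(dev.model)
    if info is None:
        return ["unknown model: no support period or patched-firmware data"]
    findings = []
    if dev.factory_creds:
        findings.append("factory default credentials unchanged")
    if parse_version(dev.firmware) < info["min_fw"]:
        patched = ".".join(map(str, info["min_fw"]))
        findings.append(f"firmware {dev.firmware} below patched {patched}")
    if today > info["support_end"]:
        findings.append(f"security update support ended {info['support_end']}")
    return findings

def triage(devices, today: date) -> list:
    """Pair each host with its findings, highest-risk (most findings) first."""
    results = {d.host: assess(d, today) for d in devices}
    return sorted(results.items(), key=lambda kv: -len(kv[1]))

SAMPLE = [  # constructed inventory records
    Device("10.0.0.5", "cam-200", "2.4.1", factory_creds=False),
    Device("10.0.0.1", "rtr-10", "1.8.0", factory_creds=True),
    Device("10.0.0.9", "unknown-x", "1.0", factory_creds=False),
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE, date(2024, 6, 1)):
        print(host, findings or ["ok"])
```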