“Security is not the main focus…and cyber criminals are having a field day”
Michelle Kradolfer, Secured by Design’s Internet of Things (IoT) Technical Officer has highlighted how IoT connected products are being targeted by cyber criminals, and the steps that can be taken to mitigate the threat that these devices pose.
Addressing delegates at the 2023 Secured by Design (SBD) ATLAS national training conference and exhibition, Michelle explained that the threat was ever increasing, with the average UK household now having over 10 internet connected devices, with many of these products being produced without security being a major consideration.
“Security is not the main focus…and cyber criminals are having a field day” she said, “There were around 1.51 billion attacks made on IoT devices in the first half of 2021. The risk is great and it can affect a lot of different people in many different ways”.
Citing four products – a fish tank, a tablet/iPad, a chastity belt for men and a heating system – she posed the question as to what all four had in common. “All have features that can enhance people’s lives and all have sensors, software and other technologies within them that allow them to connect with another device, app, platform or cloud storage and to communicate or transfer data in any way.
“By doing that they’re using the internet, be it by Wi-Fi or mobile networks” Michelle continued, “and all four aforementioned products have been used to facilitate a cyber attack or breach, either as the intended target or as a conduit.
“A smart thermostat in a fish tank was hacked and used as entry way to access a casino’s database of ‘high rollers’ containing personal and financial information; a man was jailed for IoT-related abuse after being found guilty of eavesdropping on his estranged wife through a microphone on a wall-mounted tablet used to control the heating and lights in their home; malicious hackers took control of a man’s IoT Chastity Belt demanding a payment of 0.02 Bitcoin to unlock the device, which thankfully he wasn’t wearing at the time, and a residential building in Finland suffered a cyberattack on their smart heating system, causing the warm water and heating to be shut off for a week during the winter months”.
Government legislation & the SCD accreditation
After highlighting the threat landscape, Michelle spoke about how the SBD Secure Connected Device accreditation is supporting the government with IoT Security in the UK.
“The Product Security and Telecommunications Infrastructure Act 2022 received Royal Assent on 6th December 2022 and was enacted into law. It requires manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers.
“SBD launched the Secure Connected Device accreditation scheme in 2022 in response to this pending legislation, coupled with a growing demand from industry and current members seeking to gain SBD accreditation for IoT products.
“The SBD Secure Connected Device accreditation scheme, developed in consultation with the Department for Digital, Culture, Media & Sport (DCMS), helps companies to get their products appropriately assessed against all 13 provisions of the ETSI EN 303 645 standard, a requirement that goes beyond the Government’s legislation so that companies can not only demonstrate their compliance with the legislation but protects them, their products and customers.
“The SBD Secure Connected Device IoT Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes with one of our SBD approved certification bodies. Once third-party testing and independent certification for a product has been achieved, the company can apply to become SBD members, with the product receiving the SBD’s Secure Connected Device accreditation, a unique and recognisable accreditation that will highlight products as having achieved the relevant IoT standards and certification”.
Why is this legislation & the SCD accreditation important?
Michelle continued “The risk of a cyber attack or breach against an IoT device can be reduced as SCD accredited devices have been tested to ensure they have been built to the required security standards. The Secure Connected Device accreditation is the only way for companies to obtain police recognition for the security of their IoT products in the UK.
“SBD continually monitor national crime trends to keep pace with changing patterns of criminal behaviour and new technology, ensuring that standards are updated to reflect these changes.
“Without the appropriate levels of security, any internet connected device or app is at risk of providing cyber criminals with a key to enable them to access and steal personal data. It is therefore vitally important to ensure that all IoT products have the right level of security in place to protect consumers and reduce the risk of them falling victim to cyber crime.
“This new SBD standard will lead by example and be at the forefront of the IoT revolution and in doing so will help to keep their customers and the public safer from the risk of a cyber breach”.