Businesses must act now to comply with Product Security and Telecommunications Infrastructure Act. Secured by Design (SBD) National Manager and Secure Connected Devices accreditation lead, Michelle Kradolfer explains why. 

The Internet of Things (IoT) collectively refers to any electronic smart device equipped with sensors and internet connectivity that can action, collect, store and share data.  

Whilst consumer connectable products offer huge benefits for people and businesses to live better connected lives with a lower carbon footprint, the adoption of cyber security requirements within these products is poor.

Consumers overwhelmingly assume that these products are secure, however, whilst connectable consumer products have previously had to comply with existing regulation to ensure that they will not directly cause physical harm from issues such as overheating, environmental damage or electrical interference, they have not until very recently been regulated to protect consumers from cyber harm such as loss of privacy and personal data. 

To close this regulatory gap and to address the issue of insecure technology, the government drew up the Product Security and Telecommunications Infrastructure Act 2022, which was enacted into law in December 2022. 

Businesses were then given a grace period with which to become compliant with the Act, with compliance required by the 29th of April 2024. 

The Act requires manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to connectable products that are available to consumers in the UK and provides a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape. 

So why is this law so critical? 

The use of IoT devices has proliferated recently and so have attacks from those intent on exploiting the vulnerabilities in these devices.  

In 2021 the consumer magazine Which? undertook a study to look at how a smart home could be at risk from hackers, setting up their own smart home.

This detected more than 12,000 scanning or hacking attempts in a single week!

Without the appropriate levels of security, any internet connected device or app is at risk of being readable, recognisable, locatable, and/or controllable via the internet, thus providing cyber criminals with the ‘key’ in accessing and stealing personal data.

This can then be used for a multitude of criminal purposes, including burglary, theft, blackmail, harassment and stalking. 

In April 2023, UK Security Minister Tom Tugendhat revealed that cyber hacked businesses each ended up £15,000 out of pocket, telling the CYBERUK Conference: “A quick look at the basic figures is enough to bring home the scale and severity of the issue we face. 

“New findings released just yesterday from the Cyber Security Breaches Survey show that 32% of businesses experienced at least one cyber breach in the last 12 months. This year, for the first time, the survey also tells us how many of these breaches resulted in a cybercrime being committed”. He said sight must not be lost that there is a human victim behind each figure, adding “Each is a grandparent defrauded and stripped of their savings. Each is a small business held to ransom and jobs lost”. 

Harassment, stalking and domestic abuse 

The BBC has reported how IoT devices are being used to facilitate domestic abuse and when it comes to harassment and stalking for example, insecure technology can provide new opportunities for abusers to control, harass and stalk their victims. Examples of this include: 

• In 2018 a man was jailed for 11 months for IoT-related abuse after being found guilty of eavesdropping on his estranged wife through a microphone on a wall-mounted tablet used to control the heating, TV and lights in their home 

• In January 2022 a man was jailed after hacking into an 11-year-old’s webcam to spy on her whilst she showered and undressed  

• In January 2020 a man was jailed after he used the tool’s capabilities to enable victims’ webcams, but without activating the camera status LED. This allowed him to record videos and take screenshots while victims were unaware, including during intimate moments 

• In April 2022 a man was sentenced after accessing his ex-partner’s CCTV system to spy on her in her own home, as well as letting himself into her home, during a stalking campaign  

• In April 2019 a man was sentenced and issued with a restraining order after he accessed the home security camera which his ex-partner used to check on her pets whilst out to spy on her 

• Security researchers found that the manufacturer of an IoT chastity cage had left an API exposed, (Application Programming Interface, which is a software intermediary that allows two applications to talk to each other), giving malicious hackers a chance to take control of the devices. That’s exactly what happened, with a victim receiving a message from a hacker demanding a payment of 0.02 Bitcoin, which is currently around £445, to unlock the device. He realised his cage was definitely locked and he could not gain access to it. Fortunately for the victim, the device wasn’t locked in on himself 

In July 2022 a Brisbane teenager was arrested after building spyware that was being used by domestic violence perpetrators across the world.

The teenager created and sold a sophisticated hacking tool which was being used by domestic violence perpetrators and child sex offenders to spy on tens of thousands of people across the world. 

Left out in the cold 

Residents of two apartment buildings in Lappeenranta city in southeast Finland were left in the cold after a DDoS (Distributed denial of service) attack knocked out their heating systems.

The cyber-attack is believed to have lasted for nearly a week, starting in late October and ending in November.

The attack temporarily disabled the computer systems that controlled the central heating and hot water distribution of both buildings.

In an attempt to ward off the attacks and remain functional, the targeted systems went into an endless cycle of rebooting.

This in turn resulted in the heating system being cut off, leaving residents with no heat and presumably, cold showers.

If a similar attack was carried out on a larger scale, such as a whole city that is considered ‘smart’ and has similar systems with the same vulnerabilities, the consequences could be catastrophic and you could leave a large population without heating or water. It’s one way to target citizens and weaken a country. 

What does the law cover? 

The Product Security and Telecommunications Infrastructure Act applies to all consumer IoT products, including but not limited to: 

• connected safety-relevant products such as door locks 

• connected home automation and alarm systems 

• Internet of Things base stations and hubs to which multiple devices connect 

• smart home assistants 

• smartphones 

• smoke detectors 

• connected cameras 

• connected fridges, washers, freezers, coffee machines 

What does the law require?   

The Product Security and Telecommunications Infrastructure Act covers the following three main security features: 

• Consumer IoT devices will not be allowed to have universal default passwords 
  This makes it easier for consumers to configure their devices securely to prevent them being hacked by cyber criminals 
   

• Consumer IoT devices will have to have a vulnerability disclosure policy  
  This means manufacturers must have a plan for how to deal with weaknesses in software which means it’s more likely that such weaknesses will be addressed properly 
   

• Consumer IoT devices will need to disclose how long they will receive software updates 
  This means that software updates are created and released to maintain the security of the device throughout its declared lifespan 

These minimum security requirements contained within the law are based on the UK’s Code of Practice for Consumer IoT security, the leading global standard for consumer IoT security ETSI EN 303 645, and on advice from the UK’s technical authority for cyber threats, the National Cyber Security Centre.  

The regime will also ensure other businesses in the supply chains of these products play their role in preventing insecure consumer products from being sold to UK consumers and businesses. 

What are the penalties for not complying with the law? 

The robust regulatory framework within the law contains an enforcement regime with civil and criminal sanctions aimed at preventing insecure products being made available on the UK market within it.

This enforcement regime enables the government to take a range of actions against companies that are not compliant with the law. This includes: 

• Enforcement Notices: Compliance notices, Stop notices and Recall notices 

• Monetary penalties: the greater of £10 million or 4% of the company’s qualifying worldwide revenue  

• Forfeiture: of stock which is in the possession or control of any manufacturer, importer or distributor of the products, or an authorised representative 

What needs to be done? 

Businesses who produce or supply IoT connected products need to ensure that they are sighted on this law and have taken the appropriate steps to ensure that they are compliant with its requirements. 

Just to repeat, the compliance date was 29^th April 2024. 

Find out more about the Product Security and Telecommunications Infrastructure Act and how SBD’s Secure Connected Device accreditation can help with compliance at www.securedbydesign.com/IoT. 

This article was originally published in the July Edition of Security Journal UK. To read your FREE digital edition, click here.