One of Apple’s key goals with HomeKit was to make smart home devices secure. The UK government has announced it wants to play its part in achieving the same thing by requiring all devices to meet three simple security requirements…
The requirements are pretty basic.
- All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting
- Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
- Manufacturers of consumer IoT devices must explicitly state at the point of sale, either in store or online, the minimum length of time for which the device will receive security updates
The government is perhaps overselling the benefits.
Digital Minister Matt Warman said: “We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology. Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”
All the same, even preventing the use of default passwords is a lot better than nothing. There are a huge number of network cameras out there, for example, with default passwords which many owners don’t bother to change.
Engadget reports that we shouldn’t expect anything to happen overnight, however.
The government says it’s planning on implementing the law as soon as possible, although it will first be run on a voluntary basis while officials observe its effectiveness. The government also says that it is now working on developing these rules further in a way that “supports the long term growth of the IoT,” and plans to work with international partners to help “drive a consistent, global approach to IoT security.”
Apple’s HomeKit protocol aims to make smart home devices secure by addressing security at a more fundamental level. Devices and whatever hub is controlling them (be it a manufacturer bridge or an Apple TV, HomePod or iPad in hub mode) must use encrypted communications. The hub must ensure that the device is a certified one before sending it a command, and the device must check that the hub is certified before obeying it.