GCHQ asks tech firms to pretty please make IoT devices secure

GCHQ has managed to convince HP Inc and Centrica Hive to take its side in a relatively rare public intervention on the state of consumer IoT security. A voluntary code of practice, to which the two companies have signed up, urges them to implement published standards and recommendations on how to bake security into IoT devices …

  1. Yet Another Anonymous coward Silver badge

    GCHQ has translated the code into different languages

    But not Belgian

    and some more text because it now blocks comments that only contain links

    1. Joe W Silver badge

      Re: GCHQ has translated the code into different languages

      Which one of the three official languages are you referring to?

  2. }{amis}{ Silver badge
    FAIL

    Internet of S%!£

    "GCHQ hopes that by getting large industry players on side, consumers will have less to worry about in future"

    I wish them luck but the bulk of IoT gear I've had the misfortune pleasure of encountering has come from brands so no-name that I struggled to locate a website for them, let alone a patch for their products.

    Given that heavyweights like BMW can't even get the basics right, a voluntary code of practice is a nonstarter.

    1. vir

      Re: Internet of S%!£

      And even if you get something with what seems to be a legitimate setup behind it, most of the time it's a rebadged piece of crap from some fly-by-night outfit. You can count yourself lucky if it doesn't shock you or burn your house down - never mind any security concerns.

    2. Flywheel Silver badge
      Megaphone

      Re: Internet of S%!£

      What GCHQ could do is remotely shut down/disable all IoT devices with these vulnerabilities (after an official warning to the manufacturers of course). The resulting sh*tstorm and general howls of anguish from Jo Public would perhaps "encourage" the Supply Chain to stop selling crap in the first place.

  3. alain williams Silver badge

    GCHQ need a big stick

    This is one area where I wish the government would give GCHQ some strong powers to compel vendors to do as it says: make these things secure (but without any nice five eyes back-doors). The article contains phrases like "GCHQ hopes", which we all know means that vendors will do as little as possible, preferably nothing.

    The onus needs to be on UK manufacturers AND those who import foreign (== mainly Chinese) kit into this country.

    There also needs to be an onus to support these things for their *use* lifetime, not a lifetime defined as until-the-next-model-is-released. The entire code-base needs to be held in escrow and released Open Source once manufacturer updates cease to come. For some things I can see a 'use lifetime' of 30 years or more (eg IoT light switches).

    This needs the backing of strong laws (that are actively enforced == big fines) otherwise it just will not happen. The cost of not doing this will be millions of tiny breaches.

    1. Yet Another Anonymous coward Silver badge

      Re: GCHQ need a big stick

      It might first think about splitting the responsibility for securing computers from the agency also responsible for breaking into them.

      GCHQ being in charge is like making bomber command responsible for the fire brigade.

    2. Anonymous Coward

      Re: GCHQ need a big stick

      "...make these things secure (but without any nice five eyes back-doors)"

      Your naivety is touching.

      Not sure you'll be quite as vocal with the severe punishment when the government decides to compel backdoors, but heh, by then they won't be taking much notice of pesky things like democracy.

  4. Teiwaz Silver badge

    Meanwhile, in another wing...

    Some security bod will issue a statement on concerns about 'things going dark'

  5. Stevie Silver badge

    Bah!

    All your automated production-line are belong to lightbulb in CEO's desk lamp.

  6. LeahroyNake Bronze badge

    IoT

    Please try to be consistent in articles when you use acronyms.

    Internet of Tat was not mentioned in this article but some bright spark pointed out that RDP meant Remote Desktop Protocol in the latest On Call episode. /sarc

    Why can't I see or use the icons any more ? :(

    1. tiggity Silver badge

      Re: IoT

      @LeahroyNake

      Are you blocking part of the site content (e.g. images), so that either the images are blocked or possibly some .js code needed to add the icons is blocked (CBA to check if any .js is involved!)?

      To save bandwidth my mobile browser has image blocking on by default & so I cannot see reg icons on my mobe.

      IIRC icons disabled if posting as AC

  7. macjules Silver badge
    Thumb Down

    Hahaha!

    The use of open, peer-reviewed internet standards is strongly encouraged. Primarily applies to: Device Manufacturers, IoT Service Providers, Mobile Application Developers

    Good luck with that one guys. "Peer Review" with that lot usually means "Oops, I just Peed all over your standards. Soz about that"

    Devices and services should be configured such that personal data can easily be removed from them when there is a transfer of ownership, when the consumer wishes to delete it and/or when the consumer wishes to dispose of the device. Consumers should be given clear instructions on how to delete their personal data.

    Tried that one with JLR (Jaguar Landrover Rangerover) recently, have you? Thought not.

  8. Doctor Syntax Silver badge

    "One might think these were stating the bleedin’ obvious"

    No, one might not. The bleedin' obvious is "If it costs us money and we can get away without doing it we won't do it". The way to fix IoT security is to make it impossible to get junk into the marketplace. Make it illegal to sell insecure devices and illegal to connect them to the internet, with an obligation on ISPs to enforce the latter. If Joe Punter discovers that the £1 cheaper grey market device bricks his internet connection until he removes it he'll be a bit more careful where he spends his money in future.

    1. JohnFen Silver badge

      "with an obligation on ISPs to enforce the latter"

      NO!

      ISPs should not be analyzing my packets in an attempt to find these things (or for any other non-traffic-shaping purposes).

    2. Paul Crawford Silver badge

      Trying to get others (like the ISPs) involved will not end well.

      Simpler is to make the manufacturer and/or importer liable for GDPR-like fines for insecurity for the expected life of the product, which should be something like at least 5 years after last sold. With no exceptions.

      Security costs and marketer-driven additions are all more liabilities to the end user; make sure those implementing IoT are held responsible for that.

  9. redpawn Silver badge

    Shred them

    Mandatory standards of security should be required to import any such device. Non-complying devices should be confiscated and shredded at the border.

    1. Yet Another Anonymous coward Silver badge

      Re: Shred them

      Once we renationalise the post office and put it in charge of internet and telephones again it will be able to enforce the rules that only GPO approved 300 baud modems can be connected. And with internet calls priced per minute you won't want your lightbulb calling up to the server very often.

  10. Mike 16 Silver badge

    Mandatory Standards

    One must presume that any mandatory standards promulgated by GCHQ (or other five-eyes "security" agencies) will contain NOBUS (Nobody But Us) provisions. Secure from everybody but GCHQ and friends, where some friends are such bastions of freedom and decency as [redacted per security spec]

  11. JohnFen Silver badge

    A fantastic idea

    “minimise exposed attack surfaces”

    This is a fantastic idea which should be implemented immediately by no longer requiring interaction with the cloud in order to use these things.

  12. Anonymous Coward

    Step 1 - Just stop phoning home every minute

    Why? Just why does an effing [insert device of your choice] need to contact the maker's server?

    And if you block the phoning home at your firewall, the sodding thing stops working.

    IoT is a huge pile of stinking dog pooh mixed with rotten sick and the run off from 1,000,000 rotting corpses.

    1. Anonymous Coward

      Re: Step 1 - Just stop phoning home every minute

      Seriously - a down vote? Explain yourself.

      1. Anonymous Coward

        "1,000,000 rotting corpses"

        [citation needed]

  13. Stork Silver badge

    I am old

    I have not yet worked out why I want IoT and a connected car and so on

    1. Is It Me Bronze badge

      Re: I am old

      As you get older you might find some of the IoT things begin to make more sense.

      If you have limited mobility being able to set the light levels in the room from a remote control or tablet will make your life easier.

      Same with being able to control the temperature of the room you are in, or the room you will be going to next.

      The devices shouldn't need an internet connection to be able to do this, but having one can make life easier too. For an example of having the internet connection as an extra, look at the Z-Wave controllers: most of them work locally but give the option of connecting through the controller manufacturer's website to work externally.

    2. Anonymous Coward

      Re: I am old

      Presumably, when the time comes, you won't have a choice about a connected car. Security upgrades will be mandatory or you become an outlaw.

      That your car can be hacked as a result of linking to the internet will probably be seen as collateral damage.

      They can't even make PCs secure - what hope do they have of succeeding with cars?

      eg: https://thehackernews.com/2018/05/bmw-smart-car-hacking.html

  14. joed

    GCHQ asks vendors not to make IoT too secure

    and have a backdoor in place for the good guys

  15. DougS Silver badge
    Black Helicopters

    Do they really want secure devices?

    I think spy agencies give lip service to this - mostly because of government or government contractors using insecure devices so they want them to be able to become secure. In reality they'd be happy if everyone has an Alexa or Google Home they can hack into and easily listen in on what people are talking about, that businesses all have vulnerable Chinese CCTV cameras they can hack into and watch what's going on.

    I think the spy agencies all watch modern movies and TV shows that give the impression that government departments all have an uber hacker at their disposal who can track suspects by hacking into pretty much any electronic device in 30 seconds while Jack Bauer or M stands over their shoulders impatiently waiting for the results so they know their next move. They're jealous!

  16. sanmigueelbeer Silver badge
    Stop

    And about vendors who don't "volunteer"? Will they be able to sell their craps?

  17. Cuddles Silver badge

    Voluntary

    Security was already voluntary for everyone involved in making IoT crap. What exactly does telling everyone it's still voluntary achieve?

  18. David Roberts Silver badge
    Trollface

    Cynical, moi?

    "Industry 4.0, in which the vision is that traditionally profitable manufacturing industries will give their profits to a tech sector desperately scrabbling to find the Next Big Thing and hoping that industrial sensors might be the jackpot."

    Possibly the author is not fully enthused by this?

Biting the hand that feeds IT © 1998–2019