Digital Guardianship: Keeping Your Smart Devices in Check
On 29 April 2024, the UK brought into force a new set of security requirements for consumer smart devices. Hailed as the first of their kind, these requirements are the regime established by the Product Security and Telecommunications Infrastructure Act 2022 (the PSTI Act), now given effect through regulations made under it.
The requirements mean that manufacturers of smart products (and the importers and distributors who bring them to the UK market) must meet a minimum security standard, or face enforcement action. But what do we mean by ‘smart’ devices? How will they be safer? Who should care about them, and why?
What is A Smart Device?
A Sunday Times report from 2016 observed that more than half of the adult population owned at least one smart device. A smart device is an electronic object that can connect to a network and share data with, or be controlled by, a user or another device. Evidently, many devices fall into this category.
Understanding which devices are considered ‘smart’ helps identify how appealing they are as a target to malicious actors. But it’s not just personal usage we need to think about. Many businesses use smart devices, often without realising it.
The Mirai botnet, first observed in August 2016, left a significant mark on the cybersecurity industry through its involvement in some of the most disruptive distributed denial of service (DDoS) attacks seen at the time. It predominantly exploited smart devices in the Internet of Things (IoT) domain, spreading by logging in over telnet with a short list of factory-default usernames and passwords. Its most prominent victim was Dyn, a Domain Name System (DNS) service provider, which in October 2016 estimated that 100,000 malicious endpoints were involved in the attack against it. Whilst most botnets are made up of compromised computers, this one was built largely from IoT devices, reportedly because of their comparatively weak security and preventative measures.
Ring, the home-security camera brand, has also seen its devices compromised, with attackers gaining access to live feeds from home monitoring cameras. Reports concluded that the malicious actors got in by exploiting a variety of weak, recycled and default usernames and passwords.
Even healthcare isn’t safe: in January 2017 the US Food and Drug Administration (FDA) confirmed that St. Jude Medical, a US device manufacturer, had been supplying patients with implanted cardiac devices, including pacemakers and defibrillators, that were susceptible to attack. The vulnerabilities lay in the Merlin@home transmitter that relays data from the implant to the patient’s physicians, which, if compromised, could be used to send commands to the implant itself.
How Will the New Laws Make Smart Devices Safer?
Previously, any manufacturer selling smart devices in the UK has been able to pay lip service to security. These requirements will change that. Whilst there are still many ways to increase security, the requirements cover fundamentals that will help in the short term, such as:
Banning universal default passwords: the passwords devices ship with. Many manufacturers use the same password for every device in a range, which may be printed on the packaging or, worse, publicly listed on websites and help forums. Under the new requirements a pre-set password must either be unique to each device (and not based on a simple incremental counter or on publicly available information) or be set by the user during set-up.
Support Lifespan: Manufacturers and retailers will have to tell consumers, at the point of sale, the minimum period for which the product will receive security updates. Many people are not aware that their devices (car, watch, phone, and so on) receive updates as new threats are identified, and fewer still know that this support always has an end date, which has rarely been communicated to users.
Contact Details: Manufacturers will have to publish a point of contact for reporting security issues, together with the timescales within which reporters can expect an acknowledgement and status updates, so that bugs are dealt with rather than ignored.
Who Cares About Smart Devices?
Everyone should; smart devices are used in every aspect of society. Whilst most of the media’s coverage focuses on consumer implications, organisations should also use this momentum to consider vulnerabilities.
What Should I Do to Secure My Business?
Understand Your Environment: If you don’t yet have a comprehensive list of the assets connected to your environment, your first task should be to collate one. If you’re unsure, or don’t have full confidence in your list, engage a third party to help you. Cyro Cyber’s experts use the security industry’s leading discovery tools to identify every connected device in your environment.
Identify Device Purpose: Once you know what you have, work out why you have it. You may have legacy devices within your network, collecting data without purpose. Perhaps you have a smart TV in your boardroom, or a legacy device monitoring the levels of chemicals in your water treatment plant. Every device is a door into your environment.
Lock Your Doors: Your list tells you what assets you have and why; now you need to protect them. At the time of deployment a specialist should have hardened every device: changing the default password, disabling services it doesn’t need and making sure it is not openly discoverable on your network. If you find a device still answering to a default username or password, change them immediately and treat the device as potentially compromised. Cyro Cyber are available to all customers wishing to understand any residual risk from this stage. If you discover that you have metaphorical doors ‘open’, our specialist consultants can help investigate for how long and to what degree you may have been exposed.
Hold the Door: A malicious actor will keep trying the door, and their methods grow ever more sophisticated. A mature vulnerability management programme, with regular scanning and prompt patching of the devices on your list, greatly reduces the exposure. Better still, engage a SIEM or SOC provider that can monitor all endpoints and alert you when someone tries to get in.
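As an added illustration of the inventory and ‘lock your doors’ steps above (example code written for this page, not Cyro Cyber’s tooling), the following Python script audits an exported device inventory for the weaknesses the text describes: credentials still matching a vendor default, devices whose declared support period has ended, cleartext management over telnet, and management ports reachable from the internet. The inventory rows, vendor names, default-credential list and audit date are all constructed for the example; a real run would load the inventory from your discovery tool and the defaults from each vendor’s documentation.

```python
"""Audit an exported smart-device inventory for the weaknesses described above.

Added example for this page, not Cyro Cyber's tooling.  The sample inventory,
the default-credential list and the audit date are constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample of factory-default credentials, in the style of the
# username/password dictionary Mirai tried over telnet.  A real audit would
# load the published defaults for every vendor present in the inventory.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "1234"),
    ("root", "root"),
    ("root", "xc3511"),
    ("support", "support"),
    ("user", "user"),
}

# Ports that carry device management; none of them should face the internet.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 8080: "http-alt"}

# Audit date: the day the UK requirements came into force.
AUDIT_DATE = date(2024, 4, 29)

# Constructed inventory export in the shape an asset-discovery tool might
# produce.  Vendor names are fictitious; blank fields mean "not recorded".
SAMPLE_INVENTORY = """\
hostname,ip,vendor,purpose,username,password,support_until,open_ports,reachable_from
cam-lobby-01,10.0.5.11,ExampleCam,lobby CCTV,admin,admin,2023-06-30,"23,80",internet
tv-boardroom,10.0.7.40,ExampleTV,boardroom display,,,2026-12-31,8080,corp-lan
plc-water-03,10.0.9.3,ExamplePLC,chemical dosing monitor,root,xc3511,2019-01-01,23,ot-vlan
printer-2f,10.0.3.22,ExamplePrint,second-floor printer,admin,Kq7!rT2m#vL9,2027-03-31,443,corp-lan
"""


@dataclass(frozen=True)
class Device:
    hostname: str
    ip: str
    vendor: str
    purpose: str
    username: str
    password: str
    support_until: date | None
    open_ports: frozenset[int]
    reachable_from: str


@dataclass(frozen=True)
class Finding:
    code: str    # short machine-readable label, e.g. "default-credentials"
    detail: str  # what an engineer needs to know in order to act on it


def parse_inventory(text: str) -> list[Device]:
    """Parse a CSV export into Device records."""
    devices = []
    for row in csv.DictReader(io.StringIO(text)):
        ports = frozenset(int(p) for p in row["open_ports"].split(",") if p.strip())
        until = date.fromisoformat(row["support_until"]) if row["support_until"] else None
        devices.append(Device(row["hostname"], row["ip"], row["vendor"], row["purpose"],
                              row["username"], row["password"], until, ports,
                              row["reachable_from"]))
    return devices


def audit_device(dev: Device, today: date = AUDIT_DATE) -> list[Finding]:
    """Return every weakness found on one device; an empty list means it passed."""
    findings: list[Finding] = []
    if not dev.purpose:
        findings.append(Finding("no-purpose", "nobody can say why this device is connected"))
    # A blank credential field is not a pass: the changed default cannot be confirmed.
    if not dev.username and not dev.password:
        findings.append(Finding("credentials-unknown",
                                "inventory records no credentials, so a changed default cannot be confirmed"))
    elif (dev.username, dev.password) in DEFAULT_CREDENTIALS:
        findings.append(Finding("default-credentials",
                                f"{dev.username}/{dev.password} is a known factory default"))
    if dev.support_until is None:
        findings.append(Finding("support-unknown", "no declared end of security-update support"))
    elif dev.support_until < today:
        findings.append(Finding("unsupported", f"security updates ended on {dev.support_until}"))
    if 23 in dev.open_ports:
        findings.append(Finding("cleartext-management", "telnet sends credentials in the clear"))
    exposed = sorted(p for p in dev.open_ports if p in MANAGEMENT_PORTS)
    if exposed and dev.reachable_from == "internet":
        names = ", ".join(f"{p}/{MANAGEMENT_PORTS[p]}" for p in exposed)
        findings.append(Finding("exposed-management", f"management ports {names} face the internet"))
    return findings


def audit_inventory(text: str = SAMPLE_INVENTORY, today: date = AUDIT_DATE) -> dict[str, list[Finding]]:
    """Audit every device in a CSV export, keyed by hostname."""
    return {dev.hostname: audit_device(dev, today) for dev in parse_inventory(text)}


def finding_codes(report: dict[str, list[Finding]]) -> dict[str, set[str]]:
    """Collapse a report to the set of finding codes per host (for tests and dashboards)."""
    return {host: {f.code for f in fs} for host, fs in report.items()}


if __name__ == "__main__":
    for host, findings in audit_inventory().items():
        print(f"{host}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for f in findings:
            print(f"  [{f.code}] {f.detail}")
```

Note the deliberate choice that a device with no recorded credentials is flagged rather than passed: an inventory that cannot say what a device’s password is cannot confirm the default was ever changed, which is exactly the “don’t have full confidence in your list” situation described above. The boardroom TV in the sample trips only that check, the lobby camera fails every one, and the printer passes, which is the shape of result you want before deciding which doors to close first.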
Conclusion
Whilst the introduction of this legislation may create a greater focus on security related information, it’s unlikely that it will do enough to ‘protect’ our devices. This is especially true for businesses that often don’t have someone accountable for ensuring secure device deployment. Ultimately, though, the introduction of legislation in the UK is a welcome change for many.
________________________________________________________________________________________________________________________________
Author: Peter Lane, Principal Information Assurance Consultant, Cyro Cyber
Cyro’s decades of combined experience can help you understand, implement and test the controls needed to satisfy the regulators, whilst serving the real goal of protecting your data and avoiding the fines and reputational damage a breach can bring.
Drop us a line to discuss your compliance challenges: peter.lane@cyro.uk