Explore PETRAS's research knowledge base of peer-reviewed, multidisciplinary publications.
1. Burton, Saheli Datta; Tanczer, Leonie Maria; Vasudevan, Srinidhi; Hailes, Stephen; Carr, Madeline: The UK Code of Practice for Consumer IoT Cybersecurity: where we are and what next. 2021. (Type: report)
@report{burton_uk_2021,
title = {The UK Code of Practice for Consumer IoT Cybersecurity: where we are and what next},
author = {Saheli Datta Burton and Leonie Maria Tanczer and Srinidhi Vasudevan and Stephen Hailes and Madeline Carr},
url = {https://discovery.ucl.ac.uk/id/eprint/10117734},
doi = {10.14324/000.rp.10117734},
year = {2021},
date = {2021-04-07},
institution = {PETRAS National Centre of Excellence for IoT Systems Cybersecurity and UCL and Department for Digital, Culture, Media \& Sport: London, UK},
abstract = {The Internet of Things (IoT) is emerging quickly in a range of consumer markets from toys to fitness (or wellness) devices to household appliances. These hold great promise for enhancing people's lives, improving our health and well-being, and streamlining or automating a range of daily functions. They also, however, introduce a range of risks including external manipulation, data breaches, surveillance, and physical harm. While consumer devices are often subject to regulation, standards or codes, these have not previously incorporated the new challenges and risks that arise in IoT consumer devices. The UK has been proactive in considering how current regulatory frameworks, best practices, guidance, and other resources can support the uptake of innovations in consumer IoT devices in a safe and secure way. Through the PETRAS Cybersecurity of the Internet of Things research hub - now the National Centre of Excellence for IoT Systems Cybersecurity, we have worked to support DCMS to develop the Code of Practice for IoT Security (CoP). Seeing this work, alongside the significant contributions from multiple stakeholders, including industry, governments and civil society, contribute to the development of an ETSI Standard was exciting and a real demonstration of the value of interdisciplinary academic teams working closely with industry and policy makers to bring about positive change. This work is not complete though. Adapting the standards, governance and policy of emerging technologies is an iterative process that requires constant reflection, evaluation, analysis and reconsideration as both the implementations develop and as our use (or misuse) of them evolves. This report picks out three issues that we feel require urgent consideration. • The use of IoT devices by perpetrators of domestic abuse is a pressing and deeply concerning problem that is largely hidden from view. 
Collecting data (and therefore evidence) on this is challenging for a number of reasons outlined in this section by Leonie Tanczer. There are concrete steps that both industry and the policy community could take to address the misuse of consumer IoT in this setting and we include a number of these as well as lessons from other countries. • Fitness devices are also raising concerns as they have proven easy to compromise and they reveal deeply personal information about people's bodies, their homes and their movements. While IoT medical devices are regulated, there is a grey zone between these and fitness devices that results in a regulatory gap. Saheli Datta Burton has compared these two classes of devices, the ways they are vulnerable, the ways they are used, and the steps that could further secure fitness devices for the consumer market. • Finally, children's IoT connected toys are coming under necessary scrutiny due to the implications of embedded cameras and microphones for a child's (or parent's) protection and right to privacy. These connected toys have the potential for misuse and unauthorised contact with vulnerable minors. The British Toy and Hobby Association has responded to this by offering a range of guidance notes and by interpreting the CoP but with SMEs making up the bulk of IoCT manufacturing, there is plenty more to be done to ensure that these organisations are sufficiently informed and equipped to avoid producing and marketing insecure toys. This report highlights how a weak supply-side commitment to basic cybersecurity requirements in IoT manufacturing such as inbuilt encryption, password protection before distribution, user authentication (e.g., multi-factor authentication), regular audits and assessments exacerbates the plight of domestic 'tech abuse' victims, users of fitness devices, children, and their families. 
A complexity of shared technological, socio-ethical, regulatory and economic imperatives with some sector-specific nuances are at the heart of low-security manufacturing across sectors. In addition to this work, our report also provides insight into how widely the UK CoP has spread since its publication in March 2018, especially its rapid development (with significant contributions of various stakeholders including industry, governments and civil society) to a technical specification (TS 103 645 in February 2019) and, recently, the ETSI EN 303 645 in June 2020. While these developments might be expected to lead to widespread adoption of related secure manufacturing practices in the EU, the infographics we provide demonstrate how widely the standards are being discussed and taken up. Tracking this is, in itself, a useful exercise as it allows us to better understand how technical standards are socialised through diverse stakeholder groups. This report is certainly not the final word on the intersection between consumer IoT and policy responses. Nor will this be the last time we return to this work. But it is an update on where we are now and where we feel we need to be heading. Developing effective policies, regulations, standards, and guidance to protect citizens and to support service providers and manufacturers in the IoT is a challenging task that calls for input from many quarters. We are delighted that we have been able to make this contribution through PETRAS and sincerely thank all of those who have read and provided feedback on it.},
keywords = {},
pubstate = {published},
tppubtype = {report}
}