Safe shopping for smart devices

Nov 20, 2024 | Internet of Things

A guide to buying internet-connected items this Christmas

As the festive season approaches, many of us are on the lookout for the perfect gift for our loved ones.

The internet of things or IoT is a term used to describe the growing array of items that connect to the internet. A consumer IoT device is any product or device for personal use that can connect to the internet; these are also called connected devices or ‘smart’ devices. From smart speakers like Google Home and Amazon Echo to wearables such as Fitbit and Apple Watch, smart TVs, kitchen appliances, doorbells, and even toys with voice or image recognition, the options are endless.

A connected device lets the user control its functions from an app on their phone or computer, so they can remotely access and control the device in their home from anywhere they have an internet connection.

Understanding IoT device security

IoT or smart devices can make our lives easier and more connected, yet they also pose security and privacy risks. Many internet-connected devices can collect personal data, including audio and visual data. Unauthorised individuals may connect to them and access your camera, microphone or GPS activity tracker, and criminals may hijack them for malicious uses.

UK legislation and IoT security

To combat these threats, the UK took the pioneering step of becoming one of the leading countries in the world to legally enforce cyber security standards for IoT devices. The Product Security and Telecommunications Infrastructure (PSTI) Act 2022 mandates that all consumer smart products must meet minimum cyber security requirements based on the leading global technical standard in IoT security, ETSI EN 303 645.

These requirements are:

  • Consumer IoT devices must not have universal default passwords. This rule makes it harder for criminals to hack into connected devices.

  • Consumer IoT devices must have a vulnerability disclosure policy. This means that any faults discovered in the software after the product is in use (which could be used by a criminal to access the device) can be addressed in an organised way.

  • Consumer IoT devices must disclose the duration for which they will receive software updates. This means that software updates are created and released to maintain the security of the device throughout its declared lifespan.

The PSTI Act is a comprehensive piece of legislation that affects the entire IoT supply chain in the UK. This includes manufacturers, importers, and distributors, whether they produce IoT products within the UK or make them available to the UK market. The goal of the PSTI Act is to enhance the security of smart products and, over time, it is expected to phase out the presence of low-cost, insecure devices from the UK market.

However, the PSTI Act is relatively new, having only come into full force in April of this year. As a result, the market is currently still saturated with an abundance of inexpensive connected devices and toys. Many of these products may not comply with the new regulations, potentially featuring default passwords and insecure components from third-party suppliers.

Follow our guide below to ensure your new device is both smart and secure.

Tips for secure internet-connected device gifts

  • Check for Internet Connectivity: Sometimes you are buying a gift such as a toy or household item that you did not realise connects to the internet. Verify if the device requires internet access and understand the implications.

  • Do Your Research: Read reviews and blogs to understand the product and its security features.

  • Read Instructions: When you first unpack your new IoT device, look for the manufacturer’s documentation.

  • Check Apps and Settings: In order to use most internet-connected devices, you’ll need to download an app. Turn off any default settings such as GPS location tracking, public WiFi and camera or chat access.

  • Check Your Data Privacy Settings: Consider carefully how much of your personal information you share with the device. If there are privacy options and functions, use them to limit how your data is stored or shared.

  • Set Good Passwords: If your device needs a password, use a strong, unique password (of at least 12 characters) for each device and account. Also, use a password to protect your home WiFi network and TV settings.

  • Enable Two-Factor Authentication: Check whether you can set up two-factor authentication (2FA) on your device. This is a process where you are required to give a code (often sent as a text message to your mobile phone or generated by an authenticator app) in addition to a password. This ensures that other people cannot access your device from the internet with just your password.

  • Install Software Updates or Turn On Automatic Updates: It is important to keep your device updated, as this lets the manufacturer address any faults that have been discovered in the software. All software updates should be installed as soon as possible, and to make that easier, it is recommended that you switch on automatic updates if available.

  • Turn Off Features That You Do Not Need: To limit the options that hackers have to find ways to attack your device, turn off or disable any features that you do not need or use on your device.

  • Switch Off Unused Devices: Turn off devices that are not in use to prevent unnecessary data collection.

  • Set Up Parental Controls: Set up accounts for children with parental controls so that they can only access age-appropriate content.

  • Certification: Look out for a badge of trust on product packaging indicating that the product has been certified to a cyber security scheme and complies with UK legislation.

IASME IoT Cyber certification allows manufacturers to demonstrate to their customers the security of their internet-connected devices. When you see the IASME IoT Cyber scheme badge displayed on a device, it will reassure you that the device has the most important security features and complies with UK law.

As you embark on your Christmas shopping, remember that the security of IoT devices is as important as their functionality. Look for the IASME IoT Cyber badge or similar certifications to ensure that you’re gifting not just a smart device, but also peace of mind.

For more information on IoT security certification, get in touch with IASME at [email protected] and stay updated by following the scheme on LinkedIn.