FOCUS: Why you need SBD’s Secure Connected Device accreditation
Whilst consumer connectable products offer huge benefits for people and businesses to live better connected lives with a lower carbon footprint, the adoption of cyber security requirements within these products is poor. While only 1 in 5 manufacturers embed basic security requirements in consumer connectable products, consumers overwhelmingly assume that these products are secure.
Connectable consumer products have previously had to comply with existing regulation to ensure that they will not directly cause physical harm from issues such as overheating, environmental damage or electrical interference. They have not, however, been regulated to protect consumers from cyber harm such as loss of privacy and personal data.
The Product Security and Telecommunications Infrastructure Act
To close this regulatory gap, the Product Security and Telecommunications Infrastructure Act 2022, which seeks to address the issue of insecure technology, was enacted into law in December 2022. Businesses will need to be compliant with the PSTI Act from the 29th of April 2024.
The Act requires manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers. It also provides a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape.
The new law applies to all consumer IoT products, including but not limited to:
- connected safety-relevant products such as smoke detectors and door locks
- connected home automation and alarm systems
- Internet of Things base stations and hubs to which multiple devices connect
- smart home assistants
- connected cameras
- connected fridges, washers, freezers and coffee machines
This legislation is absolutely critical. In 2021 Which? undertook a study to look at how a smart home could be at risk from hackers, setting up its own smart home for the purpose; it detected more than 12,000 scanning or hacking attempts in a single week! Without the appropriate levels of security, any internet connected device or app is at risk of being readable, recognisable, locatable and/or controllable via the internet, thus providing cyber criminals with the ‘key’ to accessing and stealing personal data. This can then be used for a multitude of criminal purposes, including burglary, theft, blackmail, harassment and stalking.
Harassment & stalking
When it comes to harassment and stalking, for example, insecure technology can provide new opportunities for abusers to control, harass and stalk their victims. Examples of this include:
- In 2018 a man was jailed for 11 months for IoT-related abuse after being found guilty of eavesdropping on his estranged wife through a microphone on a wall-mounted tablet used to control the heating, TV and lights in their home
- In January 2022 a man was jailed after hacking into an 11-year-old’s webcam to spy on her whilst she showered and undressed
- In January 2020 a man was jailed after he used the tool's capabilities to enable victims' webcams, but without activating the camera status LED. This allowed him to record videos and take screenshots while victims were unaware, including during intimate moments
- In April 2022 a man was sentenced after accessing his ex-partner's CCTV system to spy on her in her own home, as well as letting himself into her home, during a stalking campaign
- In April 2019 a man was sentenced and issued with a restraining order after he accessed the home security camera which his ex-partner used to check on her pets whilst out to spy on her
- Security researchers found that the manufacturer of an IoT chastity cage had left an API (Application Programming Interface, a software intermediary that allows two applications to talk to each other) exposed, giving malicious hackers a chance to take control of the devices. That is exactly what happened: one victim received a message from a hacker demanding a payment of 0.02 Bitcoin, currently around £445, to unlock the device. He confirmed that his cage was locked and that he could not open it. Fortunately for the victim, he was not wearing the device at the time
Criminals are aware of the weaknesses within insecure technology and are increasingly seeking to exploit them for their nefarious purposes. So much so, in fact, that in July 2022 a Brisbane teenager was arrested after creating and selling a sophisticated spyware tool that was being used by domestic violence perpetrators and child sex offenders to spy on tens of thousands of people across the world.
Left out in the cold
Residents of two apartment buildings in Lappeenranta city in southeast Finland were left in the cold after a DDoS (distributed denial of service) attack knocked out their heating systems. The cyber-attack is believed to have lasted for nearly a week, starting in late October and ending in November. The attack temporarily disabled the computer systems that controlled the central heating and hot water distribution of both buildings. In an attempt to ward off the attacks and remain functional, the targeted systems went into an endless cycle of rebooting. This in turn cut off the heating system, leaving residents with no heat and, presumably, cold showers. If a similar attack were carried out on a larger scale, such as against a whole city that is considered ‘smart’ and has similar systems with the same vulnerabilities, the consequences could be catastrophic, potentially leaving a large population without heating or water. It’s one way to target citizens and weaken a country.
The cost of cyber crime
Security minister Tom Tugendhat recently revealed that businesses hit by hacking each ended up £15,000 out of pocket, telling the CYBERUK Conference: “A quick look at the basic figures is enough to bring home the scale and severity of the issue we face.
“New findings released just yesterday from the Cyber Security Breaches Survey show that 32% of businesses experienced at least one cyber breach in the last 12 months. This year, for the first time, the survey also tells us how many of these breaches resulted in a cybercrime being committed”.
He said it must not be forgotten that there is a human victim behind each figure, adding: “Each is a grandparent defrauded, and stripped of their savings. Each is a small business held to ransom, and jobs lost”.
The Secure Connected Device accreditation
The national police security initiative, Secured by Design (SBD), launched the Secure Connected Device accreditation scheme in 2022, developed in consultation with the Department for Digital, Culture, Media & Sport (DCMS), to help companies get their products appropriately assessed against all 13 provisions of the ETSI EN 303 645 standard. This requirement goes beyond the Government’s legislation, so that companies can not only demonstrate their compliance with the legislation but also protect themselves, their products and their customers.
The SBD Secure Connected Device IoT Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes with one of the SBD approved certification bodies.
View from the expert
Michelle Kradolfer, the Police CPI Internet of Things Technical Officer, said: “Nowadays everything is more interconnected and devices you didn’t think could be “smart”, in fact are. No matter the function, consumers deserve to know that the devices and apps they are using are safe in every aspect.
“It is vitally important to ensure that all IoT products have the right level of security in place to protect consumers and reduce the risk of them falling victim to cyber crime. Adverse publicity due to a cyber incident could be catastrophic to the reputation of the product and company.
“Compliance with the ‘Secure Connected Device’ accreditation sends a clear message to the wider industry of the importance of IoT security and companies accredited to this new SBD standard will lead by example and be at the forefront of the IoT revolution and in doing so will help to keep their customers and the public safer from the risk of a cyber breach”.
Find out more on SBD’s Secure Connected Device accreditation at www.securedbydesign.com/IoT