Smart door locks and windows security – Internet of Things


Nick Dardalis

In October 2018, the UK Government published a Code of Practice for Consumer IoT (Internet of Things) Security. This paper provides guidance for the consumer regarding Internet-connected or smart devices, such as smart door locks and windows, in the home. On 29 April 2024, the Government’s Product Security and Telecommunications Infrastructure Act 2022 came into force, which means it is now law and that all businesses involved in the supply chain of these products must comply with the legislation.

What is the Internet of Things (IoT)?

IoT stands for the ‘Internet of Things’, which refers to traditionally offline items now connected to the Internet via software and sensors. Being connected to the Internet exposes you to potential cybercrime, as you provide personal and sensitive data to businesses with which you have no tangible connection.

Due to concerns about data leaks and privacy, the Government’s Code of Practice provides guidance and support for companies involved in designing, manufacturing, and retailing products with an internet connection to ensure consumers’ data is safe.

What does the Internet of Things (IoT) have to do with smart door locks and windows?

The Internet of Things (IoT) for windows and doors includes smart door locks, either with a fob or fingerprint opening for doors, window locks and sensors for automatic opening and closing, and smart glass.

What are the benefits of smart door locks and windows?

The benefits of integrating smart door locks and windows include enhanced security, energy efficiency and convenience.

With smart door locks, which are either keypad, fingerprint or voice-controlled, you can be notified by a smartphone app when your doors and windows are open and closed, which helps with security. You can even let someone into your home without the need to be there, and monitor when they arrive and leave. 

Windows and roof windows can automatically open or close to regulate internal temperature as a ‘weather control panel’ function for conservatories and glazed extensions. When it rains, the roof windows can be automatically closed. 


The benefits of smart windows, also known as smart glass, are that they adjust their tint based on the amount of sun, which reduces glare, provides UV protection, and can help maintain a constant internal temperature, improving energy efficiency in the home. Smart glass can be switched from transparent to opaque to provide privacy when required without the need for blinds or curtains.

What security concerns are associated with smart door locks and windows?

The obvious risk with the installation of ‘smart’ technology products in your home is that you provide access and information to businesses you usually would never consider. You would never give a stranger a set of keys to your home!

The personal and private data you provide can be used, accessed without your authority, stolen, and then misused. Some smart devices can also track your movements, knowing when you are not home.

When you purchase IoT products for windows and doors, you want peace of mind that the businesses behind the software and the Internet provider keep your personal data safe. This is where the government’s Code of Practice guidelines aim to protect the consumer.


What are the IoT Code of Practice guidelines?

In October 2018, the UK Government published a Code of Practice with thirteen guidelines for consumer IoT security aimed at manufacturers; here are three of the most appropriate ones that the consumer can relate to: 

  1. No default passwords. Devices should not have universal default passwords, which are expected to be changed by the consumer. The passwords must be unique.
  2. Implement a vulnerability disclosure policy. The internet-connected provider must provide a public point of contact so that issues can be reported.
  3. Make installation and maintenance of devices easy. Consumers should be provided with easy-to-read, easy-to-understand instructions which are easy to implement and keep securely updated to reduce their exposure to threats.

Others include keeping software updated, securely storing personal data and ensuring the continuation of Internet services without outages.

In June 2020, the European Standards Organisation (ETSI) published the ETSI European Standard 303 645, establishing a global security baseline for Internet-connected consumer devices. This standard provides a basis for IoT product certification schemes.

In October 2022, the UK Government passed the Product Security and Telecommunications Infrastructure Act 2022, which is “a bill to make provision about the security of internet-connectable products and products capable of connecting to such products; to make provision about electronic communications infrastructure; and for connected purposes.” This means it is now law. https://bills.parliament.uk/bills/3069

On 29 April 2024, the Government’s Product Security and Telecommunications Infrastructure Act 2022 came into force, which means that all businesses involved in the supply chain of these products now need to be compliant with the legislation.

How can I check if my smart door locks and windows comply with the IoT code of conduct?

You can follow some general guidelines to check if your smart door locks and windows comply with relevant IoT regulations. 

Familiarise yourself with the basic UK government Code of Practice so you can ask the right questions of your door and window supplier providing the smart door locks and windows.

You can seek verification from a reputable organisation that the device complies with the legislation. 

Secured by Design (SBD), the official police security initiative, operates a scheme called Secure Connected Device (SCD) accreditation for products that have met recognised security standards, and it is the most thorough of schemes.

The scheme’s aim is to reduce the risk of a security breach by testing products to ensure they have been built to the required security standards. SBD advises the manufacturer of the IoT product on how to obtain independent third-party testing, and once this has been completed successfully, the company is listed as accredited.

You can find a list of products which have achieved the SCD accreditation on the SBD website.


The IoT Security Foundation has a list of members who join for expert IoT advice and best practices. As part of the membership, they have access to publications on how to comply with the Product Security and Telecommunications Infrastructure Act 2022. Being a member does not mean the product has been independently assessed, as it would be for the SBD accreditation, just that the company is actively involved and aware.

Both SBD and the IoT Security Foundation supply a badge that can be displayed on the company’s website. Never assume that a business complies or is a member just because it shows the badge; check on the SBD and the IoT Security Foundation websites that the manufacturer is listed. It is also wise to check the manufacturer’s website for its vulnerability disclosure policy, listed as number two in the UK government Code of Practice, and save a copy.

For an example of what the Internet of Things will look like in the future, take a read of this article regarding The Digital Future of Windows.

SBD also provide a detailed checklist of IoT Cyber Security Advice.

If you would like some help and advice to select a supplier and installer of smart door locks and windows, please get in touch.

Images Courtesy of Mighton Products, leading hardware suppliers for windows and doors in all materials.
