How the Product Security and Telecommunications Infrastructure Act protects you from abusers
The security within connectable consumer products is poor, with only basic measures provided. But consumers overwhelmingly assume that these products are secure. The new Product Security and Telecommunications Infrastructure Act aims to address this.
The Product Security and Telecommunications Infrastructure Act 2022, which seeks to address the issue of insecure technology, was enacted into law having received Royal Assent in December 2022. This is excellent news for a whole range of reasons, including one that is often overlooked – namely that insecure technology can provide opportunities for abusers to control, harass and stalk their victims.
The pros and cons of consumer connectable products
Consumer connectable products offer huge benefits for people and businesses to live better connected lives with a lower carbon footprint. It is a rapidly growing area of emerging technology: forecasts suggest that there could be up to 75 billion connectable products worldwide by 2025, and on average there are over 10 in each UK household.
However, the adoption of cyber security requirements within these products is poor, and while only 1 in 5 manufacturers embed basic security requirements in consumer connectable products, consumers overwhelmingly assume that these products are secure.
Whilst connectable consumer products have previously had to comply with existing regulation to ensure that they will not directly cause physical harm from issues such as overheating, environmental damage or electrical interference, they have not been regulated to protect consumers from cyber harm such as loss of privacy and personal data. To close this regulatory gap, the Product Security and Telecommunications Infrastructure Act 2022 was introduced.
The requirements and scope of the new Act
The Product Security and Telecommunications Infrastructure Act 2022 requires manufacturers, importers and distributors to ensure that minimum security requirements are met in relation to consumer connectable products that are available to consumers and provides a robust regulatory framework that can adapt and remain effective in the face of rapid technological advancement, the evolving techniques employed by malicious actors, and the broader international regulatory landscape.
The new law applies to all consumer IoT products, including:
- connected safety-relevant products such as smoke detectors and door locks
- connected home automation and alarm systems
- Internet of Things base stations and hubs to which multiple devices connect
- smart home assistants
- smartphones
- connected cameras
The risks
This legislation is absolutely critical, as in 2021 Which? undertook a study to look at how a smart home could be at risk from hackers, setting up their own smart home. This detected more than 12,000 scanning or hacking attempts in a single week! Without the appropriate levels of security, any internet-connected device or app is at risk of being readable, recognisable, locatable, and/or controllable via the internet, thus providing cyber criminals with the ‘key’ in accessing and stealing personal data. This can then be used for a multitude of criminal purposes, including burglary, theft, blackmail, harassment and stalking.
When it comes to harassment and stalking in particular, insecure technology can provide new opportunities for abusers to control, harass and stalk their victims. Examples of this include:
In 2018 a man was jailed for 11 months for IoT-related abuse after being found guilty of eavesdropping on his estranged wife through a microphone on a wall-mounted tablet used to control the heating, TV and lights in their home.
In January 2022 a man was jailed after hacking into an 11-year-old’s webcam to spy on her whilst she showered and undressed.
In January 2020 a man was jailed after he used the tool’s capabilities to enable victims’ webcams, but without activating the camera status LED. This allowed him to record videos and take screenshots while victims were unaware, including during intimate moments.
In April 2022 a man was sentenced after accessing his ex-partner’s CCTV system to spy on her in her own home, as well as letting himself into her home, during a stalking campaign.
In April 2019 a man was sentenced and issued with a restraining order after he accessed the home security camera which his ex-partner used to check on her pets whilst out to spy on her.
Security researchers found that the manufacturer of an IoT chastity cage had left an API exposed (Application Programming Interface, which is a software intermediary that allows two applications to talk to each other), giving malicious hackers a chance to take control of the devices. That’s exactly what happened, with a victim receiving a message from a hacker demanding a payment of 0.02 Bitcoin, which is currently around £445, to unlock the device. He realised his cage was definitely locked and he could not gain access to it. Fortunately for the victim, the device wasn’t locked in on himself.
Criminals are aware of the weakness within insecure technology and are more and more seeking to exploit it for their nefarious purposes. So much so, in fact, that in July 2022 a Brisbane teenager was arrested after building spyware that was being used by domestic violence perpetrators across the world. The teenager created and sold a sophisticated hacking tool which was being used by domestic violence perpetrators and child sex offenders to spy on tens of thousands of people across the world.
Secured by Design: Secure Connected Device accreditation scheme
The national police security initiative, Secured by Design (SBD), launched the Secure Connected Device accreditation scheme in 2022 to help companies to get their products appropriately assessed against all 13 provisions of the ETSI EN 303 645 standard, a requirement that goes beyond the Government’s legislation so that companies can not only demonstrate their compliance with the legislation but also protect themselves, their products and their customers. The SBD Secure Connected Device IoT Assessment identifies the level of risk associated with an IoT device and its ecosystem, providing recommendations on the appropriate certification routes with one of the SBD-approved certification bodies.
Find out more at www.securedbydesign.com/IoT
Michelle Kradolfer
Internet of Things Technical Officer,
Police CPI
