At home security devices, are they safe enough? – Mike Gillespie

News and information from the Advent IM team.

There’s a lot in my social media feed at the moment about the level of poor security discovered in nanny cams and other video surveillance systems.  This is not, however, a new challenge. We have been highlighting this issue for some years now. This week, the advice for owners of these systems from NCSC is to change default passwords, update configurations and firmware and turn off remote access to the video streams.

 

Now this is all well and good. However, manufacturers, in a blatant show of disrespect for their customers, continue to churn out devices with poor configurations, a lack of ability to apply firmware updates and, in some cases, the username and password hard-coded onto the device. So, even if the consumer knows technically how to apply the advice from NCSC, if the device has been manufactured to be insecure by default, what hope do they have?

The advice from NCSC is perfectly legitimate, and undoubtedly well meaning. However, I personally don’t think, given the consistent growth in the IoT and consumables market, that it is sustainable to expect that this basic security should be down to the consumer to address. These devices need to be safe and secure consistently. When a consumer takes one out of the box for the first time, they should have the confidence that the device provides at least a basic level of protection for them and their families.

 

That is a manufacturer responsibility first and foremost, in my opinion. No consumer is expected to know how to make a device electrically safe, and physical locks come with a kitemark to show that they meet minimum standards, but IoT devices, including cameras, require no minimum standard at all. It is outrageous and it is time more was done to prevent unsafe and insecure devices being sold in the UK marketplace.

 

There is a range of arguments made as to why this is not possible to address at a manufacturer level. The first is that better security will inevitably drive up costs and consumers will not be prepared to pay. This actually is not true. We have proven this with the work we have done as part of our involvement in the Surveillance Camera Commissioner’s Advisory Panel. In the last 12 months we have successfully collaborated with several video surveillance system manufacturers – global ones – to launch and have them commit to Secure by Default, all without a single increase in cost.
The truth is it costs no more to code well than it does to code shabbily. There is no cost involved in writing code that makes changing a default password on startup intuitive, for example, and many of the areas covered by the DCMS Code of Practice for consumer IoT security can be achieved with minimal cost implications as part of a responsible development process.

The next argument is that we exist within a global market, and that although we might improve the standard of devices made here in the UK, cheap and insecure variants will still exist and consumers will veer towards them. I have heard this argument made numerous times. It is a fallacy perpetuated by manufacturers who don’t want to do the right thing by consumers.
These manufacturers are, to quote, “internet polluters” and need to be called out for their poor practices. We may well live in a global economy, but there are still controls over the import and sale of unsafe equipment. We need the same controls over insecure ones.

 

Any manufacturer producing an internet-connected device with the level of insecurity we have seen on these cameras in the news this week is guilty of wilfully and negligently disregarding their customers’ safety, security and privacy. There can be no joint responsibility between vendor and consumer if the device has been manufactured in a manner that makes it impossible to secure. The time will come when savvy consumers will vote with their wallets, but currently that is the only threat to these manufacturers, and cheap goods sold across a range of international marketplaces will always be a challenge; we have seen this with counterfeit goods for many years. We cannot, however, rely on this as a quality check in any way, shape or form.

These devices are not fit for the UK marketplace and should be treated by trading standards the same way counterfeit and electrically unsafe devices are. It is time the UK made a stand on this matter and sent a strong message.

Mike Gillespie

 
