The main focus of Article 3.3(f) is mitigating fraudulent electronic payments and monetary transfers. To overcome these issues, manufacturers are compelled to add features within devices that deliver enhanced authentication controls to the user.
Another highly anticipated piece of legislation came into play in April 2024: the United Kingdom’s Product Security and Telecommunications Infrastructure (PTSI) Act of 2022. Placing legal duties on electronic and smart home device manufacturers to implement basic security standards within UK-based products, the Act essentially forbids devices from accepting predictable or obviously insecure passwords. It also forces manufacturers to clearly publish contact details so users can report bugs and issues, and to advise consumers of realistic times they can expect software patches and updates.
Built on the back of the previous IoT Code of Practice launched in 2018, the PTSI Act applies to any organization looking to import or retail their devices within the region, with a fine up to £10m or 4 percent of a company’s global revenue (whichever is highest) if they fail to adhere to its regulations. According to the National Cyber Security Centre (NCSC), the scope covers the same types of devices as U.S Cyber Trust Mark, including specific references to smart domestic appliances such as connected light bulbs, plugs, kettles, ovens, fridges and washing machines.
While the latter may seem innocuous, hackers are now including other people’s smart washing machines as part of a large botnet to carry out cryptocurrency mining, which requires an extortionate amount of energy. This type of activity is what the PTSI is aiming to stamp out.
We are now seeing cybersecurity legislation for IoT devices rolled out at an unprecedented rate. However, if manufacturers want to truly protect device users, then it’s important that they also look to adhere to the concept of “trusted computing.” At the most basic level, this means adhering to the latest open standards, specifications, and technologies coming from within the computing industry.
For larger devices, the Trusted Platform Module (TPM) is a low-cost, secure crypto-processor which establishes secure operations by protecting a user’s identity and sensitive data. TPMs hash sections of device firmware and software before they are executed and send them to the server for validation when the system attempts to connect to a network. If the details do not match, then the boot process will not take place, stopping any access or exploitation of stored data. The signing and verification capabilities offered through a TPM provide the baseline for the essential principles of verification, data protection, identity, and attestation.
In situations where the TPM is not suited for the device use case or architecture, the Device Identifier Composition Engine (DICE) can implement key security protocols in a more lightweight solution, providing an attestation architecture perfect for smaller devices. Easily integrated into existing frameworks and protocols, DICE equips manufacturers with the means to both create a cryptographically secure device identity and to verify software in newer devices.
Through DICE, a unique secret is held by the hardware; if an attack is executed against the device, the secret associated with the compromised layer can’t be used to breach further layers, limiting the potential damage. In the DICE architecture, the hardware retains a foundational secret known as the Unique Device Secret (UDS). This secret underpins a layered security approach, where each layer independently generates its own unique secret, derived from the UDS. If an attack compromises one layer, then that secret cannot be utilized to compromise the subsequent layers, confining the scope of potential damage, and enhancing overall device security. Should any malicious code be detected, DICE will also facilitate a rapid re-keying process to preserve integrity.
Finally, the Cyber Resilient Module and Building Block Requirements (CyRes) specification can reduce malware persistence while protecting essential code and data. CyRes protects essential code and data within a device, while detecting vulnerabilities and corruption. They are also able to recover a system back to a reliable, trusted state in the event of compromization.
While not directly outlined in any of the recent legislation, these standards and specifications are just as vital to device security and should be the first port of call for manufacturers when it comes to protecting their devices.