One of Apple’s key goals with HomeKit was to make smart home devices secure. The UK government has announced it wants to play its part in achieving the same thing by requiring all devices to meet three simple security requirements…

The requirements are pretty basic.

  • All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting
  • Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
  • Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online

The government is perhaps overselling the benefits.

All the same, even preventing the use of default passwords is a lot better than nothing. There are a huge number of network cameras out there, for example, with default passwords that many owners don’t bother to change.

Engadget reports that we shouldn’t expect anything to happen overnight, however.

Apple’s HomeKit protocol aims to make smart home devices secure by addressing security at a more fundamental level. Devices and whatever hub is controlling them (be it a manufacturer bridge or an Apple TV, HomePod or iPad in hub mode) must use encrypted communications. The hub must ensure that the device is a certified one before sending it a command, and the device must check that the hub is certified before obeying it.