Smartwatches banned from UK Cabinet as EC plans IoT security standards

Members of the UK government's ruling Cabinet have been banned from using smartwatches as the European Commission (EC) plans to implement security standards for such internet-connected devices.

The moves come amid growing warnings from security researchers about the security and privacy weaknesses in devices that make up the internet of things (IoT).

At the recent IPExpo in London, James Lyne of security firm Sophos warned that the IoT posed a very real threat to cyber security, and Ken Munro of Pen Test Partners said the attack surface was “absolutely enormous”.

The UK government is taking this risk seriously, and Cabinet ministers have been banned from wearing smartwatches because of concerns that they could be hijacked as listening devices, reports The Telegraph.

Mobile phones have already been barred from the cabinet because of similar concerns. In March 2016, Pen Test Partners demonstrated that numerous mobile apps could be used to eavesdrop on conversations.

“It’s trivially easy to create a rogue app for an Android device, whether it’s a phone, TV or smartwatch,” said Munro.

“It’s also easy to get apps with ‘additional’ functionality into the Play Store. Permission creep is the main source of this problem. It is also worth looking at the number of popular apps with the ‘microphone’ permission in both Android and iOS. Many social network apps have the permission, although it is unclear whether they actually use this,” he told Computer Weekly.

The move by the UK government coincides with heightened concerns about cyber espionage, with US officials claiming that a Russian cyber espionage campaign started more than a year ago has targeted Republicans and Democrats whose work is strategically important to the Russian government, reports NBC News.

On 7 October 2016, the Obama administration finally blamed Russia publicly for cyber espionage against the Democratic National Committee, but US officials said the campaign targeted both parties by accessing private email accounts. The Russian government has denied any involvement.

The US Department of Homeland Security and the Office of the Director of National Intelligence on Election Security said in a joint statement that the US intelligence community was confident the Russian government had directed the recent compromises of emails from US individuals and institutions, including from US political organisations to interfere with the US election process.

The UK government is not alone in being concerned about the security risks of IoT devices. The EC is reportedly planning to introduce laws that will require device makers to meet tough security standards and undergo a certification process to guarantee privacy.

The EC plans to encourage companies to come up with a cyber security labelling system for internet-connected devices that are approved and secure, similar to EurActiv, the EU labelling system that rates appliances based on how much energy they consume.

According to the EC, the certification process is likely to include assessments of the governance framework for the network and cloud-based services attached to IoT devices.

In November, the EC is also expected to announce plans to introduce rules that will affect how companies can access consumers’ data and what kind of contracts they can have to sell that information to partnering firms.