Amazon Echo and Google Home ‘Smart Spies’

Berlin-based Security Research Labs (SRL) discovered possible hacking flaws in Amazon Echo (Alexa) and Google Home speakers and installed their own voice applications to demonstrate hacks on both device platforms that turned the assistants into ‘Smart Spies’.

What Happened?

Research by SRL led to the discovery of two possible hacking scenarios that apply to both Amazon Alexa and Google Home which can enable a hacker to phish for sensitive information in voice content (vishing) and eavesdrop on users.

Knowing that some of the apps offered for use with Amazon Echo and Google Home devices are made by third parties with the intention of extending the capability of the speakers, SRL was then able to create its voice apps designed to demonstrate both hacks on both device platforms. Once approved by both device platforms, the apps were shown to successfully compromise the data privacy of users by using certain ‘Skills and actions’ to both request and collect personal data including user passwords by eavesdropping on users after they believed the smart speaker has stopped listening.

Amazon and Google Told

SRL’s results and the details of the vulnerabilities were then shared with Amazon and Google through a responsible disclosure process. Google has since announced that it has removed SRL’s actions and is putting in place mechanisms to stop something similar happening in future.  Amazon has also said that it has blocked the Skill inserted by SRL and has also put in preventative mechanisms of the future.

What Did SRL’s Apps Do?

The apps that enabled the ‘Smart Spy’ hacks took advantage of the “fallback intent”, in a voice app (the bit that says I’m sorry, I did not understand that. Can you please repeat it?”), the built-in stop intent which reacts to the user saying “stop” (by changing the functionality of that command after the apps were accepted), and leveraged a quirk in  Alexa’s and Google’s Text-to-Speech engine that allows inserting long pauses in the speech output.

Examples of how this was put to work included:

  • Requesting the user’s password through a simple back-end change by creating a password phishing Skill/Action. For example, a seemingly innocent application was created such as a horoscope.  When the user asked for it, they were given a false error message e.g. “it’s not available in your country”.  This triggered a minute’s silence which led to the user being told “An important security update is available for your device. Please say start update followed by your password.” Anything the user said after “start” was sent to the hacker, in this case, thankfully, SRL.
  • Faking the Stop Intent to allow eavesdropping on users. For example, when a user gave a ‘stop’ command and heard the ‘Goodbye’ message, the app was able to continue to secretly run and to pick up on certain trigger words like “I” or words indicating that personal information was about to follow, i.e. “email”, “password” or “address”. The subsequent recording was then transcribed and sent back to SRL.

Not The First Time

This is not the first time that concerns have been raised about the spying potential of home smart speakers.  For example, back in May 2018, A US woman reported that a private home conversation had been recorded by her Amazon’s voice assistant, and then sent it to a random phone contact who happened to be her husband’s employee. Also, as far back as 2016, US researchers found that they could hide commands in white noise played over loudspeakers and through YouTube videos in order to get smart devices to turn on flight mode or open a website. The researchers also found that they could embed commands directly into recordings of music or spoken text.

Manual Review Opt-Out

After the controversy over the manual, human reviewing of recordings and transcripts taken via the voice assistants of Google, Apple and Amazon, Google and Apple had to stop the practice and Amazon has now added an opt-out option for manual review of voice recordings and their associated transcripts taken through Alexa.

What Does This Mean For Your Business?

Digital Voice Assistants have become a popular feature in many home and home-business settings because they provide many value-adding functions in personal organisation, as an information point and for entertainment and leisure.  It is good news that SRL has discovered these possible hacking flaws before real hackers did (earning SRL some good PR in the process), but it also highlights a real risk to privacy and security that could be posed by these devices by determined hackers using relatively basic programming skills.

Users need to be aware of the listening potential of these devices, and of the possibility of malicious apps being operated through them.  Amazon and Google may also need to pay more attention to the reviewing of third party apps and of the Skills and Actions made available in their voice app stores in order to prevent this kind of thing from happening and to close all loopholes as soon as they are discovered.

Why You May Be Cautious About Installing The Latest Windows 10 Update

Some of Microsoft’s enterprise-based customers may be feeling cautious about installing the latest Windows 10 update because Microsoft warns that it could stop the Microsoft Defender Advanced Threat Protection (ATP) service from running.

The Update and Warning

The update in question is the October 15, 2019 KB4520062 (OS Build 17763.832).  The update contains a long list of improvements and fixes (see here for full details: https://support.microsoft.com/en-us/help/4520062/windows-10-update-kb4520062), but also three known issues, one of which concerns the Microsoft Defender Advanced Threat Protection (ATP) service.

What Is The ATP?

The ATP is a paid-for service, for Microsoft Enterprise customers (not Home or Pro customers) that’s designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It offers features like endpoint behavioural sensors embedded in Windows 10, Cloud security analytics and access to threat intelligence generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by Microsoft’s partners.

What’s The Issue With the Update?

In the update’s release notes Microsoft says, “We suggest that devices in an affected environment do not install this optional non-security update”.

The reason given for the warning is that installing the update could mean that the ATP service could stop running and may fail to send reporting data.  This could mean that certain enterprise customers are more exposed to security threats until a solution has been found.

Microsoft also warns that an error (0xc0000409) may be received in MsSense.exe.

Not Fixed Until November

Microsoft says that although it’s working on a resolution it estimates that it won’t have a solution to the problem until November.

One of Several Update Problems Recently

This is one of several updates from Microsoft recently that have come with problems.  For example, an update on the 16th of September was reported to have caused issues with Windows Defender.  Later in September, Microsoft had to issue two emergency Windows updates to protect against some serious vulnerabilities relating to Internet Explorer and Windows Defender (anti-virus software).

Also, the October 3 update is reported to have adversely affected the Start Menu and print spooler, and the Start Menu issues were reported to be still present following the 8 October update.

What Does This Mean For Your Business?

Although Home and Pro customers need not worry about this particular issue, Microsoft’s valued Enterprise customers, who have paid for the ATP service to help stay ahead of the game in security may be a little worried and frustrated at having to either wait until November to enjoy the improvements of the new (optional) update in safety, or install it now and risk the loss of their ATP service and face the associated potential security risks.

Microsoft customers seem to have suffered several problems related to updates in recent months, and Enterprise customers are likely to be those that Microsoft particularly does not want to upset.  It is likely, therefore, that Microsoft will be focusing of getting an appropriate solution to the new update issues before November if possible.

Banking App Fraud On The Rise

A recent report from cyber-security company RSA has highlighted a significant rise in fraud via fake banking apps.

Number of Attacks Has Trebled

The Fraud and Risk Intelligence (FRI) team at RSA have noted a tripling of the number of fraud attacks via fake mobile banking apps in the first six months of this year with rogue mobile app fraud generally up by a staggering 191 per cent.

Fake Mobile Apps Exploit Digital Finance Trust

Not only did the 40,344 fraud attacks represent a 63 per cent rise, but 29 per cent of those attacks were recorded as coming from fake mobile apps.

In fact, the report identified an 80 per cent rise in the use of financial malware in the first half of this year, highlighting how cyber-criminals are using the transformation of finance to the digital world and the increasing trust of users in financial apps and digital financial transactions as a way in.

Changing

Tech and finance commentators have noted that as companies offer more convenient digitised financial initiatives to customers e.g. open banking, and as this has necessitated customers engaging in more digital touchpoints, it has led to a widening of the potential ‘attack surface’ that criminals can take advantage of.

Could Banks Do More?

An Immuniweb report from August this year noted that a massive 98 per cent of the world’s100 leading financial technology (fintech) startup companies are vulnerable to web and mobile app attacks, and that 97 of the 100 largest banks are also vulnerable to web and mobile attacks which could facilitate a breach of sensitive data.

The Immuniweb report also highlighted mobile financial apps as being a problem area with all mobile apps tested showing at least one ‘medium risk’ security vulnerability, and 97 per cent having at least two medium/high-risk vulnerabilities. The tests also showed that over 50 per cent of mobile app backends have serious SSL/TLS misconfigurations or privacy issues which could be traced to not having robust-enough web server security.

This has led to some speculation that banks and other financial organisations could be doing more to help close potential security loopholes in their apps, thereby offering better protection to customers.

What Does This Mean For Your Business?

Mobile apps offer banks and other financial organisations a way to offer convenience and added value to their customers who want to be able to manage their finances on the go. However, legitimate app security problems, a proliferation of fake/rogue financial apps and a widening of the potential attack plane that this brings to consumers who increasingly trust their finances to mobile digital transactions have increased the attack plane and the risks that businesses and consumers face.

As users of banking and other financial apps, we can help protect ourselves by sticking to some basic security procedures such as not clicking on links in unfamiliar messages or texts (to avoid loading malware), keeping a close eye on our bank transactions, and by being very cautious when downloading apps of any kind. For example, to minimise the risk of falling victim rogue/fake apps, you should check the publisher of an app, check which permissions the app requests when you install it, delete any apps from your phone that you no longer use, and contact your phone’s service provider or visit the high street store if you think you’ve downloaded a malicious/suspect app.

Any Thumbprint Unlocks a Galaxy A10

Samsung’s so-called “revolutionary” fingerprint authentication system for the Galaxy A10 phone appears to be offering less than satisfactory results as it is discovered that any thumbprint can unlock one.

Biometric ‘Fail’

South Korean phone giant Samsung has received some unwanted bad publicity for its new Galaxy A10 phone after an article appeared in the Sun newspaper highlighting how a British couple discovered that, after putting a low-priced screen protector (purchased from eBay) on the phone, each other’s thumb print could unlock the phone.

The thumbprint scanner, which uses ultrasound to detect 3D ridges in fingerprints and only is supposed to recognise the thumbprint that has been registered by the user is reported to have recognised both of the thumbprints of user Lisa Neilson and both of her husband.

Patch

Samsung is reported to have acknowledged the fault and to be in the process of preparing a software patch to fix it.

Google Pixel ‘Face Unlock’ Issue

It seems that Samsung isn’t the only company struggling to produce a biometric phone security system that works properly.

The BBC has recently reported that after testing Google’s Pixel 4 phone’s Face Unlock system, it was discovered that with normal default settings on, the phone could be unlocked even if the user’s eyes were closed. The problem with this is that the phone could potentially be unlocked by another unauthorised person while the user is asleep simply by holding the phone in front of the user’s face.

The phone does, however, offer a ‘lockdown’ mode which users can switch to in order to deactivate the facial recognition system altogether.

Biometrics – The Way Forward?

Even though multi-factor authentication is more secure than relying on just a password for authentication, a continued reliance on weak passwords and password sharing by users, coupled with more sophisticated cyber and phone crime techniques mean that there is a strong argument for biometric methods of authentication, and a move towards what Microsoft has recently described as a “passwordless future”.

What Does This Mean For Your Business?

Even though biometrics has been shown to make things much more difficult for cyber-criminals to crack, as the A10 and the Pixel 4 security systems illustrate, biometrics have not been 100% successful to date and is still needs some work.  In fact, this is not the first time that a Samsung Galaxy has been in the news for a biometric issue. For example, a Reddit user recently claimed to have used a 3D printer to clone a fingerprint and then use that fake fingerprint to beat the in-display fingerprint reader on the Galaxy S10. Also, there was the report of the Twitter user who claimed to have fooled Nokia 9 PureView’s fingerprint scanner by using somebody else’s finger, and then just a packet of chewing gum, and of the incident back in May 2017 where a BBC reporter said that he’d been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.

There is no doubt that the move away from passwords to biometrics is now underway, but we are still in the relatively early stages.

Equifax Hack Inevitable Says Lawsuit

A lawsuit against US Credit Rating Company Equifax relating to the massive 2017 hack alleges that the breaching of Equifax’s systems was “inevitable because of systemic organisational disregard for cybersecurity and cyber-hygiene best practices.”

What Happened

Back in September 2017, US Credit Rating Company Equifax was hacked and, in one of the largest recorded data breaches in history, an estimated 148 million customer details stolen, 44 million of which are believed to have come from UK customers.  Details stolen in the attack included names, US social security numbers, dates of birth, addresses, driver’s license details, and around 209,000 credit card numbers.

Hackers got in through a vulnerability in the website and Equifax was reported to have known about the attack 40 days before informing the public that it had happened.  Another aspect of the case that caused outrage at the time was the fact that three senior executives at the company were believed to have sold-off their shares worth almost £1.4m before the breach was publicly announced.

The Lawsuit

The lawsuit that was filed against Equifax with the Northern District Court of Georgia (Atlanta Division) in the US states that the breach was the “inevitable result of widespread shortcomings in Equifax’s data security systems”.

What Kind of Shortcomings?

The lawsuit alleges that Equifax’s data protection measures were “grossly inadequate,” and “failed to meet the most basic industry standards”.  The lawsuit paints a picture of a company with a shockingly simplistic and risky approach to the protection of personal data.  For example, it alleges that Equifax:

  • Failed to implement proper patching protocols and relied upon one individual to manually implement its patching process across its entire network.
  • Didn’t encrypt sensitive information and instead, stored in plain-text, making it easy for unauthorised users to read and misuse.
  • Didn’t encrypt mobile applications, meaning that it failed to encrypt data being transmitted over the internet.
  • Stored sensitive data on public-facing servers and left the keys to unlocking the encryption on those same public-facing servers, making it easy to remove the encryption from any data.
  • Used inadequate network monitoring practices and obsolete software.
  • Failed to implement adequate authentication measures.  This allegedly included using weak passwords and security questions.

Simple Usernames and Passwords Including ‘Admin’

One of the shocking accusations in the lawsuit relates to passwords.  It highlights how the New York Stock Exchange-listed firm responsible for protecting the sensitive personal data of millions of people used four-digit pins (derived from Social Security numbers and birthdays) to guard personal information, even though these weak passwords had already been compromised in previous breaches.

Also, the lawsuit alleges that Equifax relied upon the username “admin” and the password “admin” to protect a portal used to manage credit disputes, thereby making it incredibly easy for any hackers to guess.  For example, many penetration testing companies will use more obvious passwords such as ‘admin’ as a basic part of their testing of company systems.

Simple Passwords Still Widely Used

One of the main ways that we can all leave the door open to security breaches and hacks is by using simple, easy to guess passwords, and by sharing the same password between multiple websites and platforms.

For example, a study by the UK’s National Cyber Security Centre (NCSC) into breached passwords (in April this year) revealed that 123456 featured 23 million times, making it the most widely used password on breached accounts.  The study, which analysed public databases of breached accounts, also found that the second-most popular string was 123456789, and that the words “qwerty” and “password”, and the string 1111111 all featured in the top five most popular breached passwords.

What Does This Mean For Your Business?

The allegations about the apparent organisational disregard for cyber-security at such a big company and the use of simple, default-style passwords such as ‘Admin’ and leaving one person in charge of patching for the whole company are truly shocking.  The case highlights how some organisations may be too casual about how they manage and protect sensitive data, which is a dangerous position to be in, particularly with the possible fines from GDPR. Since most companies still rely upon passwords for many important systems and tools, this case particularly highlights how IT departments may need to implement processes to make sure that default passwords are changed to more secure ones, and that commonly used passwords are blacklisted.  Introducing multifactor authentication (MFA) also adds another important extra layer of security to password-based systems, and many companies are now seeking biometric authentication methods as a way of getting completely away from the whole risky password area.

The Equifax case also highlights how businesses shouldn’t treat database security any differently from other aspects of their cybersecurity, especially by not sharing admin passwords, and if sharing is necessary, by keeping track of who has those passwords and why. Using analytics on a database is also a way in which businesses can track when someone has got into a database using certain admin credentials.

Tech Tip – Create Calendar Events Directly From the Taskbar

One of the new features added to Windows 10 with the September (1909) update was to enable Calendar users to be able to simply create a Calendar event directly from the Calendar flyout on the Taskbar.

To add quickly and easily add your Calendar event:

– Click on the date and time at the lower right corner of the Taskbar to open the Calendar flyout.

– Pick your desired date and type your text box to identify your event.

– Use the Inline options to set a time and location.

Ex-Employee Claims Your G Suite Data Is Not Encrypted

A report by a former Google employee on the ‘Freedom of the Press Foundation’ website warns organisations that any data stored on Google’s G Suite is not encrypted, can be accessed by administrators and can be shared with law enforcement on request.

G Suite

G Suite is Google’s set of cloud-based computing, productivity and collaboration tools including Gmail, Drive (for your company documents) and Calendar.

Privacy Risk

Former Google employee Martin Shelton alleges that files stored within Google’s G Suite have no end-to-end encryption as other Google services do, thereby potentially leaving business data vulnerable to being viewed by Google and by other persons such as Administrators.  Mr Shelton reports that:

  • While Google leverages your G Suite user data for e.g. filtering for spam, malware or targeted attack detection, it can also scan a user’s Google account for content that is illegal, or in violation of Google’s policies.
  • U.S. agencies can compel Google to hand over relevant user data from G Suite accounts to aid in investigations.
  • Business versions of G Suite, such as G Suite Enterprise, offer administrators the tools to monitor users and search device data within the G Suite domain thereby giving them remarkable levels of transparency to users’ (employees’) Google activities,  For example, Administrators can search for Gmail and Google Drive content, and metadata (e.g. dates, subject lines, recipients), and can log and retain this data.
  • Administrators can monitor Gmail, Calendar, Drive, Sheets, Slides, and more, from desktop and mobile devices and can receive push alerts for certain (suspicious) behaviours.
  • Administrators can use audit logs to see who has looked at or modified each document within the organisation.

Not The First Time

This is not the first time that Google has made the news over G Suite privacy.  Back in July 2018, The Wall Street Journal highlighted how third-party developers could view Gmail users’ messages.

What Does This Mean For Your Business?

This is clearly some unwanted publicity for Google, particularly when there is fierce competition in the business Cloud services market.

The advice for those worried about G Suite’s privacy and security suggested by former Google employee Martin Shelton is to use G Suite mindfully and give yourself a G Suite audit (Gmail, Drive, and Google-connected activity on mobile devices).  This way, if you can see certain data you can assume that the administrator and Google are likely to also be able see it.

Also, if you are concerned about unknown administrators seeing your G Suite data you could consider trying to identify who your G Suite administrators are, what G Suite version you have, whether your organisation is using G Suite Business or Enterprise, finding out what rules have been set in Google Vault and audit logs, and what policies exist for administrative data retention and access.

Mr Shelton also suggests that users may wish to find another cloud service provider that has end-to-end encrypted format to store any particularly sensitive data, or to simply keep data offline or off a computer entirely.

Food Writer Loses £5,000 in Phone ‘Simjacking’

Well known food writer, Jack Monroe, has reported falling victim to criminals who were able to steal £5,000 from her bank and payment accounts in a “Simjacking” attack.

What Is Simjacking?

Simjacking, simswapping or ‘phone hijacking’ involves criminals being able to port a person’s mobile phone number over onto on another SIM card. This is often carried out by criminals who, armed with the necessary personal data of an intended victim, go to a phone shop and pose as a customer who wants to switch to a different mobile provider but keep their existing phone number.

In some cases it may involve mobile operator or phone shop staff members being paid to carry out the crime.  One of the first clues that you may be a victim of Sjmjacking is when your phone suddenly stops working.

£5,000 Taken

In Jack Monroe’s case, the food writer said in a Tweet that her card details and PayPal information were taken from an online transaction which meant that when her phone number was ported onto a new SIM, the criminals were able to “access/bypass authentication” and therefore authorise payments from her account.  In another Tweet, Jack Monroe appears to imply that her date of birth may have been found by the criminals on Wikipedia.

With £5,000 being taken, Jack Monroe Tweeted that, despite being “absolutely absurdly paranoid about security”, not using publicly available email addresses on any financial accounts, using “gobbledegook” letter/number/special character passwords and having two-step authentication on all accounts, the criminals were still able to make purchases and withdraw cash using her account.

Jack Monroe Tweeted the amount taken, saying that the criminals had “HELPED THEMSELVES to around five thousand of them” (pounds). “Total figure not in yet. I’m so white-hot angry”.

Problem Not Addressed

The fact that the crime was committed against a celebrity and has been widely reported appears to have ignited discussion about an area that some feel the mobile industry may not have been addressing.

Mobile Connect – Alternative

The reports have also highlighted possible alternative mobile authentication systems that are available. One example is Mobile Connect, the GSMA’s secure universal log-in solution that matches a user to their mobile phone and is believed to represent a new standard in security.

What Does This Mean For Your Business?

The fact that simjacking is still quite a common crime, and not just in the UK, could highlight the fact that the mobile industry is not putting in enough effort and resources to eradicate the problem. In the UK, some commentators have called for an investigation by the Information Commissioner’s Office (ICO) to see if mobile operators are meeting their obligations to safeguard services and data under telecom privacy rules and GDPR.

The GSMA’s Mobile Connect secure login solution, if adopted and championed by mobile operators and banks, could be one way that the challenges of a lack of collaboration and standardisation have posed to security (such as the security problems and breaches that are at the heart of crimes like Simjacking/phone number hijacking) can begin to be tackled.

Dyson Scraps “Not Commercially Viable” Electric Car

Dyson has scrapped its £2.5 billion ‘N526’ electric car project with Sir James Dyson announcing that it was “not commercially viable”.

So Close

The project, which could be traced back to 1993 with the development of a cyclonic vehicle exhaust that could 95 cut per cent of harmful emissions, evolved into the full-blown development of Dyson’s own electric car.  The ‘N526’ project employed 500 UK workers (aimed to roll out the first vehicles for sale in 2021) had a driveable prototype, and was on the verge of kitting-out its production factory in Singapore before the plug was pulled on what some saw as the founder’s expensive “vanity project”.

Battery Work To Continue

Despite the project to build a whole car being scrapped, Dyson has announced that work will continue on improving the battery technology that would have been used in the car.  Dyson had originally planned to invest £1 billion in development of the car and invest another £1 billion in developing the electric battery technology, something that was closer to its existing business.

Even though there was great sadness among Dyson employees, and a question mark hangs over the future of those employed in the UK electric car division, Sir James Dyson said that his company had successfully built a “fantastic electric car”.

What Went Wrong?

Producing vehicles and competing in a car market where there are already well-established and experienced car companies such as Volkswagen that is spending £50 billion on its own electric vehicle requires massive amounts of money, capital investment, and the addition of different core skills and competencies to the ones that Dyson has.  Also, Singapore (compared to China or Malaysia) looked likely to be an expensive place to manufacture the vehicles.

Even though Dyson’s team was able to relatively quickly produce a working prototype, and convince some media commentators that it would become a serious challenger with a high-risk, high level of difficulty ‘new product in a new market’, it looks likely that the numbers didn’t add up and Dyson chose to ‘stick to the knitting’ (its core business) and not to risk the whole company and its brand on the expensive venture.

Harley Davidson Too

Just as Dyson announced that it was scrapping its electric car project, U.S. motorcycle giant Harley-Davidson announced that it was halting production of its first electric motorbike.  In Harley Davidson’s case though, the stopping of production was down to an issue with its charging system.

What Does This Mean For Your Business?

Sir James Dyson’s positive view of this being more of change of direction of a project (which is not likely to be the last change of direction) must mask some sadness that the company came so close to producing an electric car which may have been well received on the back of the company’s adventurous and innovative image.  The numbers, however, simply wouldn’t stack up, and the announcement of Dyson pulling the plug is unlikely to have come as a major surprise to the long-established automotive players who know just what it takes to produce, supply and compete successfully in the car market.  That said, relatively new car market players and likely of competitor of Dyson, Tesla has established itself as a real contender in the electric car market with its Model 3.

New Law To Advance Fast Broadband Roll-Out Announced

Amendments to the UK’s Electronic Communications Code will give broadband operators compulsory rights to install their apparatus on another person’s property, thereby getting around the problem of landlords not responding to requests for access to blocks of flats and apartments.

The Challenge

The challenge that has prompted the government to seek changes to the current legislation has been a claim by broadband operators that 40% of their requests for access to blocks of flats and apartments have routinely received no response. This has been blamed for slowing down the UK government’s plans to deliver the target of national full-fibre coverage by 2025 and develop the kind of digital infrastructure that could boost growth and boost productivity.

The Law

Prior to 2017, the UK law that applied to relations between landlords and telecoms operators in respect installing and maintaining electronic communications apparatus on land and buildings was the Telecommunications Code in the Telecommunications Act 1984 (amended by the Communications Act 2003). This Telecommunications Code has now been replaced by the new Electronic Communications Code (as part of the Digital Economy Act 2017). The new code means that a broadband operator can now apply for compulsory rights to install apparatus on another person’s property.

It is thought this change to the law will mean that an extra 3,000 (estimated) residential buildings (flats and apartments) per year can now have modern broadband installed.

Rural Challenge

The government still faces a considerable challenge in getting more rural areas connected in order to meet its broadband and mobile network roll-out targets, and there is currently a digital divide between urban and rural areas of the UK.  The government has recently announced, however, that £5bn new funding will be made available to bring gigabit-capable broadband to harder-to-reach, rural parts of the UK as well as a change in planning rules to help the roll-out of 5G.

What Does This Mean For Your Business?

Now that operators don’t have to wait for responses from landlords, this could make the chance of the government meeting its broadband targets a little more likely and could help boost the economy.

Broadband is an essential service for business and despite this positive change in the law, many UK business owners still know that broadband services in the UK can sometimes be patchy and often expensive, while ‘Which?’ research shows that the UK ranks only 31st in the world for average broadband speeds. Those businesses in rural areas are also finding themselves facing the challenge of a growing digital divide between rural and urban that is adversely affecting their competitiveness.

Even with this change in the law, being able to meet the target of national full-fibre coverage by 2025 is a big ask and it is estimated that the UK may only have 7% full-fibre coverage by 2020.