Cyber security rules introduced for connected devices

A new bill introduced this week will allow the government to ban universal default passwords in connected devices, will force firms to be transparent with customers about what they are doing to fix security flaws in connectable products, and will create a public reporting system for vulnerabilities.

The Product Security and Telecommunications Infrastructure Bill applies to smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants and smart home appliances such as washing machines and fridges. It also applies to products that can connect to multiple other devices but not directly to the internet, such as smart light bulbs, thermostats and wearable fitness trackers.

The new laws will apply not only to manufacturers, but also to other businesses, including both physical shops and online retailers, which enable the sale of millions of cheap tech imports into the UK. Retailers will be forbidden from selling products to UK customers unless they meet the security requirements, and will be required to pass important information about security updates on to customers. Firms may be fined up to £10m or 4% of global revenue for failure to comply.

The government intends to exempt some products where inclusion would subject them to double regulation or would not lead to material improvements in product or user security. This includes vehicles, smart meters, electric vehicle charging points and medical devices. Desktops and laptops are not in scope because they are served by a mature antivirus software market, unlike smart speakers and other emerging consumer tech.

Commenting on the new rules, Rocio Concha, Which? director of policy and advocacy, said: “Which? has worked with successive governments on how to crack down on a flood of poorly-designed and insecure products that leave consumers vulnerable to cyber-criminals – so it is positive that this bill is being introduced to parliament.

“The government needs to ensure these new laws apply to online marketplaces, where Which? has frequently found security-risk products being sold at scale, to prevent people from buying smart devices that leave them exposed to scams and data breaches.”

Jake Moore, the former head of digital forensics at Dorset Police and now cybersecurity specialist at global cybersecurity firm ESET, added: “This is the start of a huge movement towards a safer online society but it won’t be changing overnight. These proposals are exactly what is required to help guide people in the right direction after typical security measures by design haven’t been strong enough to help those who desperately need it.

“Finally seeing an end to simple admin passwords has been a long time coming but these have often been in place for customer ease. The balance between ease of use and security is a fine and difficult level to balance but with the right education it can be extremely effective.

“Security updates are vital on IoT devices but people often see these as an inconvenient bore so although devices will soon come with an expiry date to patches, this might not affect the majority of people’s buying habits until they are fully aware of the reasons behind these proposals.”

In the first half of 2021, there were 1.5 billion attempted compromises of IoT devices, which is understood to be double the 2020 figure.
