The UK government has today announced new laws to help ensure the security of Internet of Things (IoT) and smart devices.
Makers of smart devices including phones, speakers, and doorbells will need to tell customers upfront how long a product will be guaranteed to receive vital security updates under new government plans to protect people from cyberattacks.
New figures commissioned by the government show almost half (49 percent) of UK residents have purchased at least one smart device since the start of the coronavirus pandemic. However, many of these smart watches, TVs and cameras remain vulnerable to cyberattacks.
Just one vulnerable device can put a user’s network at risk. In 2017, attackers succeeded in stealing data from a North American casino via an internet-connected fish tank. In extreme cases, hostile groups have taken advantage of poor security features to access people’s webcams.
To counter this threat, the government is planning a new law to make sure virtually all smart devices meet new requirements. Customers must be told at the point of sale how long a smart device will receive security software updates. There will be a ban on manufacturers using universal default passwords, such as ‘password’ or ‘admin’, that are often pre-set in a device’s factory settings and are easily guessable. Additionally, manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.
The government published a code of practice for device manufacturers to boost the security of their products in 2018. And last year DCMS and the NCSC collaborated with global standards body European Telecommunications Standards Institute (ETSI) to develop the first major international standard for the security of smart devices.
Smartphones are the latest product to be put in scope of the planned Secure By Design legislation, following a call for views on smart device cybersecurity to which the government has responded today. It comes after research from consumer group Which? found a third of people kept their last phone for four years, while some brands only offer security updates for a little over two years.
“Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems,” said Digital Infrastructure Minister Matt Warman.
“We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.
“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”
Research from University College London found none of the 270 smart products it assessed displayed information setting out the length of time the device would receive security updates at the point of sale or in the accompanying product paperwork.
The government says that forcing tech firms to be upfront about when devices will no longer be supported will help prevent users from leaving themselves open to cyber threats. Currently, just one in five global manufacturers have a mechanism in place to allow security researchers to report vulnerabilities.
The Internet of Secure Things (IoXT) Alliance has applauded the move. “Requiring unique passwords, operating a vulnerability disclosure programme, and informing consumers on the length of time products will be supported is a minimum that any manufacturer should provide,” said IoXT CTO Brad Ree.
The government’s Cyber Security Breaches Survey 2021 report last month showed the cyber risk to organisations is heightened because of the pandemic, which has made securing digital environments more challenging as organisational resources are diverted to facilitating home working for staff.
The government says it intends to introduce legislation “as soon as parliamentary time allows.”