Internet-connected devices to display cyber-security resilience labels

The label would tell consumers how secure their products such as Smart TVs, toys and appliances are and would mandate that retailers will only be able to sell products with an Internet of Things (IoT) security label.

Following the consultation, the Government said it would launch the labelling scheme on a voluntary basis before decisions over whether to make it mandatory come into play.

The labelling system will make it clearer which products adhere to security requirements that are set out in the current ‘Secure by Design’ code of practice.

These requirements include that IoT device passwords must be unique and not resettable to any universal factory setting; manufacturers of IoT products must provide a public point of contact as part of a vulnerability disclosure policy, and that manufacturers must explicitly state the minimum length of time for which the device will receive security updates through an end-of-life policy.

The scheme will form part of a wider Government consultation into improving general cyber security in the UK.

Last month, the Government’s annual ‘Cyber Governance Health Check’ report found that many board directors of the UK’s top firms admit to not having full understanding of the impact of loss or disruption associated with cyber threats, despite having a cyber-security strategy in place.

“Many consumer products that are connected to the internet are often found to be insecure, putting consumers’ privacy and security at risk,” said digital minister Margot James.

“Our code of practice was the first step towards making sure that products have safety features built in from the design stage and not bolted on as an afterthought.

“These new proposals will help to improve the safety of internet-connected devices and is another milestone in our bid to be a global leader in online safety.”

Smart home devices, most notably smart speakers, have become increasingly popular in the UK. Research last year found that one in 10 people in the UK owned at least one such device.

Dr Ian Levy, technical director at the National Cyber Security Centre (NCSC), said the latest step to target connected devices is crucial to reduce failings in the industry.

“Serious security problems in consumer IoT devices, such as preset unchangeable passwords, continue to be discovered and it’s unacceptable that these are not being fixed by manufacturers,” he said.

“This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes.”

The Government said it was working with international partners to ensure the guidelines created a consistent approach to the security of connected devices.