Consumer IoT security must meet UK requirements, government insists
The Department for Digital, Culture, Media, and Sport has revealed its plans for ensuring that connected devices sold to UK consumers adhere to security requirements.
According to the plans, all consumer smart devices must adhere to three security requirements: their passwords must be unique and not resettable to a universal factory setting; manufacturers must provide a public point of contact so that anyone can report a vulnerability, and manufacturers must state the minimum period for which the device will receive security updates at point of sale.
The measures were developed along with industry and the National Cyber Security Centre (NCSC). They follow the government’s 2018 voluntary 'Secure by Design' code of practice for consumer IoT devices, which advocated stronger security measures to be built into connected devices at the design stage.
“We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology,” said Matt Warman, digital minister. “Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety.”
“It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”
Research suggests that there will be 75 billion consumer IoT devices – such as connected televisions, home security cameras and other appliances – in homes by the end of 2025. Security experts frequently raise concerns about the often-poor cyber-security practices associated with these devices, and the dangerous possibilities of domestic IoT devices being hacked.
“Smart technology is increasingly central to the way we live our lives, so the development of this legislation to ensure that we are better protected is hugely welcomed,” said Nicola Hudson, policy and communications director at the NCSC.
“It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past.”
Matthew Evans, director of markets for techUK, commented: “Consumer IoT devices can deliver real benefits to individuals and society, but techUK’s research shows that concerns over poor security practices act as a significant barrier to their take-up. TechUK is therefore supportive of the government’s commitment to legislate for cyber security to be built into consumer IoT products from the design stage.”
Last year, the government considered requiring connected devices to be sold with labels informing consumers how resilient they are to hacking. Security labels will be run on a voluntary basis beginning this year, with the government considering a permanent decision on whether all connected devices should have these labels.
Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.