UK lays out security requirements for smart devices
The UK government has published its proposals for ensuring the security of connected devices, with manufacturers whose products fail to meet security requirements facing bans from selling these products.
Security experts have been sounding the alarm over the lax security practices associated with many smart devices, warning that a worrying number of these devices require virtually no effort or expertise to hack because they are open to the internet with either no password protection or a default password. Other concerns about smart devices include data privacy issues and a lack of guaranteed support, such as security updates, which could render devices obsolete faster than their “dumb” counterparts.
Now, the Department for Digital, Culture, Media, and Sport has laid out its proposals, which would introduce the legal requirement for certain basic security measures in connected devices such as smart speakers, connected household appliances, and wearables. The proposals were developed with input from the National Cyber Security Centre (NCSC).
Under these rules, manufacturers would need to ship devices with unique passwords that cannot be reset to a universal factory setting. They would also need to provide a public contact for customers to report vulnerabilities, and be transparent about the minimum length of time for which a device will continue to receive security updates.
Manufacturers who fail to follow these rules could be temporarily banned from selling their dodgy products while investigations are carried out or permanently banned if the product is found to be insecure. Regulators could be given the power to issue fines, recall notices, and court orders for the confiscation and destruction of dangerous products.
The government cited a recent study from the IoT Security Foundation which found that just 13 per cent of smart device manufacturers are embedding even the most basic cyber-security measures in their products.
Matt Warman, the Digital Infrastructure Minister, described the proposals as a significant step forward in the government’s plans to secure smart products: “I urge organisations to respond to these proposals so we can make the UK the safest place to be online with pro-innovation regulation that inspires consumer confidence in our tech products,” he said.
Dr Ian Levy, technical director of the NCSC, commented: “People are at risk because fundamental security flaws in their connected devices are often not fixed, and manufacturers need to take this seriously. We would encourage all consumer device manufacturers to make their views heard and help us ensure the technology people bring into their homes is as safe and secure as possible.”
Rocio Concha of consumer group Which? said: “Which? has repeatedly exposed popular connected devices with serious security flaws that fall well short of agreed voluntary standards, and leave consumers at the mercy of cyber criminals – so new laws to tackle this issue are an important step and can’t come soon enough.”
“Legislation, which must be backed by strong enforcement, should be introduced as soon as possible. In the meantime, retailers and online marketplaces must do more to prevent blatantly unsecure products being sold and manufacturers need to be more proactive at addressing security issues with their products.”