The government has published proposals for a new law aimed at protecting millions of IoT and smart devices from cyber criminals.

The proposals, drawn up by the Department for Digital, Culture, Media and Sport (DCMS) and supported by the National Cyber Security Centre (NCSC), detail the government’s plans to raise the security standard for all consumer smart products sold in the UK.

Consumer smart products can be the weak points of entry for hackers looking to breach someone’s home network and owners are often unaware that the default passwords or outdated software which can come as standard on a new device can lead to a range of harms, including the invasion of privacy, fraud or even physical harm.

As a first step the standard will make sure they adhere to three important requirements, which may be expanded on over time in consultation with stakeholders.

The three requirements are:

Device passwords must be unique and not resettable to any universal factory setting;

Manufacturers must provide a public point of contact so anyone can report a vulnerability;

Information stating the minimum length of time for which the device will receive security updates must be provided to customers.

In the 2016 Mirai botnet attack, hackers gained access to thousands of IoT products through common default passwords to launch an attack that overwhelmed servers leaving much of the internet inaccessible on the US east coast.

Shoppers are being urged to look at information on the duration of security update periods when choosing a smart product and people are still encouraged to follow NCSC guidance and change default passwords as well as regularly update apps and software to help protect their devices from cyber criminals.

This latest move by government is a step towards bringing robust security requirements for consumer smart products, such as smart speakers, kitchen appliances or cameras, into law.

Research cited by the government suggests there are now 20 billion smart devices - known as the Internet of Things (IoT) - in use around the world.

But, the government warned, only around 13 per cent of manufacturers are embedding even the most basic approaches to cyber security and privacy in their products.

The government published a code of practice for consumer IoT security for manufacturers in 2018.

Last month DCMS and the NCSC also announced they were collaborating with global standards body European Telecommunications Standards Institute (ETSI) to develop the first major international standard for the security of smart devices, which will help protect consumers around the world from falling victim to cyber hacks through security vulnerabilities in devices bought on the global market.

The call for views also sets out the scope of the rules, what industry will need to do to comply with the new laws and an overview of industry guidance to be produced, as well as information on potential powers granted to the enforcement body.

These could include powers to:

-Temporarily ban the supply or sale of the product while tests are undertaken;
-Permanently ban insecure products, if a breach of the regulations is identified;
-Serve a recall notice, compelling manufacturers or retailers to take steps to organise the return of the insecure product from consumers;
-Apply to the court for an order for the confiscation or destruction of a dangerous product
-Issue a penalty notice imposing a fine directly on a business.

The government said the proposals will also aim to future proof legislation in an “age of rapid technological change and innovation” adding that it will be looking for industry, academics and consumer groups to feed back on the plans.

Digital infrastructure minister Matt Warman said: “This is a significant step forward in our plans to help make sure smart products are secure and people’s privacy is protected.

“I urge organisations to respond to these proposals so we can make the UK the safest place to be online with pro-innovation regulation that inspires consumer confidence in our tech products. People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cyber criminals,” he added.

Share Story: