The government has told makers of smart devices – including Apple, Samsung, and Google – that they will need to inform consumers how long these products will receive security updates for.
Smart devices such as phones and speakers, sometimes called Internet of Things (IoT) devices, are a common way for cybercriminals to infiltrate systems.
In 2018, 10 gigabytes of confidential data were stolen from a US casino via an internet-connected fish tank, according to a Darktrace report.
The new law seeks to help prevent users from unwittingly leaving themselves open to cyber threats by using an older device whose security could be outdated.
A report from Which? cited by the government found a third of people kept their last phone for four years, while some brands only offer security updates for a little over two years.
The new rules will also make it easier for people to report software bugs that can be exploited by hackers and see easy-to-guess default passwords banned on virtually all devices.
Just one in five global manufacturers have a mechanism in place to allow security researchers, firms and individuals who find security flaws in devices to report vulnerabilities, claimed the government.
“Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems,” said digital infrastructure minister Matt Warman. “We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.”
“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”
He added: “Security updates are a crucial tool for protecting people against cyber criminals trying to hack devices.”
“We applaud the UK government for taking this critical step to demand more from IoT device manufacturers and to better protect the consumers and businesses that use them,” said Brad Ree, chief technology officer of the Internet of Secure Things (IoXT) Alliance.
He added: “Requiring unique passwords, operating a vulnerability disclosure program, and informing consumers on the length of time products will be supported is a minimum that any manufacturer should provide.”