Tougher laws for UK’s internet-enabled smart devices
Manufacturers will have to follow stricter rules if they want to sell internet-enabled ‘smart’ gadgets such as smart speakers and security cameras as a new law comes into force.
From today, manufacturers will be legally required to protect consumers from hackers and cyber criminals from accessing devices with internet or network connectivity – from smartphones to games consoles and connected fridges – as the UK becomes the first country in the world to introduce these laws.
Under the new regime, manufacturers will be banned from having weak, easily guessable default passwords such as ‘admin’ or ‘12345’ and if there is a common password the user will be promoted to change it on start-up.
This will help prevent threats like the damaging Mirai attack in 2016 which saw 300,000 smart products compromised due to weak security features and used to attack major internet platforms and services, leaving much of the US East Coast without internet. Since then, similar attacks have occurred on UK banks including Lloyds and RBS leading to disruption to customers.
The move marks a significant step towards boosting the UK’s resilience towards cyber-crime, as recent figures show 99% of UK adults own at least one smart device and UK households own an average of nine connected devices. The new regime will also help give customers confidence in buying and using products, which will in turn help grow businesses and the economy.
An investigation conducted by Which? showed that a home filled with smart devices could be exposed to more than 12,000 hacking attacks from across the world in a single week, with a total of 2,684 attempts to guess weak default passwords on just five devices.
The new measures will introduce a series of improved security protections to tackle the threat of cyber-crime including:
* Common or easily guessable passwords like ‘admin’ or ‘12345’ will be banned to prevent vulnerabilities and hacking
* Manufacturers will have to publish contact details so bugs and issues can be reported and dealt with
* Manufacturers and retailers will have to be open with consumers on the minimum time they can expect to receive important security updates
Says Data and Digital Infrastructure Minister Julia Lopez:
“Today marks a new era where consumers can have greater confidence that their smart devices, such as phones and broadband routers, are shielded from cyber threats, and the integrity of personal privacy, data and finances better protected.
“Our pledge to establish the UK as the global standard for online safety takes a big step forward with these regulations, moving us closer to our goal of a digitally secure future.”
Adds Rocio Concha, Which? Director of Policy and Advocacy:
“Which? has been instrumental in pushing for these new laws which will give consumers using smart products vital protections against cyber criminals looking to launch hacking attacks and steal their personal information.
“The OPSS (Office for Product Safety and Standards) must provide industry with clear guidance and be prepared to take strong enforcement action against manufacturers if they flout the law, but we also expect smart device brands to do right by their customers from day one, and ensure shoppers can easily find information on how long their devices will be supported and make informed purchases.”
With 57% of households owning a smart TV, 53% owning a voice assistant and 49% owning a smart watch or fitness wristband, this new regime reinforces the government’s claim it is addressing these threats to society and the economy head-on.
The laws are coming into force as part of the Product Security and Telecommunications Infrastructure (PSTI) regime, which has been designed to improve the UK’s resilience from cyber-attacks and ensure malign interference does not impact the wider UK and global economy.
