UK Government advances plans to boost security of smart products

The government has recently published proposals for a new law that will help protect millions of smart device users from cyber criminals.

The proposals, drawn up by the Department for Digital, Culture, Media and Sport (DCMS) and supported by the technical expertise of the National Cyber Security Centre (NCSC), detail the government’s plans to raise the security standard for all consumer smart products sold in the UK.

As a first step the standard will make sure they adhere to three important requirements, which may be expanded on over time in consultation with stakeholders. The three requirements are:

  • Device passwords must be unique and not resettable to any universal factory setting;

  • Manufacturers must provide a public point of contact so anyone can report a vulnerability;

  • Information stating the minimum length of time for which the device will receive security updates must be provided to customers.

This latest move by government is a significant step towards bringing robust security requirements for consumer smart products, such as smart speakers, kitchen appliances or cameras, into law as part of its ambition to make the UK the safest place to be online.

Research suggests there are now 20 billion smart devices – known as the Internet of Things (IoT) – in use around the world. But with only around 13 per cent of manufacturers embedding even the most basic approaches to cyber security in their products, people’s privacy and security is at risk.

Digital Infrastructure Minister Matt Warman said:“This is a significant step forward in our plans to help make sure smart products are secure and people’s privacy is protected. I urge organisations to respond to these proposals so we can make the UK the safest place to be online with pro-innovation regulation that inspires consumer confidence in our tech products.

“People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cyber criminals.”

The proposals will also aim to future proof legislation in an age of rapid technological change and innovation, and the government will be looking for industry, academics and consumer groups to feed back on the plans.

Consumer smart products can be the weak points of entry for hackers looking to breach someone’s home network and owners are often unaware that the default passwords or outdated software which can come as standard on a new device can lead to a range of harms, including the invasion of privacy, fraud or even physical harm.

National Cyber Security Centre Technical Director Dr Ian Levy said:“People are at risk because fundamental security flaws in their connected devices are often not fixed – and manufacturers need to take this seriously.

“We would encourage all consumer device manufacturers to make their views heard and help us ensure the technology people bring into their homes is as safe and secure as possible.”

British Retail Consortium Assistant Director Graham Wynn said: “Internet of Things products are quickly growing in popularity but most people still do not realise the dangers to personal data from smart products that are insecure.

“We welcome practical proposals from the government based on the three rigorous requirements to ensure that consumers’ safety and privacy are protected.”