The new law announced today aims to ensure shoppers know how long products are supported with vital security updates before they buy.
With the popularity of smart devices on the rise, 57% of consumers reported increased use since the start of the pandemic.
87% of consumers think smart devices should have privacy and security features as standard.
Just 20% of consumers have previously checked to see if a new smart device has a default password which can make devices vulnerable to hacks.
Makers of smart devices, including phones, speakers, and doorbells (companies such as Apple, Samsung and Google) will need to tell customers up front how long a product will be guaranteed to receive vital security updates under groundbreaking plans to protect people from cyber attacks.
New figures commissioned by the government show that 49% of UK residents have purchased at least one smart device since the start of the coronavirus pandemic. Products such as smartwatches, TVs and cameras are used by consumers daily and offer many benefits, but many are still vulnerable to cyber-attacks.
Just one vulnerable device can put a user’s or business' network at risk. In 2017, cybercriminals could steal data from a North American casino via an internet-connected fish tank. In extreme cases, groups can take advantage of poor security features to gain access to webcams.
To counter this growing threat, the government's plan is to introduce this new law to make sure virtually all smart devices meet new requirements:
Customers must be informed at the point of sale of the duration of time for which a smart device will receive security software updates.
A ban on manufacturers using universal default passwords, such as ‘password’ or ‘admin’, that are often present in a device’s factory settings and can be easily hacked.
Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a security vulnerability.
Smartphones are the latest product to be put in the scope of the planned Secure By Design legislation, following a call for views on smart device cyber security the government has responded to today.
Consumer group Which? Found that a third of people kept their last phone for four years, while some brands only offer security updates for two years.
The government urges people to follow NCSC guidance, change default passwords, and regularly update apps and software to help protect their devices from cybercriminals.
Ensuring that security updates are in place is crucial for protecting people and businesses against cybercriminals trying to hack devices. Learn more about cyber security with our Cyber Resilience Centre Membership today.
National Cyber Security Centre Technical Director Dr Ian Levy said:
"Consumers are increasingly reliant on connected products at work and at home. The Covid-19 pandemic has only accelerated this trend, and while manufacturers of these devices are improving security practices gradually, it is not yet good enough.
DCMS’ publication builds on the 2018 Code of Practice and ETSI EN 303 645 to clearly outline the industry's expectations. To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now.
It is also important to support the uptake of good practices and provide the industry with opportunities to innovate. I’m pleased to see the pilots, funded by DCMS, begin to test ways in which customers can gain confidence in the security of these devices."
John Moor, Managing Director of the Internet of Things Security Foundation, said:
"We welcome this announcement as a necessary and considered development to make consumers safer. As an expert body, we welcome the clarity it brings for our manufacturing members both now and moving forwards.
The Internet of Things is constantly evolving, and security requirements must continue to keep pace. As such, the importance of vulnerability management and updating security software cannot be understated. In the words of one of our members: ‘Remember, if it ain’t secure, it ain’t smart’."
