The new law announced today aims to ensure shoppers know how long products are supported with vital security updates before they buy.
With the popularity of smart devices on the rise, 57% of consumers reporting an increase in their use since the start of the pandemic.
87% of consumers think smart devices should come with privacy and security features as standard.
Just 20% of consumers have previously checked to see if a new smart device has a default password which can make devices vulnerable to hacks.
Makers of smart devices including phones, speakers, and doorbells (companies such as Apple, Samsung and Google) will need to tell customers up front how long a product will be guaranteed to receive vital security updates under groundbreaking plans to protect people from cyber attacks.
New figures commissioned by the government show that 49% of UK residents have purchased at least one smart device since the start of the coronavirus pandemic. Products such as smartwatches, TVs and cameras are used by consumers every day and offer a huge range of benefits, but many are still vulnerable to cyber attacks.
Just one vulnerable device can put a user’s or business' network at risk. In 2017, cybercriminals were able to steal data from a North American casino via an internet-connected fish tank. In extreme cases, groups can take advantage of poor security features to gain access to webcams.
To counter this growing threat, the government's plan is to introduce this new law to make sure virtually all smart devices meet new requirements:
Customers must be informed at the point of sale of the duration of time for which a smart device will receive security software updates.
A ban on manufacturers using universal default passwords, such as ‘password’ or ‘admin’, that are often preset in a device’s factory settings and can be easily hacked.
Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a security vulnerability.
Smartphones are the latest product to be put in the scope of the planned Secure By Design legislation, following a call for views on smart device cyber security the government has responded to today.
Consumer group Which? found that a third of people kept their last phone for four years, while some brands only offer security updates for two years.
The government continues to urge people to follow NCSC guidance and change default passwords as well as regularly update apps and software to help protect their devices from cybercriminals.
Ensuring that security updates are in place, are a crucial tool for protecting people and businesses against cybercriminals trying to hack devices. Learn more about cyber security with our Cyber Resilience Centre Membership, learn more today.
National Cyber Security Centre Technical Director Dr Ian Levy said:
"Consumers are increasingly reliant on connected products at work and at home. The Covid-19 pandemic has only accelerated this trend and while manufacturers of these devices are improving security practices gradually, it is not yet good enough.
DCMS’ publication builds on the 2018 Code of Practice and ETSI EN 303 645 to clearly outline the expectations on industry. To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now.
It is also important to support uptake of good practice and provide industry with opportunities to innovate. I’m pleased to see the pilots, funded by DCMS, begin to test ways in which customers will be able to gain confidence in the security of these devices."
John Moor, Managing Director of the Internet of Things Security Foundation, said:
"We welcome this announcement as a necessary and considered development to make consumers safer. As an expert body, we welcome the clarity it brings for our manufacturing members both now and moving forwards.
The Internet of Things is constantly evolving and security requirements must continue to keep pace. As such, the importance of vulnerability management and updating security software cannot be understated. In the words of one of our members: ‘remember, if it ain’t secure, it ain’t smart’."