New government legislation has been introduced to protect people’s smart devices from being hacked.
The Product Security and Telecommunications Infrastructure Bill will give ministers new powers to bring in tougher security standards for device makers, including:
- Banning easy-to-guess default passwords preloaded on devices. All products now need unique passwords that cannot be reset to factory default.
- Informing customers, when they buy a device, of the minimum time for which it will receive vital security updates. If a product doesn’t come with security updates, this must also be disclosed.
- Giving security researchers a public point of contact to report flaws and bugs.
The rules will apply not just to the makers of digital products, but also to businesses which sell cheap tech imports in the UK, such as smartphones, routers, security cameras, games consoles, home speakers and internet-enabled white goods and toys. Vehicles, smart meters, medical devices, and desktop and laptop computers are not, however, covered by the Bill.
This new cyber security regime will be overseen by a regulator, which will have the power to fine companies for non-compliance up to £10 million or 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.
The regulator will also be able to issue notices to companies requiring that they comply with the security requirements, recall their products, or stop selling or supplying them altogether. As new threats emerge or standards develop, ministers will also have the power to mandate further security requirements for companies to follow via secondary legislation.
The use of connected products has dramatically increased: it is estimated that the average UK household has around nine linked devices, and forecasts now suggest there could be up to 50 billion worldwide by 2030. People overwhelmingly assume these products are secure, but only one in five manufacturers have appropriate security measures in place for their connectable products.
Cyber criminals are increasingly targeting these products. A recent investigation by Which? found a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week.
Currently the makers of digital tech products must comply with rules to stop them causing people physical harm from issues such as overheating, sharp components or electric shock. But there is no regulation to protect consumers from harm caused by cyber breaches, which can include fraud and theft of personal data.
Rocio Concha, Which? Director of Policy and Advocacy, said:
“Which? has worked with successive governments on how to crack down on a flood of poorly-designed and insecure products that leave consumers vulnerable to cyber-criminals – so it is positive that this Bill is being introduced to parliament. The government needs to ensure these new laws apply to online marketplaces, where Which? has frequently found security-risk products being sold at scale, to prevent people from buying smart devices that leave them exposed to scams and data breaches.”
Julia Lopez, Minister for Media, Data and Digital Infrastructure, said:
“Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft. Our bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”
NCSC Technical Director Dr Ian Levy said:
“I am delighted by the introduction of this bill which will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security. The requirements this bill introduces – which were developed jointly by DCMS and the NCSC with industry consultation – mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice.”