Makers of smart devices including phones, speakers, and doorbells will need to tell customers upfront how long a product will be guaranteed to receive vital security updates under groundbreaking plans to protect people from cyber attacks.
New figures commissioned by the government show almost half (49%) of UK residents have purchased at least one smart device since the start of the coronavirus pandemic. These everyday products – such as smart watches, TVs and cameras – offer a huge range of benefits, yet many remain vulnerable to cyber attacks.
Just one vulnerable device can put a user’s whole network at risk. In 2017, attackers infamously succeeded in stealing data from a North American casino after gaining access through an internet-connected fish tank. In extreme cases hostile groups have taken advantage of weak device security to access people’s webcams.
To counter this threat, the government is planning a new law to make sure virtually all smart devices meet new requirements:
- Customers must be informed at the point of sale the duration of time for which a smart device will receive security software updates
- A ban on manufacturers using universal default passwords – the same easily guessable credential, such as ‘password’ or ‘admin’, preset in the factory settings of every unit of a product
- Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.
Smartphones are the latest product to be put in scope of the planned Secure By Design legislation, following a call for views on smart device cyber security to which the government has responded today.
It comes after research from consumer group Which? found a third of people kept their last phone for four years, while some brands only offer security updates for a little over two years.
The government continues to urge people to follow NCSC guidance and change default passwords as well as regularly update apps and software to help protect their devices from cyber criminals.
Digital Infrastructure Minister Matt Warman said:
Security updates are a crucial tool for protecting people against cyber criminals trying to hack devices.
Yet research from University College London found none of the 270 smart products it assessed displayed information setting out the length of time the device would receive security updates at the point of sale or in the accompanying product paperwork.
By forcing tech firms to be upfront about when devices will no longer be supported, the law will help prevent users from unwittingly leaving themselves open to cyber threats by continuing to use an older device that no longer receives security updates.
Just one in five global manufacturers have a mechanism in place to allow security researchers – firms and individuals who find security flaws in devices – to report vulnerabilities.
These moves have been supported by important tech associations across the globe including the Internet of Secure Things (IoXT), whose members include some of the world’s biggest tech companies including Google, Amazon and Facebook.
Brad Ree, CTO of the Internet of Secure Things (IoXT) Alliance, said:
The new law builds upon world-leading work the government has already done to boost the security of smart devices, including publishing a code of practice for device manufacturers to boost the security of their products in 2018.
Last month the Digital Secretary Oliver Dowden set out his ten tech priorities which included keeping the UK safe and secure online and the government published its groundbreaking Integrated Review of defence and security.
The government also played a vital role in developing the first major international standard for consumer device cyber security (ETSI EN 303 645) to help manufacturers protect consumers around the world from falling victim to cyber attacks.
This standard has been supported by the Cybersecurity Tech Accord (CTA), an industry association whose members include Arm, Microsoft and Dell, and has also been promoted in Australia, Singapore, Finland and India – demonstrating Britain’s global influence as a cyber power.
Three new voluntary assurance schemes have been launched recently to give shoppers confidence a smart product has been made cyber secure, thanks to a £400,000 government grant.
- The Stockport-based Internet of Toys Assurance Scheme will allow parents to know from the outset whether a smart toy they are buying their children has been tested and meets the minimum security requirements
- The Smart TV Cybersecurity Certification programme will provide third-party testing and give confidence to buyers of smart TV products by allowing approved devices to display a certification logo
- The IASME IoT Security Assured initiative will be open to start-ups and smaller companies to carry out verified cyber security self-assessment of their products to ensure they meet high standards.
National Cyber Security Centre Technical Director Dr Ian Levy said:
Annalaura Gallo, Head of the Cybersecurity Tech Accord secretariat, said:
John Moor, Managing Director of the Internet of Things Security Foundation, said:
Rocio Concha, Director of Policy and Advocacy at Which?, said:
The government says it intends to introduce legislation as soon as parliamentary time allows.