UK Government Pressing Ahead with New IoT Law Amid Pandemic Smart Device Surge

The UK government is pushing forward with legislation that imposes new security obligations on the manufacturers of Internet of Things (IoT) devices, the Department of Digital, Media and Sport (DCMS) announced today.

The announcement has come amid growing use of IoT devices, with the UK government highlighting figures from the end of last year showing that almost half (49%) of UK residents have purchased at least one smart device since the start of the COVID-19 pandemic. There have been numerous security concerns with these devices in recent years, which need to be addressed to keep consumers and businesses safe.

Smartphones will now be in scope of the secure by design legislation, with the government pointing to recent research by Which? that found that a third of people kept their last phone for four years, while some brands only offer security updates for a little over two years.

Among the provisions of the law, makers of smart devices such as phones, speakers and doorbells will be required to inform customers how long a product will be guaranteed to receive security software updates. Manufacturers will also be banned from using universal default passwords that are easily guessable like ‘password’ or ‘admin’ in a device’s factory settings.

Additionally, they will be obliged to provide a public point of contact to make it easier for anyone to report a vulnerability.

The laws were initially proposed at the start of last year, building on a non-binding code of practice introduced in 2018.

The government added it will introduce the legislation as soon as parliamentary time allows.

Digital Infrastructure Minister Matt Warman said: “Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems.

“We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.

“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”

Yesterday, the open industry alliance, FIDO, announced the development of a new standard to help onboard IoT devices quickly and securely.
