UK rolls out new consumer safeguards for smart devices
From today, all new internet-connected smart devices sold in the UK will be required by law to meet minimum security standards.
The UK becomes the first country in the world to legally require manufacturers to protect consumers from hackers and cyber criminals accessing devices with internet or network connectivity.
Under the new rules, manufacturers will be banned from having weak, easily guessable default passwords like 'admin' or '12345', and if there is a common password the user will be prompted to change it on start-up.
Data and Digital Infrastructure Minister Julia Lopez says:
Today marks a new era where consumers can have greater confidence that their smart devices, such as phones and broadband routers, are shielded from cyber threats, and the integrity of personal privacy, data and finances better protected.
Our pledge to establish the UK as the global standard for online safety takes a big step forward with these regulations, moving us closer to our goal of a digitally secure future.
The laws come into force as part of the Product Security and Telecommunications Infrastructure (PSTI) regime, which has been designed to improve the UK’s resilience against cyber-attacks and ensure malign interference does not impact the wider UK and global economy. As well as banning easily guessable default passwords, the regime requires manufacturers to publish contact details so bugs and issues can be reported and dealt with. They will also have to be open with consumers about the minimum time for which they can expect to receive important security updates.
Industry figures have welcomed the move. "It's refreshing to see a move towards mandating stronger built-in security measures and a fundamental move that shifts some of the onus of security from consumers, who might not be cyber-savvy, back onto the manufacturers," says Javvad Malik, lead security awareness advocate at KnowBe4. "Manufacturers will need to ensure their devices can’t just be hijacked by anyone with a list of default passwords, as we saw with the case of the Mirai botnet."
Mayur Upadhyaya, CEO of APIContext, says, "The new UK law requiring stronger security for smart devices, including eliminating weak passwords, is a welcome step forward for consumer cybersecurity. This forces manufacturers to prioritize security from the outset, significantly reducing the risk of unauthorized access and cyberattacks. Consumers benefit from a baseline level of protection 'out of the box,' while manufacturers may see long-term gains in consumer trust and sales."
You can find out more about the new rules in a point-of-sale leaflet issued by the National Cyber Security Centre.