Government seeks to boost security of smart products

The government has published new proposals for a new law that will help protect millions of smart device users from cyber criminals.

Drawn up by the Department for Digital, Culture, Media and Sport and supported by the National Cyber Security Centre, the proposals detail the government’s plans to raise the security standard for all consumer smart products sold in the UK.

Firstly they will have to adhere to three important requirements, which may be expanded on over time in consultation with stakeholders. The three requirements are: device passwords must be unique and not resettable to any universal factory setting; manufacturers must provide a public point of contact so anyone can report a vulnerability; and information stating the minimum length of time for which the device will receive security updates must be provided to customers.

Research suggests there are now 20 billion smart devices - known as the Internet of Things (IoT) - in use around the world. But with only around 13 per cent of manufacturers embedding even the most basic approaches to cyber security in their products, people’s privacy and security is at risk.

Insecure smart devices enable more widespread and destabilising cyber attacks on infrastructure and services. In the 2016 Mirai botnet attack, hackers gained access to thousands of IoT products through common default passwords to launch an attack that overwhelmed servers leaving much of the internet inaccessible on the US east coast.

Digital Infrastructure Minister Matt Warman said: “This is a significant step forward in our plans to help make sure smart products are secure and people’s privacy is protected. I urge organisations to respond to these proposals so we can make the UK the safest place to be online with pro-innovation regulation that inspires consumer confidence in our tech products. People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cyber criminals.”

Dr Ian Levy, Technical Director at the NCSC, said: “People are at risk because fundamental security flaws in their connected devices are often not fixed – and manufacturers need to take this seriously. We would encourage all consumer device manufacturers to make their views heard and help us ensure the technology people bring into their homes is as safe and secure as possible.”