The UK Govt. seeks to ban universal default passwords, force companies to be more transparent about fixing security flaws & introduce big fines for failure to comply.
The Product Security & Telecommunications Infrastructure Bill, introduced to the UK Parliament, is drafted to better protect consumers from attacks by malicious hackers on their phones, tablets, smart TVs, fitness trackers, & other internet of things (IoT) devices.
“Everyday hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it is safe & secure. Yet many are not, putting too many of us at risk of fraud & theft.
Our Bill will put a firewall around everyday tech from phones & thermostats to dishwashers, baby monitors & doorbells, & see huge fines for those who fall foul of tough new security standards,” Minister for Media, Data & Digital Infrastructure Julia Lopez is explained in a press release.
The Bill applies to products that can access the internet, e.g. game consoles, security cameras, alarm systems, baby monitors, & many others.
The Govt. intends to exempt products, such as vehicles, smart meters, electric vehicle charging points, & medical devices, as they would become subject to double regulation, which would not lead to increased security.
Desktop & laptop computers are also not in scope as they are “served by a mature antivirus software market, unlike smart speakers & other emerging consumer tech.”
A new law will require manufacturers, importers, & distributors to meet new cyber-security standards.
It will allow the Govt. to ban universal default passwords, force companies to be more transparent with consumers about vulnerabilities & patches & create a better public reporting system for flaws discovered in various products.
States the press release, on average, there are 9 connected tech products in every household.
Consumers wrongfully assume they are safe, when in fact, recent research by Which? found that a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week.
New Law Proposals:
- A ban on easy-to-guess default passports that come preloaded on devices – such as ‘password’ or ‘admin’ – which are a target for hackers. All passwords that come with new devices will need to be unique & not resettable to any universal factory setting.
- A requirement for connectable product manufacturers to tell customers at the point of sale & keep them updated about the minimum amount of time a product will receive vital security updates & patches. If a product does not come with security updates, that must be disclosed.
This will increase people’s awareness about when the products they buy could become vulnerable so they can make better-informed purchasing decisions. Nearly 80% of these firms do not have any such system in place.
- New rules that require manufacturers to provide a public point of contact to make it simpler for security researchers & others to report when they discover flaws & bugs in products.
Companies that will not abide by the law could face a fine of up to £10m or 4% of their global turnover, as well as up to £20k a day in the case of an ongoing contravention.
The new law will apply to manufacturers, physical shops, & online retailers, who will be forbidden from selling products to UK customers unless they meet the security requirements & will be required to pass essential information about security updates on to customers.