From wearables to home appliances, internet-connected smart devices are rapidly changing the way we live. The average consumer may not be losing much sleep over the prospect of their shiny new digital companion being hacked, but recent UK government proposals suggest that legislative reform is needed to protect users of these devices from threats to their privacy and safety.
The Department for Digital, Culture, Media and Sport, together with the National Cyber Security Centre, recently issued a policy paper and call for views seeking industry comments on proposals for enhanced security standards for consumer smart devices sold in the UK. In an attempt to “establish a consistent, future-proofed cyber security baseline”, the proposals cover traditional connected devices such as smartphones, laptops and PCs in addition to more innovative Internet of Things (IoT) products. The deadline for responses is 6 September 2020.
According to the policy paper, smart devices are frequently a weak link in home networks, creating vulnerabilities that can be exploited by cyber criminals. Users may assume these devices are “safe by default”, but the prevalence of standard factory-set passwords and outdated software suggests that many manufacturers are failing to incorporate even basic cyber security precautions into their products.
The measures on which views are invited include three core security requirements aligned with the recently issued European Standard (EN) 303 645 v2.1.1 on IoT Cyber Security, namely:
1. a ban on universal default passwords in consumer smart devices;
2. implementation of clear and accessible mechanisms for reporting security vulnerabilities to manufacturers; and
3. transparency as to the minimum period of time for which consumer smart devices will receive security updates.
In line with the UK’s existing product safety regime, “producers” (including manufacturers and importers) would be prohibited from supplying smart devices in the UK unless the security requirements are satisfied, while “distributors” (including retailers and online marketplaces) would have a duty of care to ensure that the products they make available meet the same standards. The indicative penalties and corrective measures range from compliance notices to suspension of sales and fines.
The call for views forms part of a broader focus on enhancing protections around IoT at both UK and EU level. The UK government published its Code of Practice for IoT Security in October 2018 and a consultation response on this subject in January 2020. In addition, the European Commission has recently launched a sector inquiry into the competition law implications of smart devices.
These initiatives are a timely reminder that, as innovative and life-changing as smart devices may be, neither consumers nor manufacturers can afford to be complacent about the challenges they pose.
Consumers overwhelmingly assume that the products available in store and online are safe by default; the reality is that a number of insecure consumer smart products remain stocked on our shelves.