The UK Government has announced “groundbreaking” plans to protect consumers using smart devices from cyber attacks. As sales in smart devices soar (up 49% since the start of the coronavirus pandemic) cyber criminals become more adept at exploiting their security weaknesses. Many remain vulnerable to attack, and just one vulnerable device can jeopardise a whole network – illustrated by the now infamous 2017 North American casino attack, where an internet connected fish tank allowed hackers to steal data.
New law with security requirements
The Government has confirmed, in the response to its July 2020 consultation (see our blog on the consultation) that it is planning a new law to ensure that the majority of smart devices meet new requirements. It will prevent ‘relevant economic actors’ (manufacturers etc.) from making products available in the UK unless they comply with certain security requirements or alternatively with designated standards, and require them to publish a declaration of conformity. Wholesalers and retailers will also have a role to play.
The security requirements will align with international standards and, the Government states, will therefore be “familiar to all manufacturers and other relevant parties across the industry.” They have been derived from the top three guidelines from the Code of Practice for Consumer IoT and key provisions within ETSI European Standard (EN) 303 645 and will:
- ban manufacturers from using easily guessable universal default passwords, such as ‘password’ or ‘admin’, that are often present in a device’s factory settings
- require manufacturers to provide a public point of contact to make it simpler for anyone to report software bugs or vulnerabilities that can be exploited by hackers. Currently only one in five global manufacturers have a process in place to allow security researchers to report vulnerabilities; and
- ensure manufacturers say when smart devices (such as smart phones, speakers and doorbells) will stop receiving security software updates (and customers must be informed of this at the point of sale).
The rules may also be adapted if required as a result of a changing regulatory, technological or threat landscape.
What is in scope?
The regulation will apply to all consumer connected products (e.g. smart speakers, smart phones and connected doorbells) and their associated services (e.g. 3rd party apps that run on a device, such as Netflix on a smart TV). However, a number of devices, including laptops and tablets without cellular connection, will be exempt due to the specific circumstances of how they are constructed and secured. Again, however, the scope of this may be adjusted if required.
There will be an enforcement body equipped with powers to investigate allegations of non-compliance and to take steps to ensure compliance. However, who it will be and what powers it will have remains unclear. The Government response just states that it will have the power to issue corrective measures, sanctions and (potentially in the most serious cases) criminal proceedings.
What steps can you take now?
Timing on when the new rules will come into force remains unclear. The legislation will be introduced “when parliamentary time allows” and the Government has suggested that there will be a grace period to allow manufacturers and other relevant economic actors to adjust their business practices before non-compliance is actively enforced. However, it goes on to urge manufacturers that have not done so already to implement security measures in line with the intended requirements now, using available guidance such as the Consumer IoT Security Guidance and Oxford Information Labs, as necessary. The Government also previously published its own code of practice for consumer IoT security in 2018.