UK government introduces IoT security laws
- May 1, 2024
- Steve Rogerson
The UK has become the first country to introduce mandatory IoT security laws in a bid to protect consumers from cyber criminals.
From this week, regulations enforcing consumer protections against hacking and cyber-attacks take effect, requiring by law that internet-connected smart devices meet minimum security standards.
Manufacturers of products such as phones, TVs and smart doorbells are now required to meet minimum security standards against cyber threats. Consumers should benefit from the ban on easily guessable default passwords.
Manufacturers will be legally required to protect consumers by preventing hackers and cyber criminals from gaining access to devices with internet or network connectivity, from smartphones to games consoles and connected fridges.
Under the regime, manufacturers are banned from shipping devices with weak, easily guessable default passwords such as ‘admin’ or ‘12345’; where a device does carry a common password, the user will be prompted to change it on start-up.
This will help prevent threats such as the damaging Mirai attack of 2016, in which 300,000 smart products were compromised through weak security features and used to attack major internet platforms and services, disrupting internet access across much of the US east coast. Since then, similar attacks on UK banks, including Lloyds and RBS, have caused disruption to customers.
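The two practical consequences of the default-password rule for a manufacturer are a factory password that is neither common nor shared across every unit, and a start-up flow that refuses to proceed until a weak one is replaced. The following is an added illustration of that logic, not code from the article, the UK government or any vendor; the denylist is constructed (only ‘admin’ and ‘12345’ come from the article), and all names (DENYLIST, is_weak_default, audit_fleet, provision_unit, FirstBootGate) are assumptions for illustration.

```python
"""Illustrative model of the default-password rule described above.

Added example; not code from the article, the UK government or any vendor.
All names here (DENYLIST, is_weak_default, audit_fleet, provision_unit,
FirstBootGate) are assumptions for illustration.
"""
import secrets
import string
from typing import Optional

# Constructed denylist. 'admin' and '12345' are the article's examples; the
# others are assumed members of the same class of common factory passwords.
DENYLIST = {"admin", "12345", "123456", "password", "root", "guest", "default"}
ALPHABET = string.ascii_letters + string.digits


def _normalise(pw: str) -> str:
    """Lower-case and drop separator padding so 'Admin', 'ad-min' and 'admin '
    all match the denylist entry."""
    return pw.strip().lower().translate(str.maketrans("", "", "-_. "))


def is_weak_default(pw: str, min_len: int = 12) -> bool:
    """True if a factory password is common, too short or purely numeric."""
    return _normalise(pw) in DENYLIST or len(pw) < min_len or pw.isdigit()


def audit_fleet(fleet: dict[str, str]) -> dict[str, str]:
    """Map serial -> reason for every unit whose factory password would fail.

    'weak'   : the password trips is_weak_default
    'shared' : the same password is set on more than one unit, i.e. the
               'one password for every box' pattern that Mirai-style worms
               exploit by trying a short list against every host they find
    """
    counts: dict[str, int] = {}
    for pw in fleet.values():
        counts[pw] = counts.get(pw, 0) + 1
    findings: dict[str, str] = {}
    for serial, pw in fleet.items():
        if is_weak_default(pw):
            findings[serial] = "weak"
        elif counts[pw] > 1:
            findings[serial] = "shared"
    return findings


def provision_unit(serial: str, fleet: dict[str, str], length: int = 16) -> str:
    """Assign a random, per-unit factory password and record it in `fleet`.

    `secrets` gives CSPRNG output; the loop regenerates on the (negligible)
    chance of a weak string or a collision with an already-provisioned unit.
    """
    used = set(fleet.values())
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_weak_default(pw) and pw not in used:
            fleet[serial] = pw
            return pw


class FirstBootGate:
    """Login flow that forces a change whenever the unit still runs a weak
    factory password, matching the start-up prompt described in the article."""

    def __init__(self, factory_password: str):
        self.current = factory_password
        self.changed = False

    def must_change(self) -> bool:
        return is_weak_default(self.current) and not self.changed

    def login(self, supplied: str, new_password: Optional[str] = None) -> str:
        """Return 'denied', 'change-required' or 'ok'."""
        # Constant-time comparison; the factory password is still a secret.
        if not secrets.compare_digest(supplied.encode(), self.current.encode()):
            return "denied"
        if self.must_change():
            # Refuse to leave the gate until the replacement is itself acceptable.
            if (new_password is None or is_weak_default(new_password)
                    or new_password == self.current):
                return "change-required"
            self.current = new_password
            self.changed = True
        return "ok"


if __name__ == "__main__":
    # Constructed fleet: two units on 'admin' and two sharing one good-looking
    # password. Both patterns fail the audit for different reasons.
    legacy = {"SN0001": "admin", "SN0002": "admin",
              "SN0003": "Hunter2-Camera-2019", "SN0004": "Hunter2-Camera-2019"}
    print(audit_fleet(legacy))
    compliant: dict[str, str] = {}
    for sn in ("SN1001", "SN1002", "SN1003"):
        provision_unit(sn, compliant)
    print(audit_fleet(compliant))
```

The audit deliberately reports a shared password as a finding even when it would pass the strength check on its own: a long password stamped on every unit of a model is exactly what lets a worm compromise a whole product line once one copy leaks.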
Recent figures show 99% of UK adults own at least one smart device and UK households own an average of nine connected devices. An investigation conducted by Which? showed that a home filled with smart devices could be exposed to more than 12,000 hacking attacks from across the world in a single week, with a total of 2,684 attempts to guess weak default passwords on just five devices.
“As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater,” said Viscount Camrose, UK government minister for cyber. “Consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world-first laws that will make sure their personal privacy, data and finances are safe. We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world.”
Data and digital infrastructure minister Julia Lopez added: “This marks a new era where consumers can have greater confidence that their smart devices, such as phones and broadband routers, are shielded from cyber threats, and the integrity of personal privacy, data and finances better protected. Our pledge to establish the UK as the global standard for online safety takes a big step forward with these regulations, moving us closer to our goal of a digitally secure future.”
With 57% of households owning a smart TV, 53% owning a voice assistant and 49% owning a smart watch or fitness wristband, this regime reinforces the government’s commitments to addressing these threats to society and the economy head on.
The laws are coming into force as part of the Product Security & Telecommunications Infrastructure (PSTI) regime, which has been designed to improve the UK’s resilience to cyber-attacks and ensure malign interference does not impact the wider UK and global economy.
The measures will also introduce a series of improved security protections to tackle the threat of cyber-crime:
- Common or easily guessable passwords such as ‘admin’ or ‘12345’ will be banned to prevent vulnerabilities and hacking
- Manufacturers will have to publish contact details so bugs and issues can be reported and dealt with
- Manufacturers and retailers will have to be open with consumers on the minimum time they can expect to receive important security updates
The UK government collaborated with industry leaders to introduce these protections, which also require manufacturers to publish information on how to report security issues, so that problems can be addressed faster. In addition, consumers and cyber-security experts can play an active role in protecting themselves and society from cyber criminals by reporting any products that do not comply to the Office for Product Safety & Standards (OPSS).
“The use and ownership of consumer products that can connect to the internet or a network is growing rapidly,” said OPSS chief executive Graham Russell. “UK consumers should be able to trust that these products are designed and built with security in mind, protecting them from the increasing cyber threats to connectable devices. As the UK’s product regulator, OPSS will be ensuring consumers can have that confidence by working with the industry to encourage innovation and compliance with these new laws.”
The government is beginning the legislative process for certain automotive vehicles to be exempt from the product security regulatory regime, as they will be covered by alternative legislation.
The new laws are part of the government’s £2.6bn National Cyber Strategy (www.gov.uk/government/publications/national-cyber-strategy-2022) to protect and promote the UK online.