UK’s IoT ‘security by design’ law will cover smartphones too
Smartphones will be included in the scope of a planned “security by design” U.K. law aimed at beefing up the security of consumer devices, the government said today.
It made the announcement in its response to a consultation on legislative plans aimed at tackling some of the most lax security practices long-associated with the Internet of Things (IoT).
The government introduced a security code of practice for IoT device manufacturers back in 2018 — but the forthcoming legislation is intended to build on that with a set of legally binding requirements.
A draft law was aired by ministers in 2019 — with the government focused on IoT devices, such as webcams and baby monitors, which have often been associated with the most egregious device security practices.
Its plan now is for virtually all smart devices to be covered by legally binding security requirements, with the government pointing to research from consumer group “Which?” that found that a third of people kept their last phone for four years, while some brands only offer security updates for just over two years.
The forthcoming legislation will require smartphone and device makers like Apple and Samsung to inform customers of the duration of time for which a device will receive software updates at the point of sale.
It will also ban manufacturers from using universal default passwords (such as “password” or “admin”), which are often preset in a device’s factory settings and easily guessable — making them meaningless in security terms.
California already passed legislation banning such passwords in 2018 with the law coming into force last year.
Under the incoming U.K. law, manufacturers will additionally be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.
The government said it will introduce legislation as soon as parliamentary time allows.
Commenting in a statement, digital infrastructure minister Matt Warman added: “Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems.
“We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.
“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”
A DCMS spokesman confirmed that laptops, PCs and tablets with no cellular connection will not be covered by the law, nor will secondhand products. Although he added that the intention is for the scope to be adaptive, to ensure the law can keep pace with new threats that may emerge around devices.