New laws introduced this week will protect consumers from attacks by hackers on their phones, tablets, smart TVs, fitness trackers and other internet-connectable devices.
Manufacturers, importers and distributors of digital tech now need to meet new cyber security standards – with fines for those who fail to comply.
The Product Security and Telecommunications Infrastructure Bill (PSTI) allows the government to ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products, and create a better public reporting system for vulnerabilities found in those products.
Julia Lopez, minister for media, data and digital infrastructure, said: “Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft.
“Our bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”
According to government figures, each household owns an average of nine connected tech products. People overwhelmingly assume these products are secure, but only one in five manufacturers has appropriate security measures in place for its connectable products.
Cyber criminals are increasingly targeting these products. A recent investigation by Which? found a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week.
In the first half of 2021, there were 1.5 billion attempted compromises of Internet of Things (IoT) devices, double the 2020 figure. The UK’s National Cyber Security Centre last week said it had dealt with an unprecedented number of cyber incidents over the past year.
Up until yesterday the makers of digital tech products only needed to comply with rules to stop devices causing people physical harm from issues such as overheating, sharp components or electric shock. But there was no regulation to protect consumers from harm caused by cyber breaches, which can include fraud and theft of personal data.
The new rules include a ban on easy-to-guess default passwords and a requirement for connectable product manufacturers to tell customers at the point of sale, and keep them updated, about the minimum amount of time a product will receive vital security updates and patches.
The laws also require manufacturers to provide a public point of contact to make it simpler for security researchers and others to report when they discover flaws and bugs in products.
Firms that break the rules can be fined up to £10m for non-compliance, as well as up to £20,000 a day in the case of an ongoing contravention.
Retailers will be forbidden from selling products to UK customers unless they meet the security requirements and will be required to pass important information about security updates on to customers.
The new law applies to ‘connectable’ products, which includes all devices that can access the internet – such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants and smart home appliances such as washing machines and fridges.
It also applies to products that can connect to multiple other devices but not directly to the internet. Examples include smart light bulbs, smart thermostats and wearable fitness trackers.