New regulations came into force on 29 April 2024 requiring that internet-connected smart devices meet minimum security standards.
Why is this needed? An investigation conducted by Which? showed that a home filled with smart devices could be exposed to more than 12,000 hacking attempts from across the world in a single week, including a total of 2,684 attempts to guess weak default passwords on just five devices.
The laws are coming into force as part of the Product Security and Telecommunications Infrastructure (PSTI) regime, which has been designed to improve the UK’s resilience to cyber-attacks and aims to ensure that malign interference does not affect the wider UK and global economy.
Manufacturers will be legally required to protect consumers by preventing hackers and cyber criminals from accessing devices with internet or network connectivity - from smartphones to games consoles and connected fridges. The UK appears to be the first country to introduce such laws.
The new measures introduce a series of improved security protections to tackle the threat of cyber-crime:
- Common or easily guessable passwords such as ‘admin’ or ‘12345’ will be banned, closing off the weak-default-password attacks described above
- Manufacturers will have to publish contact details so that security bugs and issues can be reported and dealt with
- Manufacturers and retailers will have to be transparent with consumers about the minimum period for which they can expect to receive important security updates
Non-compliance carries a maximum penalty of £10 million or 4% of the company’s worldwide revenue. For more information, see our previous article.
The government is beginning the legislative process for certain automotive vehicles to be exempt from the product security regulatory regime, as they will be covered by alternative legislation.
The Department for Science, Innovation and Technology (DSIT) has laid the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2024 to provide for these exemptions.
The draft regulations also clarify that where a manufacturer of relevant connectable products extends the minimum period for which security updates for those products will be provided, the new minimum period must be published as soon as is practicable.