The government has introduced a “new world-leading law” to ensure consumers are better protected from hackers on their phones, smart TVs, fitness trackers, tablets and other devices that connect to the internet.
Research has shown that as many as four in five manufacturers in the UK do not put appropriate security measures in place. Products capable of connecting to the internet include things you may not immediately think of, such as speakers, thermostats, printers and toys. The law will prevent the sale in the UK of any such items that do not meet the required security standards.
The ownership of devices capable of connecting to the internet has risen massively in recent years, with an average of ten devices per household. Some forecasts suggest there could be up to 50 billion devices worldwide by the year 2030. An investigation by Which? found that the average home could be exposed to over 12,000 scanning or hacking attacks in a week.
The UK’s National Cyber Security Centre says that it dealt with 777 incidents in the last 12 months, an unprecedented number. It also reports an increase in ransomware attacks and significant global incidents.
In 2017 data was stolen from a North American casino where the attackers gained access through an internet-connected fish tank, showing that the most innocuous items can be a security risk.
The Bill is called the Product Security and Telecommunications Infrastructure Bill, and it has been introduced to Parliament.
The law would allow the government to:
- ban universal default passwords;
- force firms to be transparent with customers about the action they are taking to fix security flaws;
- create a system for the public to report any vulnerabilities found in products.
The Bill would also mean that faster and more reliable broadband could be rolled out more quickly, by making it easier for operators to upgrade and share infrastructure. Quicker, more collaborative negotiations with the landowners who host the equipment would be encouraged, with the aim of reducing the occasions on which court action is taken and developments are held up.
The Bill applies to connectable products, meaning items that are capable of connecting to the internet. Such items include smartphones, smart TVs, baby monitors, security systems, voice-activated assistants and smart home appliances. Devices that connect to other devices but not directly to the internet are also included, for example smart light bulbs and fitness trackers.
Second-hand products will not be included, as this would be impractical and would place obligations on businesses and consumers that would outweigh the benefits. Desktops and laptops are already served by an antivirus software market and have built-in security features, so they are not within scope.
A ban would be introduced on easy-to-guess or default passwords, such as admin or 123456, that are preloaded on devices and targeted by hackers. All new devices will have to be provided with a unique password and must not be capable of being restored to a universal factory setting.
Manufacturers would be required to tell customers about the minimum length of time that a product would receive security updates and patches at the point of sale. Alternatively, customers must be told if a product does not come with security updates. This would mean that customers would know when and if any items they bought would become vulnerable.
Manufacturers would also be required to provide a public point of contact to make it easier to report flaws and bugs in a product.
In-scope businesses will have a duty to investigate compliance failures and to produce records and statements of compliance.
The new regime will be overseen by a regulator who will have the power to impose financial penalties for non-compliance. The maximum fine will be £10 million or four per cent of global turnover, as well as up to £20,000 per day in an ongoing contravention.
The regulator will also be able to issue notices to companies requiring the recall of products, prohibiting the sale or supply of products, or requiring them to comply with security requirements.
How can we help?
We ensure we keep up to date with any changes in legislation and case law so that we are always best placed to advise you properly. If you would like to discuss any aspect of your case, please contact our Crime Team on 01743 248545 or firstname.lastname@example.org.
[Image: © Adrian Pingstone]