Default passwords for internet-connected devices will be banned, and firms which do not comply will face huge fines.
In 2017, for example, hackers stole data from a US casino via an internet-connected fish tank. There have also been reports of people accessing home webcams and speaking to family members.
While there are strict rules about protecting people from physical harm – such as overheating, sharp components or electric shocks – there are no such rules for cyber-breaches.
The new regime
The Product Security and Telecommunications Infrastructure Bill lays out three new rules:
- easy-to-guess default passwords preloaded on devices are banned. All products now need unique passwords that cannot be reset to factory default
- customers must be told when they buy a device the minimum time it will receive vital security updates and patches. If a product doesn’t get either, that must also be disclosed
- security researchers will be given a public point of contact to point out flaws and bugs
The new regime will be overseen by a regulator, which will be appointed once the bill comes into force. It will have the power to fine companies up to £10m or 4% of their global turnover, as well as up to £20,000 a day for ongoing contraventions.
Its scope covers a range of devices, including smartphones, routers, security cameras, games consoles, home speakers, and internet-enabled white goods and toys.
But it does not include vehicles, smart meters and medical devices. Desktop and laptop computers are also not in its remit.
The first step
One expert said that it was an important “first step”.
Cyber-criminals are increasingly targeting products from phones and smart TVs, to home speakers and internet-connected dishwashers. Hackers who can access one vulnerable device can then go on to access entire home networks and steal personal data.
Ken Munro, from security firm Pen Test Partners, has highlighted many vulnerabilities in internet-connected devices. He told the BBC that the legislation was “a big step in the right direction”.
“However, it’s important that government acknowledges that this is just the first step. These laws will need continual improvement to address more complex security issues in smart devices,” he said.
A separate piece of legislation which got Royal Assent last week – the Telecommunications (Security) Act – will give Ofcom new powers to monitor the security of telecoms networks. Fines of up to 10% of turnover or £100,000 a day can be issued for those that fail to meet standards.
The government described it as “a significant step” to protect the UK from hostile activity by both state actors and criminals.