
New law proposed to help protect millions from unsecure smart devices

The UK government has introduced proposals to improve security for consumers, following half a decade of research by Which?

The government has introduced plans for legislation to improve the security standards of smart devices in the home, a welcome move that could help protect millions of users of internet-connected devices.

Which? has called the move a ‘critical first step’ towards safeguarding what are often poorly designed products that put user security and privacy at risk, and has worked closely with the DCMS (the Department of Culture, Media and Sport) since 2017 to help put these measures in place.

With sales of smart, connected devices on the rise (420 million internet-connected smart devices are expected to be in UK homes by 2021, and over 75 billion globally by 2025), it is crucial that standards are put in place to prevent malicious parties from benefiting from a veritable boom in technology that requires access to potentially sensitive user data.

How the new law could protect consumers

The plans, drawn up by the DCMS, detail three specific security requirements that Internet of Things (IoT) devices must adhere to:

  • Internet-connected, or ‘smart’, devices must include secure and unique default passwords that cannot be reset to any universal ‘factory settings’. This will help to ensure that a universal default password cannot be discovered by a hacker, who could potentially then gain access to hundreds, or even thousands, of devices.
  • Manufacturers of smart devices must be more accessible to both security researchers and customers, offering a public point of contact. This will allow users to report vulnerabilities, or have concerns addressed in a timely manner.
  • These same manufacturers must explicitly state the minimum amount of time security updates will be provided to their devices at the point of sale, whether this be in-store or online. This should allow consumers to make an informed purchasing decision about the lifetime of a secure IoT product.

The move follows the UK government’s voluntary code of practice – Secure by Design – which was launched for consumer IoT devices in 2018. Secure by Design is a code of practice that advocates for stronger security measures to be put in place on smart, connected devices at the design stage. It has been backed by tech companies like Centrica Hive, HP and most recently Panasonic.

Which? welcomes a ‘critical first step’

Which? has worked closely with the DCMS in recent years to raise awareness of security issues around smart devices and has long advocated the need for a more formal set of protocols to be put in place to protect consumers.

Caroline Normand, Which? Director of Advocacy, said:

‘Which?’s product testing has exposed serious security flaws with a number of products that fail the most basic of security tests – including wireless cameras and popular children’s smart toys – so regulation of mandatory security requirements must be a critical first step.

‘Strong enforcement will be essential, and manufacturers, online marketplaces and retailers must be held accountable in order to prevent security-risk products ending up in people’s homes.’

Which? research highlights flaws in smart devices

Over the past six years, Which? investigations into smart device security have highlighted the issues consumers face, and Which? has worked closely with the manufacturers of these products to report issues and help them improve their own standards.
