New law proposed to help protect millions from unsecure smart devices

The government has introduced plans for legislation to improve the security standards of smart devices in the home, a welcome move that could help protect millions of users of internet connected devices.

Which? has called the move a 'critical first step' towards safeguarding what are often poorly designed products that put user security and privacy at risk, and has worked closely with the DCMS - the Department of Culture, Media and Sport, since 2017 to help put these measures in place.

With sales of smart, connected devices on the rise - 420 million internet-connected smart devices are expected to be in UK homes by 2021, and over 75 billion globally by 2025, it is crucial that standards are put in place to prevent malicious parties from benefiting from a veritable boom in technology that requires access to potentially sensitive user data.

How the new law could protect consumers

The plans, drawn up by the DCMS, detail three specific security requirements that Internet of Things (IoT) devices must adhere to:

• Internet connected, or 'smart' devices, must include secure and unique default passwords, that cannot be reset to any universal 'factory settings'. This will help to ensure that a universal password default cannot be discovered by a hacker, who could potentially then gain access to hundreds, or even thousands, of devices.
• Manufacturers of smart devices must be more accessible to both security researchers and customers, offering a public point of contact. This will allow users to report vulnerabilities, or have concerns addressed in a timely manner.
• These same manufacturers must explicitly state the minimum amount of time security updates will be provided to their devices at the point of sale, whether this be in-store or online. This should allow consumers to make an informed purchasing decision about the lifetime of a secure IoT product.

The move follows the UK government's voluntary code of practice - Secure by Design - which was launched for consumer IOT devices in 2018. Secure by Design is a code of practice that advocates for stronger security measures to be put in place on smart, connected devices at the design stage. It has been backed by tech companies like Centrica Hive, HP and most recently Panasonic.

Which? welcomes a 'critical first step'

Which? has worked closely with the DCMS in recent years to raise awareness of security issues around smart devices and has long advocated the need for a more formal set of protocols to be put in place to protect consumers.

Caroline Normand, Which? Director of Advocacy, said:

'Which?'s product testing has exposed serious security flaws with a number of products that fail the most basic of security tests - including wireless cameras and popular children's smart toys - so regulation of mandatory security requirements must be a critical first step.

'Strong enforcement will be essential, and manufacturers, online marketplaces and retailers must be held accountable in order to prevent security-risk products ending up in people's homes.'

Which? research highlights flaws in smart devices

Over the past six years, Which? investigations into smart device security have highlighted the issues consumers face, as well as working closely with the manufacturers of these products to report issues and help them improve their own standards.

• In 2014 we asked 'is your TV watching you'?, exposing the potential vulnerabilities in smart TVs that may allow manufacturers to snoop on how you use the device in the home.
• A year later, a Which? probe discovered privacy concerns with the popular Hive thermostat, owned by British Gas. We discovered that the associated app was sharing data about usage patterns that could be intercepted by a third party. British Gas since updated its app following our report.
• A 2017 investigation into the 'hackable home' revealed how vulnerable smart devices, from CCTV cameras to cuddly toys, could leave your home open to hackers.
• In 2019 we exposed how cheap security cameras, widely available on websites like Amazon, contain critical security flaws, meaning they could easily allow a third party to spy on your home, or access your data.
• And late last year, in a follow-up to our 2017 investigation into smart toys, we revealed further flaws in these popular gifts, and called on the government again to bring an end to unsecure children's toys.