


24 Nov 2021

UK government announces crackdown on insecure products

The move follows many Which? investigations highlighting smart products on sale that put your privacy and security at risk

Smart products including TVs, smartphones, speakers and toys will have to be sold with basic security protections against hackers under a new law announced by the government.

The law - called the Product Security and Telecommunications (PSTI) bill - will aim to prevent the sale of insecure connected consumer products in the UK, and includes fines of up to £10m for manufacturers, importers and distributors that fail to comply with the requirements.

A recent Which? investigation discovered how online marketplaces could be flooded with insecure products.


Smart devices booming, and so are security threats

We are all buying more smart products, with the average UK household now having more than nine connected devices.

Despite consumers largely assuming that any connected products on sale are secure, just one in five manufacturers apply basic security requirements for their connected products, according to government research.

Cybercriminals are increasingly targeting our smart devices for fraud, surveillance and other malicious purposes.

In July 2021, we filled a home with smart devices and it was bombarded with more than 12,000 hacking or unknown scanning attacks in a single week. This included a camera that was successfully hacked using a default password and the video feed accessed to spy on us.

New rules governing passwords, updates and disclosure

While products must comply with a range of rules to prevent them from causing physical harm, no similar requirements are in place to protect you from security or privacy threats.

The PSTI bill has three core measures designed to raise security standards:

  • Default passwords: As we found in July, smart products with weak default passwords, such as 'admin', can be easily hacked. Under the new legislation all devices will have to ship with unique passwords that cannot be reset to any universal factory setting.
  • Vulnerability disclosure: All manufacturers must have a clear point of contact so that security researchers or campaign groups, such as Which?, can report any vulnerabilities found with their products.
  • Software updates: Updates are vital because they enable companies to fix security vulnerabilities and generally maintain the products you buy over a longer period of time. Now, manufacturers will have to tell you, at the point where you are considering a purchase, the minimum period for which a product will receive security updates.

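As an added illustration of the default-password measure (this is not code from Which? or from the bill), the following Python provisions a unique credential per device, regenerates it on factory reset instead of restoring a universal value, and audits a constructed fleet for the shared or weak defaults such as 'admin' that the July investigation found; the names WEAK_DEFAULTS, Device and audit_fleet are assumptions for this example.

```python
import secrets
import string
from dataclasses import dataclass, field

# Constructed list of universal defaults an audit should flag.
WEAK_DEFAULTS = {"admin", "password", "1234", "12345678"}


@dataclass
class Device:
    serial: str
    password: str = ""
    history: list = field(default_factory=list)  # previous credentials


def provision_password(length: int = 16) -> str:
    """Generate a per-device credential from a CSPRNG at manufacture time."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def factory_reset(device: Device) -> Device:
    """Reset must issue a fresh unique credential, never a universal one."""
    device.history.append(device.password)
    device.password = provision_password()
    return device


def audit_fleet(devices: list) -> list:
    """Return (serial(s), finding) pairs for weak or shared default passwords."""
    findings = []
    seen = {}
    for d in devices:
        if d.password.lower() in WEAK_DEFAULTS:
            findings.append((d.serial, "weak universal default"))
        seen.setdefault(d.password, []).append(d.serial)
    for serials in seen.values():
        if len(serials) > 1:  # the same default on several units
            findings.append((tuple(serials), "shared default password"))
    return findings


if __name__ == "__main__":
    # Constructed fleet: two units shipped with 'admin', one provisioned properly.
    fleet = [Device("SN1", "admin"), Device("SN2", "admin"),
             Device("SN3", provision_password())]
    for finding in audit_fleet(fleet):
        print(finding)
```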
A new regulator will be appointed to oversee the new rules, and will have the power to fine companies for non-compliance up to £10 million or four per cent of their global turnover.

Alongside product manufacturers, the rules also apply to in-store and online retailers, which could be forbidden from selling products to UK customers unless those products meet the required security standards and the retailers pass on important information, such as the software update period, to consumers.

What's in scope of the new law?

The Bill applies to all connected products that can access the internet to function, including smartphones, smart TVs, security cameras, baby monitors and more.

It also applies to smart devices that don't connect to the internet directly but instead use a hub or bridge to get online, such as a smart light bulb or wearable fitness tracker.

Exempt from the law are laptop and desktop computers, as they have various options for malware and virus protection, along with connected cars, smart meters, electric vehicle charging points and medical devices.

The government has also said it will not currently regulate the security of second-hand smart devices, but the Bill gives ministers the power to extend the scope at a later date to include them.

Minister for Media, Data and Digital Infrastructure Julia Lopez said: 'Every day hackers are making attempts to worm their way into our smart devices. Most of us assume if it's for sale, it's safe. Yet many are not, which has caused countless lives to be ruined by fraud and theft.

'Our Bill will put a firewall around everyday tech from phones and thermostats to dishwashers and doorbells, and see huge fines for those who fall foul of tough new security standards.'

Rocio Concha, Which? Director of Policy and Advocacy, said: 'Which? has worked with successive governments on how to crack down on a flood of poorly-designed and insecure products that leave consumers vulnerable to cyber-criminals - so it is positive that this Bill is being introduced to parliament.

'The government needs to ensure these new laws apply to online marketplaces, where Which? has frequently found security-risk products being sold at scale, to prevent people from buying smart devices that leave them exposed to scams and data breaches.'

Use our free security tools to find out how long devices like mobile phones, laptops and routers will continue to receive important security updates.