By Lucy Hooker
Business reporter, BBC News
Manufacturers will have to follow stricter rules if they want to sell “smart” gadgets in the UK after a new law came into effect.
It is designed to ensure there is better security around devices such as baby monitors, televisions and speakers that are linked to the internet.
These gadgets can pose a risk because cyber-criminals use them to hack into home networks and steal private data.
The government said the new law should give consumers “peace of mind”.
The risks have ballooned in recent years as our houses have filled with more and more web-linked devices – from games consoles to fitness trackers, doorbells and even dishwashers – also sometimes referred to as the “internet of things”.
Until now, manufacturers were expected to follow security guidelines, but the new law makes three new requirements:
- that password procedures are more secure, including ensuring that any passwords set by the manufacturer are not left blank and do not use easy-to-guess choices like “12345” or “admin”
- that there is clarity around how to report “bugs” or security problems that arise
- that manufacturers and retailers inform customers how long they will receive support, including software updates, for the device they are buying
Failure to meet these minimum requirements, known as the Product Security and Telecommunications Infrastructure (PSTI) regime, can trigger fines.
The government said the laws were a “world first” that would protect UK consumers and businesses and boost the country’s resilience against cybercrime.
The Department for Science, Innovation and Technology (DSIT) said more than half of UK households now had a smart TV and more than half had a voice assistant such as Alexa. It said homes contained an average of nine connected devices.
As well as basic broadband routers, that can include toys that are linked to the web, or home appliances such as radiators, ovens and fridges that can be controlled remotely.
However, since their adoption there has also been a proliferation of reports of hackers taking over such devices to misuse them, sometimes filming or recording covertly, spying on people, or stealing personal data.
Sarah Lyons, from the National Cyber Security Centre, said firms making the products needed to take responsibility.
“Businesses have a major role to play in protecting the public by ensuring the smart products they manufacture, import or distribute provide ongoing protection against cyber-attacks and this landmark Act will help consumers to make informed decisions about the security of products they buy,” she said.
Ken Munro, a security researcher for Pen Test Partners, a firm that carries out ethical hacking against smart devices, described the new law as “a step in the right direction”.
“It’s got teeth, which I love,” he said.
Previously it has been too easy for manufacturers to end support for older products as they rolled out new models, he said, and it would be useful for consumers to be able to compare how many years of support were promised for the product they are purchasing.
A longer support period suggested a manufacturer that was generally taking cyber-security seriously, he said.
“I think some device manufacturers at the bottom of the market might pay lip-service and do the bare minimum to make their products secure,” he said.
Rocio Concha, director of policy and advocacy at consumer group Which?, said the new law would give consumers “vital protections”.
But the Office for Product Safety and Standards should be prepared to “take strong enforcement action against manufacturers if they flout the law”, she added.