Smartphones will be included in the scope of a planned “security by design” U.K. law aimed at beefing up the security of consumer devices, the government said today. It announced in its response to a consultation on legislative plans aimed at tackling some of the laxest security practices long-associated with the Internet of Things (IoT). The government introduced a security code of practice for IoT device manufacturers in 2018 — but the forthcoming legislation is intended to build on that with a set of legally binding requirements.
A draft law was aired by ministers in 2019 — with the government focused on IoT devices, such as webcams and baby monitors, which have often been associated with the most egregious device security practices. Its plan now is for virtually all smart devices to be covered by legally binding security requirements, with the government pointing to research from consumer group “Which?” that found that a third of people kept their last phone for four years, while some brands only offer security updates for just over two years. The forthcoming legislation will require smartphone and device makers like Apple and Samsung to inform customers of the time a device will receive software updates at the point of sale.
It will also ban manufacturers from using universal default passwords (such as “password” or “admin”), which are often present in a device’s factory settings and easily guessable — making them meaningless in security terms. California already passed legislation banning such passwords in 2018, with the law coming into force last year. Under the incoming U.K. law, manufacturers will also be required to provide a public point of contact to simplify anyone to report a vulnerability. The government said it would introduce legislation as soon as parliamentary time allows.
Commenting in a statement, digital infrastructure minister Matt Warman added: “Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a significant number still run older software with holes in their security systems. “We are changing the law to ensure shoppers know how long products are supported with essential security updates before they buy. By banning easily guessable default passwords, we are making devices harder to break into.
“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.” A DCMS spokesman confirmed that the law or derivative products would not cover laptops, PCs, and tablets with no cellular connection. Although he added that the intention is for the scope to be adaptive to ensure the law can keep pace with new threats that may emerge around devices.
