Smartphones will be included in the scope of a planned “security by design” U.K. law aimed at beefing up the security practices long associated with the Internet of Things (IoT). The government introduced a code of practice for IoT device manufacturers in 2018 — but the forthcoming legislation is intended to build on that with a set of legally binding requirements, the government said today. It announced this in its response to a consultation on legislative plans aimed at tackling some of the laxest
A draft law was aired by ministers in 2019 — with the government focused on IoT devices, such as webcams and baby monitors, which have often been associated with the most egregious device security practices. Its plan now is for virtually all smart devices to be covered by legally binding for just over two years. The forthcoming legislation will require smartphone and device makers like Apple and Samsung to inform customers, at the point of sale, of the length of time a device will receive security updates.
It will also ban manufacturers from using universal default passwords (such as “password” or “admin”), which are often present in a device’s factory settings and easily guessable — making them meaningless in security terms. California already passed legislation banning such passwords in 2018, with the law. Under the incoming U.K. law, manufacturers will also be required to provide a public point of contact to make it simpler for anyone to report a vulnerability. The government said it would introduce legislation as soon as parliamentary time allows.
Commenting in a statement, digital infrastructure minister Matt Warman added: “Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a significant number still run older software with holes in their security systems. “We are changing the law to ensure shoppers know how long products are supported with essential security harder to break into.
“The reforms, backed by, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.” A DCMS spokesman confirmed that the law or derivative products would not cover laptops, PCs, and tablets with no cellular connection, although he added that the intention is for the scope to be adaptive, to ensure the law can keep pace with new threats that may emerge around devices.