The UK government wants to legislate for better IoT security. After a period of consultation, it wants rules that ensure
- All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting
- Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
- Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online
The sale of connected devices is on the rise. Research suggests there will be 75 billion internet connected devices, such as televisions, cameras, home assistants and their associated services, in homes around the world by the end of 2025, it says.
Digital Minister Matt Warman says that the plans, drawn up by the Department for Digital, Culture, Media and Sport (DCMS), will make sure all consumer smart devices sold in the UK adhere to the three rigorous security requirements for the Internet of Things (IoT).
"UK should be the safest place to be online with pro-innovation regulation that breeds confidence in modern technology. Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built in from the design stage and not bolted on as an afterthought."
The measures were developed in conjunction with the business industry and the National Cyber Security Centre and set a new standard for best practice requirements for companies that manufacture and sell consumer smart devices or products.
Following on from the consultation, Government’s ambition is to further develop legislation that effectively protects consumers, is implementable by industry and supports the long term growth of the IoT. Government aims to deliver this legislation as soon as possible.