The UK Government is to introduce legislation that, it says, will impose three rigorous security requirements on all consumer IoT devices.
Specifically, these are:
- All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting;
- Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and they will be required to act on the information in a timely manner;
- Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online.
Legislation has yet to be drafted. The decision is spelt out in the Government’s response to a consultation on regulatory proposals on consumer IoT security and follows plans for legislation announced in May 2019.
The consultation, which ran from May to June 2019, set out the need to restore transparency in the market, particularly between manufacturers and consumers, by ensuring that information about which security requirements are built into products is communicated more clearly.
The UK already has in place a voluntary code of practice for consumer IoT devices, but the minister for digital and broadband, Matt Warman, said decisive action was needed to ensure that strong cyber security is built into consumer IoT products by design.
“Citizens’ privacy and safety must not be put at risk because some manufacturers will not take responsibility for ensuring that security is built into their products before they reach UK consumers,” he said.
Steps to legislation
To develop the legislation the government says it will conduct further stakeholder engagement to develop its regulatory options based on the top three guidelines in the existing voluntary Code of Practice and the ETSI TS 103 645 standard. This standard was issued in February 2019 and billed as the first globally applicable standard for consumer IoT security.
In the interim the UK government says it will be embedding and encouraging the adoption of the ETSI TS 103 645 standard and working on greater transparency.
It will also undertake further work to determine the most appropriate way to communicate security information to consumers.
“This will involve examining an alternative option to the labelling scheme whereby retailers would be responsible for providing information to the consumer at the point of sale (both online and in stores) … because we want to ensure that those who manufacture, develop and stock IoT devices are clear and transparent with those that purchase them, sharing important information about the cyber security of these devices,” the government said.