
UK’s IoT ‘security by design’ law will cover smartphones too

Natasha Lomas
Senior Reporter, TechCrunch
April 20, 2021

New U.K. Law to Enhance Security of Consumer Devices

The U.K. government has announced that smartphones will be included within the scope of a new “security by design” law. This legislation aims to significantly improve the security standards of consumer devices.

Addressing IoT Security Concerns

This announcement follows a consultation regarding legislative plans designed to address longstanding security vulnerabilities commonly found in Internet of Things (IoT) devices. A security code of practice for IoT manufacturers was initially introduced in 2018.

However, the upcoming legislation intends to reinforce these guidelines with legally enforceable requirements. Initial drafts, presented in 2019, primarily focused on devices like webcams and baby monitors, which have historically exhibited poor security practices.

Expanding Scope to All Smart Devices

The government now plans to extend legally binding security requirements to encompass nearly all smart devices. This decision is supported by research from “Which?” indicating that a substantial portion of consumers—approximately one-third—retain their phones for at least four years.

Conversely, some manufacturers only provide security updates for a little over two years. This discrepancy highlights a critical security gap.

Mandatory Update Information and Password Restrictions

The new law will mandate that companies such as Apple and Samsung disclose the duration of software update support to customers at the point of purchase. This will empower consumers to make informed decisions.

Furthermore, the legislation will prohibit the use of universal default passwords—like “password” or “admin”—which are frequently pre-set and easily compromised. California enacted a similar ban in 2018, with the law taking effect last year.

Vulnerability Reporting and Implementation

Manufacturers will also be obligated to establish a publicly accessible point of contact for reporting security vulnerabilities. This will streamline the process for individuals to report potential issues.

The government intends to introduce this legislation as soon as parliamentary schedules permit.

Ministerial Statement on Enhanced Security

Digital infrastructure minister Matt Warman stated that phones and smart devices represent a valuable target for hackers seeking to steal data. He emphasized that many devices still operate with outdated software containing security flaws.

Warman explained that the law change will ensure consumers are aware of the length of security support before purchasing a product. It will also make devices more resistant to intrusion by eliminating easily guessed default passwords.

He added that these reforms, supported by global tech associations, will disrupt criminal activity and contribute to a safer digital environment.

Scope of the Legislation

A DCMS spokesman clarified that laptops, PCs, and tablets without cellular connectivity will not be covered by this law. Secondhand products are also excluded.

However, the intention is to maintain an adaptable scope, ensuring the legislation can address emerging threats related to new devices as they arise.

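  • Key takeaway: The law aims to make devices more secure by requiring manufacturers to disclose how long software updates will be provided, banning universal default passwords, and mandating a public point of contact for vulnerability reports.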
  • Impact: Consumers will have more information to make informed purchasing decisions.