So-called smart products, such as smart speakers, kitchen appliances and cameras, are increasingly used by consumers. Concerns have been raised that cyber-attackers can easily hack these products to steal personal data, spy on users and at times take control of the products remotely. This can involve hijacking the devices to stage follow-up attacks as part of what is known as a "botnet".
In the 2016 Mirai botnet attack, hackers gained access to thousands of smart products through common default passwords and launched an attack that overwhelmed servers, leaving much of the internet inaccessible on the US east coast.
The DCMS has now published a call for evidence setting out the UK government's plans for improving the cyber security of consumer smart products sold in the UK. The DCMS says that the desired outcome of these proposals is that no product within scope should be supplied or made available to consumers on the UK market if it does not comply with three security requirements.
The three requirements are:
- Device passwords must be unique and not resettable to any universal factory setting;
- Manufacturers must provide a public point of contact so anyone can report a vulnerability;
- Information stating the minimum length of time for which the device will receive security updates must be provided to customers.
Certain products will be excluded, such as smart meters, autonomous vehicles and medical devices.
The call for views also sets out the scope of the rules, what industry will need to do to comply with the new laws and an overview of industry guidance to be produced, as well as information on potential powers granted to the enforcement body. These could include powers to:
- Temporarily ban the supply or sale of the product while tests are undertaken;
- Permanently ban insecure products, if a breach of the regulations is identified;
- Serve a recall notice, compelling manufacturers or retailers to take steps to organise the return of the insecure product from consumers;
- Apply to the court for an order for the confiscation or destruction of a dangerous product;
- Issue a penalty notice imposing a fine directly on a business.
The call for evidence closes on 6 September 2020.