The UK Government has launched a new proposal to intorduce laws to govern the security aspects of internet connected consumer products and appliances (aka IoT devices). The proposed law is supposed to mandate a baseline of security requirements that all product manufacturers should adhere to and incorproate into their products.
The absolute minimum requirements which the newly proposed law will mandate are:
- IoT device passwords must be unique and not resettable to any universal factory setting;
- Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy;
- Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.
The law will mandate retailers “to not sell any products that do not adhere to the top three security requirements of the Code.”
“Many consumer products that are connected to the internet are often found to be insecure, putting consumers privacy and security at risk,” said Digital Minister Margot James. “Our Code of Practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought.”
The proposed law will also introduce a labelling scheme. The label would tell consumers how secure their products such as ‘smart’ TVs, toys and appliances are.
Following a period of government/public consultation on the new law the labelling scheme will initially be launched as a voluntary scheme to help consumers identify products that have basic security features and those that don’t.
Click the button below to read more.