UK Smart Device Security Law
The UK Product Security and Telecommunications Infrastructure (PSTI) product security regime comes into force on 29th April 2024. It aims to improve the security of the software and default settings on internet-connected consumer devices, to protect their users from attackers.
The new regulations include:
- Banning universal default and easily guessable default passwords.
- Providing transparent information on how long products will receive security updates for.
- Making customers aware of a product’s security update support period before allowing purchases on the manufacturer’s website.
- Publishing contact information for reporting product vulnerabilities.
The devices covered include:
- “internet-connectable products” which means a product that is capable of connecting to the internet
- “network-connectable products” which means a product that (i) is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy; (ii) is not an internet-connectable product; and (iii) meets the first or second connectability condition.
The second category might include devices that only connect to another local device, such as a fitness tracker or smart watch that only sends data to and from a mobile phone. These devices can sell for remarkably low retail prices, so the cost of the improved support and security would be a significant proportion of the wholesale cost.
The major players in this market, such as the popular smart speaker systems, are likely to be compliant already. Amongst fitness trackers, smart watches, baby monitors, light bulbs and the like there is a much wider range of products available, including many look-alikes and grey imports from the Far East. The law is primarily aimed at consumer products, so an industrial system such as air conditioning might not be included. A device such as a security camera would be included if it is sold for both consumer and business purposes; in that case a supplier selling the same product solely to the business market would also need to comply with the law.
Organisations that make, import or distribute any applicable devices for UK consumers risk maximum fines of the greater of £10 million or 4% of qualifying worldwide revenue, plus daily fines of up to £20,000 for a continuing breach. Directors and company officers will be criminally liable if the offence was committed with their consent or connivance, or is attributable to their neglect.
The rules also cover UK-based sellers using third-party services such as eBay or Amazon Marketplace. It is likely that these marketplaces will be on top of the new law, but unless they actively connive in illegal sales they will not be ultimately responsible for compliance. Direct sales from abroad to the end user are harder to legislate for and could escape the law, so the consumer will need to take note of whether they are buying from a UK seller or not; that label can be abused on third-party marketplaces. Buyers would be well advised to report, and claim a refund for, imported smart devices that have not passed through a UK distributor, as they may not be getting the security protection that this law puts in place.
Smaller businesses importing these devices might sidestep some of the burden by publicising only a very short support and security update period (although this would affect sales). Handling simple default passwords involves more work: each unit must ship with a password that is unique to it, or that the user is forced to set. Ideally the manufacturer should be required to set this up before export, because the work involved for the importer in locally flashing a new password into each unit and updating the accompanying literature could be excessive.
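The default-password requirement is the one an importer or reseller can actually check at goods-in: does each unit's printed default password fall on a universal or easily guessable list, and is it shared between units? The following is an added illustration of such a check, not code from the regulations, from any manufacturer or from the guidance documents. The blocklist, the minimum length, the record format (serial, printed default password) and the sample batch are all constructed assumptions; a real deployment would load a far larger blocklist.

```python
"""Per-unit default password checks for a provisioning or goods-in step.

Added illustration only. The blocklist, MIN_LENGTH, the record format and the
sample batch below are assumptions, not part of the regulations or any product.
"""
import secrets
import string
from collections import Counter

# Constructed blocklist of universal/guessable defaults (assumption: a real
# deployment would load a much larger published wordlist).
UNIVERSAL_DEFAULTS = {
    "admin", "password", "passw0rd", "123456", "12345678", "1234",
    "default", "root", "user", "guest", "letmein", "qwerty", "000000",
}
MIN_LENGTH = 12                        # assumed policy threshold
ALPHABET = string.ascii_letters + string.digits


def _is_sequential(s):
    """True for straight runs such as '1234' or 'abcd', ascending or descending."""
    if len(s) < 4:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def is_guessable(password, serial=None):
    """Return a reason string if the password is a universal or easily
    guessable default, otherwise None. `serial` is the unit's printed
    serial number, used to catch passwords derived from it."""
    pw = password.strip()
    low = pw.lower()
    if low in UNIVERSAL_DEFAULTS:
        return "on universal-default blocklist"
    if len(pw) < MIN_LENGTH:
        return "shorter than %d characters" % MIN_LENGTH
    if len(set(low)) == 1:
        return "single repeated character"
    if _is_sequential(low):
        return "sequential characters"
    # "admin0000000001" style: blocklisted word padded with digits
    if low.rstrip(string.digits) in UNIVERSAL_DEFAULTS:
        return "blocklisted word with numeric suffix"
    if serial and serial.lower() in low:
        return "derived from the printed serial number"
    return None


def generate_unit_password(length=16, serial=None):
    """Generate a random per-unit default password from a CSPRNG, retrying in
    the (negligibly likely) case that the draw trips one of the checks."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_guessable(pw, serial) is None:
            return pw


def validate_batch(records):
    """records: list of (serial, default_password) for a delivered batch.
    Returns a list of (serial, problem) for every unit that would fail the
    per-unit default password requirement, including shared passwords."""
    problems = []
    counts = Counter(pw for _, pw in records)
    for serial, pw in records:
        reason = is_guessable(pw, serial)
        if reason:
            problems.append((serial, reason))
        elif counts[pw] > 1:
            problems.append((serial, "password shared by %d units" % counts[pw]))
    return problems


# Constructed goods-in records for the demonstration; not real devices.
SAMPLE_BATCH = [
    ("SN0001", "admin"),
    ("SN0002", "Xk9vQ2mT7pLw4Zr8"),
    ("SN0003", "Xk9vQ2mT7pLw4Zr8"),   # duplicate of SN0002's password
    ("SN0004", "cam-SN0004-2024"),    # built from the serial printed on the label
    ("SN0005", "Hq3nB7wE2sYv9Kd5"),
]

if __name__ == "__main__":
    for serial, problem in validate_batch(SAMPLE_BATCH):
        print("%s: %s" % (serial, problem))
    # Example of what a compliant per-unit password looks like:
    print("replacement for SN0001:", generate_unit_password(serial="SN0001"))
```

Two design points: the passwords are drawn from a CSPRNG rather than derived from the serial or MAC address, because anything computable from information printed on the label or broadcast on the network is guessable for the whole product line once the scheme is known; and the batch check flags shared passwords as well as weak ones, since a "unique" password that is in fact repeated across a production run is exactly the universal default the regulation bans.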
While the manufacturers are in a position to change their software and support systems, resellers will need to be very careful about the stock they are buying in now, to leave time for any non-compliant stock to be moved on before the new law comes into force. Those buying in parts to integrate into larger systems will need to ensure that the software and support in place meet the new standards and continue to work as expected.