UK Smart Device Security Law

The UK Product Security and Telecommunications Infrastructure (Product Security) regime will come into force on 29th April 2024.  It aims to improve the security of the software and default settings on Internet-connected devices in order to protect their users from hackers.

New regulations will include:

  • Banning universal default and easily guessable default passwords.
  • Providing transparent information on how long products will receive security updates for.
  • Making customers aware of a product’s security update support period before allowing purchases on the manufacturer’s website.
  • Publishing contact information for reporting product vulnerabilities.

The devices covered would include:

  • “internet-connectable products”, which means a product that is capable of connecting to the internet
  • “network-connectable products”, which means a product that (i) is capable of both sending and receiving data by means of a transmission involving electrical or electromagnetic energy; (ii) is not an internet-connectable product; and (iii) meets the first or second connectability condition.

The second category might include devices that only connect to another local device such as a fitness tracker or smart watch that only sends data to and from a mobile phone.  These devices can sell for remarkably low retail prices.  The costs involved in the improved support and security would be a significant proportion of the wholesale cost.

The major players in this market, such as the popular smart speaker systems, are likely to be already compliant.  Amongst fitness trackers, smart watches, baby monitors, light bulbs and the like there is a much wider range of products available, including many look-alikes and grey imports from the Far East.  The law is primarily aimed at consumer products, so an industrial system such as air conditioning might not be included.  A device such as a security camera would be included if it is sold for both consumer and business purposes.  In such a case a supplier selling solely to the business market would also need to comply with the law.

There is a risk of maximum fines of 4% of worldwide turnover (plus £20k maximum daily fines) for organisations that make, import or distribute any applicable devices for UK consumers.  Directors and company officers will be criminally liable if the offence was committed with their consent or connivance or is attributable to their neglect.

The rules would include UK-based sellers using 3rd party services such as eBay or Amazon Marketplace.  It is likely that these market hubs will be on top of the new law, but unless they actively connive in illegal sales they will not be ultimately responsible for compliance.  Direct sales from abroad to the end user would be less easy to legislate for and could escape the law.  The consumer will need to take note of whether they are buying from a UK seller or otherwise.  The “UK seller” label can be abused on 3rd party marketplaces.  Buyers would be well advised to report and claim a refund for imported smart devices that have not passed through a UK distributor, as they may not be getting the security protection that this law will put in place.

Smaller businesses that are importing these devices might overcome some of the law’s restrictions by publicising only limited, very short-term support and security plans (although this would affect sales).  Handling simple default passwords could involve more work.  Ideally the manufacturer should be required to set up appropriate routines before export.  The work involved for the importer in locally flashing new passwords and updating the relevant literature might be excessive.

While the manufacturers are in a position to change their software and support systems, the re-seller will need to be very careful about the stock they are buying in now.  This will allow time for any non-compliant stock to be moved on before the new law comes into force.  Those buying in parts to integrate with larger systems will need to ensure that the software and support in place meets the new standards and continues to work as expected.
