New security laws for smart devices: what it means for you

Update 29 April 2024

The UK's new product security regulations have come into force today, placing world-first obligations on manufacturers of smart devices to make them more secure.

Companies producing smartphones, televisions, appliances and other internet-connected gadgets will have to comply with the Product Security and Telecommunications Infrastructure Act from 29 April 2024. 

The requirements include: 

  • A ban on the use of 'universal default and easily guessable default passwords' on consumer connectable products.
  • All manufacturers of smart products will need a published point of contact through which vulnerabilities found in their devices can be reported.
  • Manufacturers must publish information on the defined minimum guaranteed period (with an end date) in which they will provide security updates to their products.
  • Consumers will be able to access the software update information to see how long their product will be supported, and so remain in good working order and protected against new hacking threats. However, it will only be required on the manufacturer's website, not wherever you purchase your product, as we have called for.

    The Government said also that it is 'engaging' with online marketplaces about the new requirements to see 'how they can work to complement these changes and further protect consumers'.

    Rocio Concha, Which? Director of Policy and Advocacy, said:

    7 December 2022

    A new law that requires smart products including televisions, washing machines and smartphones to be made more secure has been announced.

    The Product Security and Telecommunications Infrastructure (PSTI) Act aims to address the lack of quality control over security standards, and arrives following years of research by Which? demonstrating the importance of better security in a world where more of the devices we use are ‘connected’. 

    After a year-long implementation period, smart device manufacturers, distributors and retailers will have to, amongst other things, clearly inform you at point of sale how long they will support devices – an effective tech ‘best before’ date. 

    Taming the ‘wild west’ of smart products

    You might think that, similarly to electrical safety, if a smart product is on sale in major retailers, it has met a basic threshold of security. However, that is not the case. 

    Until now, there was absolutely no legal requirement for a product to be secure, and our research has shown a ‘wild west’ of standards in the market, including products wide open to being hacked yet in use in thousands of UK homes.

    PSTI will introduce a set of minimum standards to which manufacturers, importers and distributors of a wide range of smart products will have to adhere. Once the 12 month grace period is complete (the start date for this has not yet been confirmed), brands will have to ensure the smart products you buy are compliant with the law. 

    The key requirements include:

    1. Clearly flagging support periods

    Security is an evolving picture, with new threats emerging all the time that companies must commit to fixing. The new law will force manufacturers to come clean on how long they will support your product with updates. This effectively tells you how long that product will remain in good working order, so you can choose the best value smart device for your home. 

    Currently, a lack of consistency over update policies is a significant issue: some smart device brands have told us they’ll only commit to support for around 2 years, whereas others offer more than 10.

    However, transparency is also a problem, with many brands happy to say nothing at all about how long they will support the products they are selling you. 

    2. A ban on default passwords

    Time and again we have seen smart products that are trivially easy to hack because they ship with a weak default password, such as admin, 123456 or 888888. Hackers continually crawl the internet for these devices and then simply guess the password. The weaker it is, the easier the device is to hack.

    Every insecure smart device in the home is a potential weak link in a chain – even an innocent looking smart kettle could allow a hacker to access your entire home network if its security is breached. The law will ban weak default passwords that aren’t changed by the user. 

    3. Better reporting of security issues

    Alongside committing to transparency on software updates, manufacturers will also be required to have a published vulnerability disclosure policy.

    This enables security researchers, organisations like Which? and individuals to report security problems with smart products; the manufacturer then has to assess whether the issue can be fixed or whether another action should be taken.

    Similar to customer service or repairs, this is all part of brands taking responsibility to maintain the products they sell you. 

    Which? leading the charge on better security for consumers

    Which? has been calling for better security standards in smart products for nearly a decade. 

    We have repeatedly demonstrated a shocking lack of even basic security standards in smart products, putting users at risk of hacking, scams and other threats. Likewise, manufacturers often fail to inform customers of how long they will support smart products with important updates. 

    In 2018 we became involved in the UK government's work to put together first a Code of Practice for smart product security, and later the PSTI legislation.

    We broadly support the new law, and believe it to be a significant step in the right direction for both acknowledging the threats around insecure devices, and raising standards. With this first step in place, we will continue to push the government and smart products industry to ensure that smart products are made secure by design. 

    Rocio Concha, Which? Director of Policy and Advocacy, said: 

    ‘This legislation must now be backed by strong enforcement, including against online marketplaces that are flooded with insecure products, to prevent consumers purchasing internet-connected devices that threaten their security and may leave them needing to replace otherwise usable products. 

    ‘The government needs to ensure manufacturers and sellers are clear about exactly how long products will receive security updates for and should go further by specifying minimum periods for smart device support.’

    Source: https://www.which.co.uk/news/article/new-security-laws-for-smart-devices-aGJO50M7C3jo