
The Product Security and Telecommunications Infrastructure Bill (PSTI) will require manufacturers, importers and distributors of digital tech which connects to the internet, including fitness trackers, to meet tough new cyber security standards.
The Department for Digital, Culture, Media and Sport (DCMS) said the Bill will ban universal default passwords, force firms to be transparent to customers about what they are doing to fix security flaws in connectable products and create a better public reporting system for vulnerabilities found in those products.
Retailers will be forbidden from selling products to UK customers unless they meet the security requirements and will be required to pass important information about security updates on to customers.
The Bill applies to ‘connectable’ products, which includes all devices that can access the internet, such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs, voice-activated assistants and smart home appliances such as washing machines and fridges.
It also applies to products that can connect to multiple other devices but not directly to the internet. Examples include smart light bulbs, smart thermostats and wearable fitness trackers.
National Cyber Security Centre (NCSC) technical director Dr Ian Levy said: “I am delighted by the introduction of this bill which will ensure the security of connected consumer devices and hold device manufacturers to account for upholding basic cyber security.
“The requirements this bill introduces, which were developed jointly by DCMS and the NCSC with industry consultation, mark the start of the journey to ensure that connected devices on the market meet a security standard that’s recognised as good practice.”
Currently, the makers of digital tech products must comply with rules to stop them causing people physical harm from issues such as overheating, sharp components or electric shock. But there is no regulation to protect consumers from harm caused by cyber breaches, which can include fraud and theft of personal data.
Cyber criminals are increasingly targeting these products. A recent investigation by Which? found a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week.
And, in the first half of 2021, there were 1.5bn attempted compromises of Internet of Things (IoT) devices, double the 2020 figure. The UK’s National Cyber Security Centre last week revealed it had dealt with an unprecedented number of cyber incidents over the past year.
Rocio Concha, Which? director of policy and advocacy, said the new laws need to apply to online marketplaces where security-risk products are being sold at scale.
“Which? has worked with successive governments on how to crack down on a flood of poorly-designed and insecure products that leave consumers vulnerable to cyber-criminals, so it is positive that this Bill is being introduced to parliament.
“The government needs to ensure these new laws apply to online marketplaces, where Which? has frequently found security-risk products being sold at scale, to prevent people from buying smart devices that leave them exposed to scams and data breaches.”










