UK declares new smart gadget laws to tackle cyber crime

According to the new laws, manufacturers of internet enabled gadgets such as smartphones, games consoles and connected fridges will be banned from coming with weak and easily guessable default passwords like ‘admin’ or ‘12345’, and if there is a common password, the user must be prompted to change it on start-up.

The new measures will also mean manufacturers will have to publish contact details so bugs and issues can be reported and dealt with, and alongside retailers they will have to be ‘open with consumers’ on the minimum time they can expect to receive security updates for their devices.  

This is all in the service of preventing threats like the Mirai attack in 2016 which saw 300,000 smart products compromised due to weak security features and used to attack major internet platforms and services, says the announcement, noting that similar attacks have occurred on UK banks such as Lloyds and RBS.

The laws form part of the Product Security and Telecommunications Infrastructure (PSTI) Act 2022, which is pitched as a move to improve the UK’s resilience from cyber-attacks and ‘ensure malign interference does not impact the wider UK and global economy.’    

The government says recent figures show that 99% of UK adults own at least one smart device and UK households own an average of nine. It also cites an investigation conducted by Which? that showed that a home ‘filled with smart devices’ could be exposed to more than 12,000 hacking attacks from across the world in a single week, with a total of 2,684 attempts to guess weak default passwords on just five devices.  

‘Certain automotive vehicles’ seem to be exempt from this, as they will be covered by alternative legislation.  

“As every-day life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater,” said Minister for Cyber, Viscount Camrose. “From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world first laws that will make sure their personal privacy, data and finances are safe. We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world. 

Data and Digital Infrastructure Minister, Julia Lopez added: “Today marks a new era where consumers can have greater confidence that their smart devices, such as phones and broadband routers, are shielded from cyber threats, and the integrity of personal privacy, data and finances better protected. Our pledge to establish the UK as the global standard for online safety takes a big step forward with these regulations, moving us closer to our goal of a digitally secure future.”

These new rules will help give customers confidence in buying and using new smart products, says the release, which will in turn apparently help grow businesses and the economy. Indeed, it pitches all this as ‘delivering on one of the government’s five priorities to grow the economy.’

Which economy would benefit from such a ground-swell in consumer confidence in IoT gadgetry is up for debate though. Obviously the major technology manufacturers that produce the ever increasing selection of connected consumer goods are not based in the UK or even Europe, and neither are etailers like Amazon where so much of these things are bought.

So the route to growing the UK economy by enforcing more stringent password rules doesn’t seem crystal clear, even if it were to have the desired effect of hampering some cyber crime – which is a sensible enough thing for DSIT to pursue. But that’s government statements on technology for you, in which it now seems almost mandatory to dress up every legislative pen-stroke as some sort of checkmate move to unlock vast untapped riches hitherto out of reach for UK businesses.