News
Kaspersky Comment: New UK laws for smart devices and cybersecurity
April 2021 by David Emm, Principal Researcher at Kaspersky’s Global Research and Analysis Team (GReAT)
As of today, the Government has announced new laws that will significantly increase the inbuilt cybersecurity standards of smart devices. Most notably, the new legislation entails that:
• Apple, Samsung, Google and other manufacturers will say when smartphones, smart speakers and other devices will stop getting security updates
• Easy-to-guess default passwords to be banned on virtually all devices under the new law
• Rules will make it easier for people to report software bugs that can be exploited by hackers
• Makers of smart devices including phones, speakers, and doorbells will need to tell customers up front how long a product will be guaranteed to receive vital security update.
The from David Emm, Principal Researcher at Kaspersky’s Global Research and Analysis Team (GReAT). He argues that the legislation is long overdue, especially after the surge in the use of personal devices for business during the pandemic.
“The UK Government has long recognised the importance of securing smart devices, and in 2018 it introduced its code of practice for IoT security, setting out security standards for developers of such devices. The problem with voluntary standards, however, is that there’s no obligation for vendors to follow them, and it’s clear that many smart devices are developed without security in mind. We’ve all come to expect that everyday objects – from children’s toys to furniture – will ship with certification marks indicating that they are physically safe, but developers of smart devices do little to secure digital equipment. The new legislation will force vendors to take steps to make smart devices more secure. They will be required to state up-front how long they will provide updates for the device, avoid using default passwords and provide a public point of contact for anyone to report vulnerabilities in the device.
Nevertheless, it remains unclear why the legislation doesn’t include all 13 guidelines from the original code of practice. Moreover, it would be even more helpful for consumers if smart devices were to display a clearly visible mark, like the British Standards Institute kitemark. This would provide an easy way for consumers to tell if something is safe, putting manufacturers who don’t comply at a disadvantage.”
