New UK law forces companies to strengthen smart device security
- Oliver Cole
- May 2, 2024
Updated: May 22, 2024
Starting on the 29th April 2024, companies selling smart devices will have to abide by a new set of cyber security restrictions.
The proliferation of smart devices, from speakers to washing machines, has revolutionised how we interact with technology. I mean, could you really live without your Alexa? However, this convenience comes with risks. Many of these devices, if not adequately secured, can serve as gateways for cybercriminals to infiltrate the networks these devices are connected to. Default passwords, lack of security updates, and inadequate means to report vulnerabilities have made these devices susceptible to exploitation.
IoT and smart devices are uniquely vulnerable due to their connection to the wider internet and their inherent integration with everyday life, the worst being smart cameras. Using a 'device search engine' like Shodan.io or zoomeye.hk, you can go online and look through unsecured or weakly secured cameras that are sometimes in very compromising locations. This is just one example, but the gist is, you don't want an attacker having access to smart devices connected to your network.
Despite this, for a long time, companies have provided inadequate security for the devices they release. We have seen "admin admin" usernames and passwords all the way to massive security vulnerabilities that didn't get caught due to the lack of a process for users to report vulnerabilities (*cough* Ring *cough*).
As a consumer, the new law offers several key protections:
1. Elimination of Default Passwords: Manufacturers are prohibited from supplying devices with default passwords, which are easily discoverable and exploitable by cybercriminals.
2. Security Reporting Mechanism: Manufacturers must provide a point of contact for reporting security issues. This ensures that vulnerabilities can be addressed promptly, reducing the risk of exploitation.
3. Minimum Update Support: Manufacturers are obligated to disclose the minimum duration for which a device will receive security updates. This transparency empowers consumers to make informed decisions about the longevity and security of their devices.
While the new legislation sets a baseline for device security, proactive measures are essential to safeguarding your smart devices:
1. Check Default Settings: During setup, change any default passwords to unique, secure ones. Enable features like two-factor authentication (2FA) to add an extra layer of security.
2. Install Updates Promptly: Regularly update your devices and apps to patch vulnerabilities and ensure optimal functionality. Enable automatic updates whenever possible to streamline the process.
A small concern I will raise is that this could lead to phishing attempts by malicious actors stating something along the lines of "Due to new legislation in the United Kingdom, you need to change your device's password" and linking to an online infostealer. Admittedly, this is a stretch; however, it's not outside the realm of possibility.
Overall, I think this new legislation is a positive step in the right direction and will help secure this group of vulnerable devices. By holding manufacturers accountable for basic security standards, consumers can have greater confidence in the devices they bring into their homes.