The United Kingdom is now enforcing a new consumer connectable product security law, starting from April 29, 2024. This new law requires that manufacturers of ‘smart’ products sold in the UK adhere to specified minimum security requirements to ensure the safety of these devices.
Now, these laws apply only to the UK, not to the rest of the world. However, once the UK requires these changes, there is a good chance the rest of the world will benefit from them too, since manufacturers will already have built the support in.
This new law applies to any product that can connect to the internet or network, except for those that are specifically excluded. The law’s requirements are aimed at resolving security problems or removing potential vulnerabilities.
The new law’s requirements include the following:
1. Passwords for these products must either be unique to each device or be user-defined. Additional stipulations apply to passwords that are unique per product: they must not be based on incremental counters, must not be based on publicly available information, must not be derived from unique product identifiers such as serial numbers (unless encrypted or hashed in accordance with good industry practice), and must not be otherwise easily guessable.
2. Manufacturers must provide clear and free information on how to report security issues with their products, including the expected time frames for acknowledgment and status updates until resolution. This information must be provided without prior request, in English, and in an accessible, clear, and transparent manner.
3. Information regarding the minimum period for which security updates will be provided must also be published and made available to consumers. This must include the minimum duration and an end date for the updates, and like other information, it should be accessible in English, free of charge, and understandable without technical expertise.
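As an added illustration of the password requirement above (not part of the original post or the regulation), the following script audits a constructed batch of factory default passwords against those rules: uniqueness across the batch, well-known defaults, incremental counters, derivation from the serial number, and easy guessability. The batch data and the heuristics are assumptions for the example; the list of common defaults and the "easily guessable" thresholds are illustrative, not the law's definitions.

```python
import re
from collections import Counter

# Constructed sample batch: (device serial number, factory default password).
SAMPLE_BATCH = [
    ("SN-000101", "admin"),           # well-known default, shared with the next device
    ("SN-000102", "admin"),
    ("SN-000103", "cam-0101"),        # incremental counter, consecutive with the next two
    ("SN-000104", "cam-0102"),
    ("SN-000105", "cam-0103"),
    ("SN-000106", "SN000106!"),       # derived directly from the serial number
    ("SN-000107", "qv7W-3nLm-k2Pz"),  # acceptable: unique, not derived, not guessable
]
COMMON_DEFAULTS = {"admin", "password", "12345678", "123456", "default", "root"}
COUNTER_RE = re.compile(r"^(.*?)(\d+)$")  # prefix + trailing number

def _norm(s):
    """Lower-case and strip separators so 'SN-0001' and 'sn0001' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def _counter_neighbours(passwords):
    """Passwords whose trailing number is adjacent to another password with the same prefix."""
    keyed = {}
    for pw in passwords:
        m = COUNTER_RE.match(pw)
        if m:
            keyed.setdefault(m.group(1), set()).add(int(m.group(2)))
    flagged = set()
    for pw in passwords:
        m = COUNTER_RE.match(pw)
        if m:
            n = int(m.group(2))
            if n - 1 in keyed[m.group(1)] or n + 1 in keyed[m.group(1)]:
                flagged.add(pw)
    return flagged

def audit_default_passwords(batch):
    """Map each serial number to the list of requirement violations found for its password."""
    counts = Counter(pw for _, pw in batch)
    counter_hits = _counter_neighbours([pw for _, pw in batch])
    report = {}
    for serial, pw in batch:
        issues = []
        if counts[pw] > 1:
            issues.append("not unique per device")
        if _norm(pw) in COMMON_DEFAULTS:
            issues.append("well-known default")
        if pw in counter_hits:
            issues.append("incremental counter")
        ns, npw = _norm(serial), _norm(pw)
        if len(ns) >= 4 and (ns in npw or npw in ns):
            issues.append("derived from serial number")
        if len(pw) < 8 or len(set(pw)) < 4:  # illustrative guessability threshold
            issues.append("easily guessable (short or low variety)")
        report[serial] = issues
    return report
```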
In general, this is a good step forward for the security of any internet-connected device. Too many devices these days come with a hard-coded password that a user can’t change, or an insecure default password that is the same across all units of a model. Having a clear way to report security issues, along with acknowledgement that the issue was received and status updates, will help prevent reports from disappearing into a black hole. And requiring published information about how long security updates will be provided makes sure you won’t be buying a device that is near the end of its security update life.
For additional information regarding the new consumer connectable product security regime, check out GOV.UK.