The British government are showing how seriously they are taking smart home security by introducing laws to protect consumers from poor smart products.
Many generic manufacturers use apps which are vulnerable to hacking or scanning, and Black Friday deals see some less scrupulous retailers attempt to sell off old tech which has a very limited period of ongoing software support (as well as offering “deals” on goods which have been the same price for weeks prior to the sales). In response, the government is putting responsibility for basic security protocols onto shops and makers by ensuring that insecure devices are not put up for sale.
Manufacturers, importers and retailers will face fines of up to £10m if they fail to comply with the requirements. While that seems like a huge fine for what is to many simply a software issue, it demonstrates how seriously security for consumers is being taken. It also reflects the size of the market in smart home devices, as only a fine this size can act as a deterrent for businesses who continue to make or sell substandard home automation.
The fine is being introduced as part of the Product Security and Telecommunications bill. Each household in the UK currently has an average of 9 smart automation electronic products; naturally, that number is significantly higher for people who are actively engaged in the IoT revolution. While they’re more likely to understand the dangers of poor security, government research has found that only one in five manufacturers apply even basic security requirements for their connected devices. And because consumers expect their devices to be secure straight out of the box, fewer than 20% of them take any action to implement better security on their own account, or even know how to.
Introducing New Standards To Protect Your Privacy As Well As Your Safety
The problems low standards of security introduce are significant. People can spy on you via your cameras, or harass you through any device which has an integrated speaker. They can record conversations you have, or gain access to your home’s internet network. Once in, they can access devices which protect your physical security, turning surveillance cameras off or unlocking smart locks. While the Sale of Goods Act prevents dangerous goods from reaching the market, that only covers physical harm. Until this law is passed there is no other legislation covering insecure products to protect you from privacy or security dangers. When it comes in, the Product Security and Telecommunications bill will encompass three core directives which will improve the standard of security you get when you buy connected devices.
Those standards include information on software support. The longer a product line is available, the longer hackers and scanners have to break into it and reveal its vulnerabilities. Software updates are important to keep ahead of anyone who tries to get into your smart home network. Now, when you’re making your purchase, the retailer will have to inform you how long you can expect to keep getting updates.
The next standard is vulnerability reporting. When a vulnerability is discovered as part of third-party testing, product reviews, or any other benign use, there should be a clear and active contact where the issues can be reported. As well as reporting, the informant should be able to expect the company to react quickly and positively to problems that they have identified.
Finally, there will be much tighter security surrounding default passwords. Instead of shipping with ‘admin’ or a uniform sequence of numbers or letters, each individual item will have its own unique password, which cannot be reset to a standard factory setting. This is intended to stop scanners from sweeping your home network and trying the manufacturer’s default passwords until they strike it lucky.
The government has stated that the standards, and fines for not complying with the bill, will apply to:
- Smart Home Assistants
- Smart appliances such as cookers, fridges and washing machines
- Smart alarm, CCTV and monitoring devices
- Wearable and other fitness trackers, including smart watches, Fitbits, or GPS enabled sports monitors
- Smart Home hubs and control panels which operate multiple connected devices
- Smart smoke, fire, and carbon monoxide detectors
- Toys and baby monitors
- TVs and Smart Speakers
MP Julia Lopez, a minister for Media, Data and Digital Infrastructure, said: “Every day, hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft. Our Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”
One Year To Get Their House In Order
Following its introduction, the bill will allow 12 months for the security improvements to permeate throughout the market, for importers and distributors to adjust their practices, and for retailers to stop selling stock which doesn’t meet the new standards. After that the framework will come fully into force and those businesses who don’t comply will face those £10m fines, or fines of up to 4% of the company’s global revenue.
Once a new regulator is convened they will be able to ensure that the regulations are implemented, and will have the power to impose those fines wherever a retailer, distributor or manufacturer fails to meet the standards.
Importantly, the bill doesn’t just cover devices which connect directly to the internet, but those which use another smart device as a bridge, for example a Fitbit which connects via a phone, or a lightbulb which connects via a smart home hub or phone app.
Devices which aren’t covered are home computers and laptops, connected cars, smart meters, EV charging points and medical equipment. The reason is that there are already many antivirus and anti-malware protections available and they are already covered by other consumer protections. The standards also don’t cover second-hand IoT products, but there is scope within the bill to bring them under its purview at a later date.
Briant Communications only supply and install top-of-the-line smart home automation products from well-known branded manufacturers. If you want to enter the Smart Home market but you’re unsure what to do, or your security is a concern, why not get in touch? We offer a free, no-obligation estimate based on your specific needs. Email us on email@example.com or call on 01273 465377.