New ‘Secure By Design’ UK Legislation Looks to Better Regulate IoT Devices

The UK government is working on a new piece of legislation that would require vendors of smart devices, including IoT products, to clearly inform customers how long their devices will receive security updates.

Depending on the vendor, the length of security update support can be a roll of the dice. Some manufacturers tell their customers upfront how long they will support the products they sell, but others are not that transparent. This uncertainty has to stop, and regulating the industry is one of the solutions.

Following several significant studies, including one from the consumer group Which?, which showed that consumers tend to keep their devices long after they reach end of life and vendors have stopped issuing security updates, the UK government is looking to address the problem. Since the initial proposal was made public, the government has also placed smartphones in the same category as IoT devices.

“Smartphones are the latest product to be put in scope of the planned Secure By Design legislation, following a call for views on smart device cyber security the government has responded to today,” reads the official announcement.

The rules outlined in the new legislation are straightforward. First of all, customers must be informed at the point of sale how long a smart device will receive security software updates. The fact that this is the first rule is no coincidence.

Secondly, manufacturers selling devices with universal default passwords could be banned from operating in the UK market. Lastly, manufacturers will be required to provide a public point of contact so that anyone can easily report a vulnerability.

Many of the larger companies won’t have a problem addressing these new rules because they already follow them, to some degree. But some of the smaller manufacturers will have to change their policies if they want to sell their products on the UK market.