New security laws for smart devices: what it means for you
Update 29 April 2024: The UK's new product security regulations have come into force today, placing world-first obligations on manufacturers of smart devices to make them more secure.
Companies producing smartphones, televisions, appliances and other internet-connected gadgets will have to comply with the Product Security and Telecommunications Infrastructure Act from 29 April 2024.
The requirements include:
- A ban on the use of 'universal default and easily guessable default passwords' on consumer connectable products.
- All manufacturers of smart products will need a published point of contact through which vulnerabilities found in their devices can be reported.
- Manufacturers must publish information on the defined minimum guaranteed period (with an end date) in which they will provide security updates to their products.
Consumers will be able to check this support-period information to see how long their product will receive security updates, and so how long it can be expected to stay protected against newly discovered flaws. However, the information only has to be published on the manufacturer's website, not wherever you buy the product, as we have called for.
The Government said also that it is 'engaging' with online marketplaces about the new requirements to see 'how they can work to complement these changes and further protect consumers'.
Rocio Concha, Which? Director of Policy and Advocacy, said: 'Which? has been instrumental in pushing for these new laws which will give consumers using smart products vital protections against cyber criminals looking to launch hacking attacks and steal their personal information.
'The OPSS must provide industry with clear guidance and be prepared to take strong enforcement action against manufacturers if they flout the law, but we also expect smart device brands to do right by their customers from day one, and ensure shoppers can easily find information on how long their devices will be supported and make informed purchases.'
Original story from 7 December 2022:
A new law that requires smart products including televisions, washing machines and smartphones to be made more secure has been announced.
The Product Security and Telecommunications Infrastructure (PSTI) Act aims to address the lack of quality control over security standards, and arrives following years of research by Which? demonstrating the importance of better security in a world where more of the devices we use are ‘connected’.
After a year-long implementation period, smart device manufacturers, distributors and retailers will have to, amongst other things, clearly inform you at point of sale how long they will support devices – an effective tech ‘best before’ date.
Our smart device reviews clearly flag any security issues with products, so you can buy with confidence.
Taming the ‘wild west’ of smart products
You might think that, similarly to electrical safety, if a smart product is on sale in major retailers, it has met a basic threshold of security. However, that is not the case.
Until now there was no legal requirement for a smart product to be secure, and our research has shown a ‘wild west’ of standards in the market, including products wide open to being hacked yet in use in thousands of UK homes.
PSTI will introduce a set of minimum standards to which manufacturers, importers and distributors of a wide range of smart products will have to adhere. Once the 12-month grace period is complete (its start date has not yet been confirmed), brands will have to ensure the smart products you buy comply with the law.
The key requirements include:
1. Clearly flagging support periods
Security is an evolving picture, with new threats emerging all the time that companies must commit to fixing. The new law will force manufacturers to come clean on how long they will support your product with security updates. That period tells you how long the product can be expected to stay protected against newly discovered flaws, so you can choose the best value smart device for your home.
Currently, a lack of consistency over update policies is a significant issue – some smart device brands have told us they’ll only commit to support for around 2 years, whereas others offer more than 10.
When a product stops being updated, it’s more vulnerable to emerging cyberthreats, could lose important features or functionality, or even no longer function, as seen recently when Hive announced it is discontinuing a range of smart devices.
However, transparency is also a problem, with many brands happy to say nothing at all about how long they will support the products they are selling you.
What does it mean for me? Brands will be required to show support lengths, so you can pick the company with the best support length, and go into a purchase with your eyes open.
We’ve been canvassing tech brands to understand their support policies. Read our guide to security and smart devices to see how long popular tech brands support products.
2. A ban on default passwords
Time and again we have seen smart products that are trivially easy to hack because they ship with a weak default password such as admin, 123456 or 888888. Attackers continually scan the internet for exposed devices and simply try the known defaults; the weaker the password, the faster the device falls.
Every insecure smart device in the home is a potential weak link: even an innocent-looking smart kettle could give an attacker a foothold on your home network if it is compromised. The law bans universal and easily guessable default passwords; a factory password that is unique to each device, or one the user must set on first use, is still allowed.
What does it mean for me? Brands will have to make sure you cannot buy a device whose password can be guessed from a list of common defaults, reducing the risk to your personal data and to the other devices on your home network.
In 2019 we reported on the cheap security cameras with weak passwords inviting hackers into your home.
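As an added illustration of what the default-password ban means in practice (this is editor-supplied example code, not code from Which? or from any manufacturer), the script below audits a constructed batch of factory passwords against the kinds of weakness the article describes: a password on a list of universal defaults, one that is trivially short or patterned, one that is lifted from a public identifier such as the serial number or MAC address, and one that is shared across several units. It also shows the acceptable alternative: a per-device password drawn from a CSPRNG. The denylist, the entropy threshold and the sample devices are assumptions chosen for illustration, not values taken from the Act.

```python
"""Audit factory passwords for 'universal default or easily guessable' weaknesses.

Added example: not part of the Which? article or any manufacturer's tooling.
The denylist, thresholds and sample batch below are constructed for illustration.
"""
import math
import re
import secrets
import string

# Constructed denylist; a real checker would use a much larger maintained list.
UNIVERSAL_DEFAULTS = {
    "admin", "password", "123456", "12345678", "888888", "1234",
    "root", "default", "user", "guest", "0000", "111111",
}
MIN_LENGTH = 8
MIN_ENTROPY_BITS = 30  # assumed rough threshold, not a figure from the Act


def _normalise(s: str) -> str:
    """Lower-case and drop separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return re.sub(r"[^0-9a-z]", "", s.lower())


def _is_sequential(pw: str) -> bool:
    """True for runs such as 1234, 4321 or abcd (every step +1 or every step -1)."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def _derived_from_identifier(pw: str, identifiers) -> bool:
    """True if a 6-character slice of the password (or the whole password, if
    shorter) appears in a public identifier printed on the label or seen on the
    network, e.g. the last digits of the MAC address."""
    norm_pw = _normalise(pw)
    win = min(6, len(norm_pw))
    if win < 4:
        return False
    idents = [n for n in (_normalise(i) for i in identifiers) if n]
    return any(norm_pw[k:k + win] in i
               for k in range(len(norm_pw) - win + 1) for i in idents)


def _entropy_bits(pw: str) -> float:
    """Crude upper bound: length times log2 of the character classes used."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def check_default_password(pw: str, identifiers=()) -> list:
    """Return the reasons a factory password is unacceptable; [] means it passes."""
    problems = []
    if pw.lower() in UNIVERSAL_DEFAULTS:
        problems.append("universal default")
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if len(set(pw)) == 1:
        problems.append("single repeated character")
    if _is_sequential(pw):
        problems.append("sequential run")
    if _derived_from_identifier(pw, identifiers):
        problems.append("derived from public identifier")
    if _entropy_bits(pw) < MIN_ENTROPY_BITS:
        problems.append("low entropy")
    return problems


def audit_batch(devices) -> dict:
    """Map each serial to its problems. A password shared by several units is
    flagged even if it looks strong: one leaked label then opens every unit."""
    by_password = {}
    for d in devices:
        by_password.setdefault(d["password"], []).append(d["serial"])
    report = {}
    for d in devices:
        problems = check_default_password(d["password"], (d["serial"], d["mac"]))
        others = len(by_password[d["password"]]) - 1
        if others:
            problems.append(f"shared with {others} other device(s)")
        report[d["serial"]] = problems
    return report


def generate_device_password(length: int = 12) -> str:
    """Per-device password from a CSPRNG: unique and unrelated to serial or MAC."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_default_password(pw):
            return pw


SAMPLE_BATCH = [  # constructed sample, not real devices
    {"serial": "SN00012345", "mac": "AA:BB:CC:00:12:34", "password": "888888"},
    {"serial": "SN00012346", "mac": "AA:BB:CC:00:12:35", "password": "admin"},
    {"serial": "SN00012347", "mac": "AA:BB:CC:00:12:36", "password": "cc001236"},
    {"serial": "SN00012348", "mac": "AA:BB:CC:00:12:37", "password": "Passw0rd!"},
    {"serial": "SN00012349", "mac": "AA:BB:CC:00:12:38", "password": "Passw0rd!"},
    {"serial": "SN00012350", "mac": "AA:BB:CC:00:12:39", "password": "K7v2mQ9xLp4z"},
]

if __name__ == "__main__":
    for serial, problems in audit_batch(SAMPLE_BATCH).items():
        print(serial, "OK" if not problems else "; ".join(problems))
    print("fresh per-device password:", generate_device_password())
```

The third sample device is the instructive one: its password is eight characters and not on any denylist, yet it is the tail of the MAC address that the device broadcasts on the network, so it is "easily guessable" in exactly the sense the ban targets. The two units sharing Passw0rd! are the other subtle case: strong on paper, universal in practice.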
3. Better reporting of security issues
Alongside committing to transparency on software updates, manufacturers must also publish a vulnerability disclosure policy, including a point of contact for reporting security issues.
This enables security researchers, organisations like Which? and individuals to report security problems with smart products, and then the manufacturer has to assess whether the issue can be fixed, or another action taken.
Similar to customer service or repairs, this is all part of brands taking responsibility to maintain the products they sell you.
What does it mean for me? If a smart device develops a security issue, the company that made it has to take that seriously, investigate the issue and hopefully initiate a fix that increases security. It’ll make it far easier for companies like Which? to quickly help resolve issues with devices that could put consumers at risk.
Which? has previously reported security issues with smart products, including cameras and smart alarms, that the brands went on to fix.
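The Act sets out what must be published (a contact for reporting security issues and the policy that goes with it) rather than a file format. One widely used convention for making that contact machine-findable is a security.txt file served at /.well-known/security.txt, as defined in RFC 9116. The fragment below is an added example of such a file and is not taken from the article or from any manufacturer; the example.com addresses and the expiry date are placeholders.

```text
# Served as text/plain at https://example.com/.well-known/security.txt (RFC 9116)
# At least one Contact and an Expires line are required by the RFC.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2025-12-31T23:59:59.000Z
Policy: https://example.com/security/disclosure-policy
Encryption: https://example.com/security/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

Two practical points: the Expires date has to be renewed, since a stale file is treated as invalid by tools that honour the RFC, and the Policy link should point at a page that states how quickly reports are acknowledged and how the reporter is kept informed, which is the part of the obligation a researcher actually relies on.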
Which? leading the charge on better security for consumers
Which? has been calling for better security standards in smart products for nearly a decade.
We have repeatedly demonstrated a shocking lack of even basic security standards in smart products, putting users at risk of hacking, scams and other threats. Likewise, manufacturers often fail to inform customers of how long they will support smart products with important updates.
In 2018 we became involved in the UK government’s work to put together first a Code of Practice for smart product security, and later the PSTI legislation.
We broadly support the new law, and believe it to be a significant step in the right direction for both acknowledging the threats around insecure devices, and raising standards. With this first step in place, we will continue to push the government and smart products industry to ensure that smart products are made secure by design.
Rocio Concha, Which? Director of Policy and Advocacy, said: ‘Which? has worked with successive governments to tackle poorly-designed and insecure smart products that leave consumers vulnerable to cybercriminals and are too quickly abandoned after launch, so it is positive to see vital new product security laws introduced.
‘This legislation must now be backed by strong enforcement, including against online marketplaces that are flooded with insecure products, to prevent consumers purchasing internet-connected devices that threaten their security and may leave them needing to replace otherwise usable products.
‘The government needs to ensure manufacturers and sellers are clear about exactly how long products will receive security updates for and should go further by specifying minimum periods for smart device support.’
Tech tips you can trust – get our free Tech newsletter for advice, news, deals and stuff the manuals don’t tell you.