Smartphones will be included in the scope of a planned “protection by design” U.S. law, aimed at further enhancing the protection of consumer devices, the government said today. It made the announcement in response to legal planning advice aimed at tackling some of the most relaxed security practices long-associated with Internet of Things (IoT).
The government introduced a security code practice for IoT device manufacturers back in 2018 – but the upcoming law aims to build on that with a set of legally mandatory requirements. In 2019, ministers unveiled a draft law – focusing on IoT devices such as government webcams and child monitors, who were often, involved in the most serious device protection practices.
The plan now is that virtually all smart devices should covered by legally binding security requirements, the government consumer group “Which?” It found that one-third of people kept their last phone for four years, while some brands only gave security updates for more than two years. The upcoming law would require smartphone and device makers like Apple and Samsung to notify customers for a period of time for which any device will receive a software update at the time of sale.
This will prohibit manufacturers from using public default passwords (such as “password” or “admin”), which are often preset in a device’s factory settings and are easily conceivable – making security terms meaningless. California has already passed a law banning national passwords in 2018, with the law taking effect last year.
Under incoming U.S. law, a public contact will be required to make it easier for anyone other than manufacturers to report vulnerabilities. The government has said it will introduce the law as soon as Parliament gives time. Commenting in a statement, Digital Infrastructure Minister Matt Warman added, “Our phones and smart devices may be gold mines for hackers looking to steal data, yet a large number of holes in their security systems still run out of old software.”
“We’re changing the law to make sure consumers know that their essential security updates before they buy products can be broken and how long devices can easily break predictable default passwords. “These reforms, supported by technology companies around the world, will intensify the efforts of online criminals and increase our goal of bringing them back safely from the epidemic.”
A representative for DCMS confirmed that laptops, PCs and tablets without cellular connections would not covered by the law, or secondhand products. Although he added that the purpose intended to be adapted, the law ensures that it can keep pace with new threats arising near devices.