UK plans new law aimed at improving Internet of Things security

The U.K. government is proposing new legislation aimed at improving security of Internet of Things devices.

Digital minister Margot James MP revealed the draft law on Wednesday as part of the government’s efforts to protect millions of internet-connected devices from cyberattacks.

The law will mandate that internet-connected devices, like smart thermostats, appliances and webcams, must be sold with a unique password.

Botnets typically rely on default passwords that are hardcoded into devices when they’re built and that are never changed by the user. Selling each device with a unique password significantly slows down cybercriminals who scan the internet and automatically log into devices using a default password, often to launch distributed denial-of-service attacks.

Botnets operating thousands of hijacked Internet of Things devices have taken entire websites offline on a massive scale. Two years ago, the Mirai botnet briefly downed Dyn, a networking company that provides domain name service to major sites. That outage knocked dozens of major sites offline — like Twitter, Spotify and SoundCloud.

The new U.K. law will also require device makers to provide a public point of contact so that hackers and security researchers can report flaws and vulnerabilities.

And device makers will have to tell consumers for how long each device will receive security updates.

The law, if passed, would create a labeling scheme that lets consumers easily identify devices that are “Secure by Design,” said James, giving consumers greater confidence that the devices ship with a baseline level of security out of the box.

“Many consumer products that are connected to the internet are often found to be insecure, putting consumers’ privacy and security at risk,” said James. “Our code of practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought.”

The U.K. is following in the footsteps of California, which in October passed a law banning default passwords in connected devices. The law will come into effect in 2020. Each device sold in the state must come with a password “unique to each device.”

Ken Munro, founder of security firm Pen Test Partners, said in a blog post that the proposed law was a “great start,” but the new rules were a “fairly light touch.”

His company finds security flaws in internet-connected devices like car alarms and other consumer goods.

“We hope that the government will also commit to a program of continual improvement of smart product security,” he said.