DCMS wants to outlaw universal default passwords in consumer smart products

July 15, 2020

The Department for Culture, Media & Sport has published a call for evidence which describes the UK government’s proposed approach for improving the cyber security of consumer smart products sold in the UK through legislation. It sets out the scope of the proposed legislation, the proposed cyber security requirements that would be mandated for consumer smart products (the security requirements), how these requirements may translate into obligations on the producers and distributors of these products, and proposals for the enforcement of these requirements.

The DCMS says that the desired outcome of these proposals is that no product within scope should be supplied or made available to consumers on the UK market, if it does not comply with three security requirements.

According to the DCMS, this would establish a cyber security baseline for smart products that would apply UK-wide. The government’s intention is to design future-proofed legislation that remains relevant amid the rapid pace of technological change and innovation across the consumer smart product sector. The government will therefore seek to design the legislative framework so that it can be updated quickly as the consumer smart product landscape evolves.

Scope of regulation

The approach that the government suggests is to include a broad definition of connected products within the scope of the regulation and to specify product categories that are out of scope as necessary. The proposals cover products that are primarily used by or available to consumers but are also used in a business environment. This includes, but is not limited to, multi-functional printers, smart TVs and connected security cameras. The government proposes to exclude certain products, such as industrial smart products and those already regulated elsewhere. Examples of excluded products are smart meters, medical devices and autonomous vehicles.

The scope would be defined as follows:

“a product in scope for this regulation is any ‘network-connectable’ ‘product’ that is supplied or made available; for the use or enjoyment of a natural person; or for the sale to a natural person for use; who is acting for purposes that are outside his/her trade, business, craft or profession in or around a permanent or temporary household or residence, in recreation or as an electronic wearable, except products that are designated as out of scope.”

Security requirements

The security requirements have been derived from and align with key provisions within European Telecommunications Standards Institute (ETSI) European Standard (EN) 303 645 v2.1.1. Various design principles have informed the security requirements, including impact, applicability, future-proofing, minimise burden, alignment with industry standards and testability.

The three key requirements will be:

  • Ban universal default passwords in consumer smart products (i.e. passwords that are identical across all units of a product, as opposed to per-device unique or user-defined credentials);
  • Implement a means to manage reports of vulnerabilities; and
  • Provide transparency on how long, at a minimum, the product will receive security updates.

The IoT Security Foundation is developing guidance, expected to be published later in 2020, based on these security requirements as well as on the relevant guidelines of the Code of Practice for Consumer Internet of Things Security and the relevant provisions of ETSI EN 303 645.

The government’s intention is to align broadly with the existing legislation and definitions for regulating product safety in the UK, as set out in the General Product Safety Regulations 2005 (SI 2005/1803). It is intended that this legislation will prohibit Producers as defined (which includes manufacturers and importers) from supplying, or making available on the market, a product in scope unless it meets the security requirements. It will also place a duty of care on Distributors as defined (which covers retailers and also includes online marketplaces) of products in scope to only ‘supply’ or ‘make available’ products that meet the security requirements.

Enforcement

The proposed enforcement approach is to designate a regulator to take action against Producers or Distributors who supply or make available products within scope that do not comply with the security requirements, in order to deter bad practice and reduce the threat posed to consumer security, and potentially to consumer privacy and safety. The government proposes that the designated enforcement body would initially impose penalties for non-compliance using civil enforcement techniques. Continued non-compliance could lead to criminal action, proportionate to the scale of the offence and applicable where sanctions have been breached. The designated enforcement body would not seek prosecution in the first instance, but would instead take a scalable approach, beginning with voluntary action before using sanctions to deter non-compliance with the legislation.

The call for evidence closes on 6 September 2020.