A significant victory for the increasing numbers of people that buy Internet of Things (IoT) devices has been struck with the introduction of a new bill in the UK. The Product Security and Telecommunications Infrastructure (PSTI) Bill will force firms into being transparent with customers about what they are doing to fix security flaws, create a better public reporting system for vulnerabilities, and ban universal default passwords.

Its an important move given that IoT devices, from smart TVs and internet-connected light bulbs to smart speakers and IoT washing machines, are so common now its hard to find something that isn’t connected.

Big fines for the flouters

Any organisation which fails to abide by the rules once the new bill comes into force could find itself fined up to £10 million or 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention. These are similar to the fines set for firms who flout GDPR rules which requires companies to inform, within 72 hours, the Information Commissioner if they suffer a cyber breach and customer data is exposed.

Deadly serious

The level of fines indicates how serious the government is about stopping IoT devices flooding onto the market which are unprotected. Further, a newly-created regulator can demand that companies that fail to comply with security requirements to recall products, must stop selling or supplying them altogether.

Connected IoT devices that come under the umbrella of the bill include:
  • Smartphones
  • Cameras, TVs and speakers
  • Children’s toys and baby monitors
  • Smoke detectors and door locks
  • Internet of Things base stations and hubs to which multiple devices connect
  • Wearable connected fitness trackers
  • Outdoor leisure products, such as handheld connected GPS devices
  • Connected home automation and alarm systems
  • Connected appliances, such as washing machines and fridges
  • Smart home assistants
Daily hacks

Every day hackers attempt to break into people's smart devices whether for mischief or with malicious intent. The problem is that if a product is for sale in a shop or from a reputable online retailer there’s an assumption that it is safe. Most IoT devices are most certainly not safe or secure.

The use of default passwords, hands hackers the keys to a cyber treasure chest with which they can, for instance, hack thousands and thousands of devices and rope them into a botnet, listen into people’s conversations, remotely alter heating systems, open locks and switch cameras off and a lot more.

Any difference?

The question is will the bill make any significant difference? It will hopefully, stem the tidal wave of manufacturers from flooding the market with devices that are not fully protected. That said, some will inevitably get through. However, the deeper significance of the bill is that the government is taking consumer cyber security seriously. As such it’s a landmark event.