New cyber security laws to protect smart devices
Under the proposals, Apple, Samsung, Google and other manufacturers of smart devices, including phones, speakers, and doorbells, will need to tell customers upfront how long a product will be guaranteed to receive vital security updates.
According to government figures, almost half (49%) of UK residents have purchased at least one smart device since the start of the coronavirus pandemic. But just one vulnerable device can put a user’s network at risk. In extreme cases hostile groups have taken advantage of poor security features to access people’s webcams.
To counter this threat, the government is planning a new law to make sure virtually all smart devices meet new requirements.
Under the plans, customers must be informed at the point of sale of the length of time for which a smart device will receive security software updates. There will also be a ban on manufacturers using universal default passwords, such as ‘password’ or ‘admin’, which are often pre-set in a device’s factory settings and are easily guessable.
Manufacturers will also be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.
Research by Which? found a third of people kept their last mobile phone for four years, but some brands only offer security updates for a little over two years.
Digital infrastructure minister Matt Warman said: “Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems.
“We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.
“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”
Security update support
Security updates are a crucial tool for protecting people against cyber criminals trying to hack devices. But research by University College London found that none of the 270 smart products it assessed displayed information setting out the length of time the device would receive security updates, either at the point of sale or in the accompanying product paperwork.
The government says that by forcing tech firms to be upfront about when devices will no longer be supported, the law will help prevent users from unwittingly leaving themselves open to cyber threats by using an older device whose security could be outdated.
Brad Ree, CTO of the Internet of Secure Things (IoXT) Alliance, said: “We applaud the UK government for taking this critical step to demand more from IoT device manufacturers and to better protect the consumers and businesses that use them.
“Requiring unique passwords, operating a vulnerability disclosure program, and informing consumers on the length of time products will be supported is a minimum that any manufacturer should provide. These are all included in the IoXt compliance programme and have been well received by manufacturers around the world.”