It's opening a consultation on a new mandatory labelling scheme that would include Smart TVs, toys, and other connected appliances.
Retailers will only be able to sell items with an Internet of Things (IoT) security label.
“Many consumer products that are connected to the internet are often found to be insecure, putting consumers' privacy and security at risk. Our Code of Practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought,” said Digital Minister Margot James.
Yesterday, James discussed IoT security with global technology companies including Amazon, Philips, Panasonic, Samsung, Miele, Yale and Legrand, who agreed to take steps to ensure that effective security solutions are being implemented across IoT products on the market.
Under the proposals, IoT device passwords must be unique and not resettable to any universal factory setting. Manufacturers would be required to provide a public point of contact as part of a vulnerability disclosure policy and state the minimum length of time for which the device will receive security updates through an end-of-life policy.
“Serious security problems in consumer IoT devices, such as pre-set unchangeable passwords, continue to be discovered and it’s unacceptable that these are not being fixed by manufacturers,” said Dr Ian Levy, technical director, National Cyber Security Centre. “This innovative labelling scheme is good news for consumers, empowering them to make informed decisions about the technology they are bringing into their homes.”
Initially, the security label would be launched as a voluntary scheme to help consumers identify products that have basic security features and those that don’t.