Your smart devices could finally be about to get a whole lot more secure

(Image credit: Shutterstock / vladwel)

Connected devices will finally get a major security upheaval to stop them from becoming easy prey to hackers following a major step forward by the UK government.

Under new plans revealed by the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC), any product that is able to connect to the Internet will need to come with a unique pre-set password, or demand the customer set one up before use.

The plans look to address one of the central flaws affecting millions of supposedly "smart" devices such as routers, televisions, and even fridges, that ship every year with default or easy to guess passwords.

IoT security

Under the new rules, businesses could face financial penalties for failing to ensure proper security protection, or be forced to recall substandard products.

Device makers could also be forced to declare the minimum amount of time they will continue to provide security updates for a product after purchase, and disclose how consumers be able to contact them in the event of finding a security flaw.

“This is a significant step forward in our plans to help make sure smart products are secure and people’s privacy is protected,” digital minister Matt Warman said.

“I urge organisations to respond to these proposals so we can make the UK the safest place to be online with pro-innovation regulation that inspires consumer confidence in our tech products. People should continue to change default passwords on their smart devices and regularly update software to help protect themselves from cyber criminals."

The plans are now being sent out to the industry at large, as well as consumer groups, in order to gather feedback, before potentially being finalised later this year. A government spokesman told the BBC the new law will still need to face scrutiny from parliament, but could be enforced as soon as next year.

Much of the proposed changes are currently part of a voluntary code of practice introduced back in 2018, but many devices still fall short. It is hoped the rules will also soon be globalised, with European Telecommunications Standards Institute (ETSI) hard at work on a worldwide rollout.

Devices that are able to connect to the Internet of Things have been a security worry for some time, due largely to the fact that there is no set of overriding principles concerning security protection for new releases.

This has led huge numbers of devices to ship with default passwords such as "admin", making them easy prey for hackers.

Large numbers of devices can be hacked and pulled together into large-scale botnets, which can be used to target specific organisations or networks by bombarding them with traffic - as seen with the notorious Mirai botnet, which took down a number of high-profile targets back in 2016.


Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.