UK.gov wants mobile makers to declare death dates for their new devices from launch
IoT security plan suddenly thrusts into the mainstream
Phone, tablet, and IoT gadget makers will have to state when they'll stop providing security updates for new devices entering the market, the UK's Department for Culture, Media and Sport (DCMS) vowed this morning.
Today's pledge would see existing plans for internet-connected tat extended to smartphones and tablets, which is a large step for a scheme originally put together for landfill Internet-of-Things devices such as webcams.
Digital Infrastructure Minister Matt Warman said in a canned statement: "Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems."
The £70m Secure by Design plan has been telegraphed by the DCMS for years, though today's extension to everyday smartphones is notable.
On top of this, smart device makers will also be banned from publishing default admin passwords for their wares. Such admin passwords are a standard method for digital crims to break into a device or the network to which it is connected.
A government-sponsored study from University College London two years ago, highlighted today by DCMS, said typical IoT devices come with no crime prevention advice, which is presumably the sort of finding that UK.gov enjoys seeing public money poured into.
The plans are likely to meet stiff opposition from device makers: end-of-life dates for devices are usually an open secret among the tech-savvy, but stating them at the launch of a brand-new bit of hardware is unlikely to be popular with manufacturers' marketing teams.
Gov-backed consumer org Which? supported the move, stating: "This must be backed up by strong enforcement, ensuring people can get effective redress when they purchase devices that fail to meet security standards and leave them exposed to data breaches and scams."
The National Cyber Security Centre's dogfood-munching technical director Ian Levy said in a canned statement: "DCMS' publication builds on the 2018 Code of Practice and ETSI EN 303 645 to clearly outline the expectations on industry. To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now."
He added: "It is also important to support uptake of good practice and provide industry with opportunities to innovate. I'm pleased to see the pilots, funded by DCMS, begin to test ways in which customers will be able to gain confidence in the security of these devices." ®