New UK product security law won't be undercut by rogue traders upping and vanishing, government boasts
El Reg asks about phoenixing – but will the answer convince world+dog?
Britain's plans to force internet-connected device vendors to declare legally binding product lifespans won't be easily evaded by shell companies, the government has told The Register.
After the Product Security and Telecommunications Infrastructure (PSTI) Bill was introduced to Parliament last week, some questioned whether the legislation would prevent unscrupulous manufacturers and importers from avoiding legal liability by setting up shell companies.
The proposed new law will, so government spokespeople say, make manufacturers, importers, and vendors declare what a product's supported lifespan is to consumers at the point of purchase. In effect this means anyone involved in consumer internet gadget supply chains is offering a form of product support warranty.
The government's intent is to prevent suppliers of cheap IoT gadgets (and mobes 'n' fondleslabs) from dumping them on the UK market and running away without offering security updates if vulnerabilities are later discovered. Product-pwning vulns typically let malicious people conscript the pwnable gadget into a botnet, or worse.
A DCMS spokesman told us: "UK regulators are experienced in dealing with rogue traders and these new laws don't just cover distributors but also manufacturers and importers, which will lead to a reduction in the number of insecure products on the market."
Importers and disties will be legally obliged, in some circumstances, to tell their customers (who might not be end-user consumers) that a vuln has been discovered in any internet-connected gizmos they've brought into Britain, as clauses 18(3) and 18(4) of the Bill suggest [PDF].
"We are also educating people on the risks of cyber crime, including through our recent CyberAware Black Friday campaign, meaning rogue traders will find it harder to sell substandard products," added the rather optimistic DCMS spokesman.
The PSTI bill will give government figures the power to order product recalls if DCMS believes a particular item breaches minimum UK security standards. Those standards will be set out in legally binding regulations intended to be rubber-stamped into law as a statutory instrument after the PSTI Bill itself passes; the bill creates the legal framework that the regulations will flesh out.
Government has claimed the as-yet-unpublished regulations will ban default admin passwords, among other things.
Some industry sources, who wanted to remain anonymous, told The Register that if the regulations were nodded through by Parliament without public debate, they would set a standard too high or too costly for IoT device importers and vendors to meet.
DCMS told us that failure to comply with an enforcement notice issued under the PSTI bill's regulations can be pursued against the UK-based directors and officers of shell or shadow companies, rather than stopping at the company itself.
This follows the latest global regulatory trend of demanding companies have a locally incorporated subsidiary before permitting them to do business inside a country, with cynical people characterising this as the taking of local hostages to ensure obedience. ®