Proposed new UK legislation will require device makers to provide vital security information to consumers at the point of sale to help protect against cyber-attack.

Mary Lennighan

April 21, 2021

UK requires device makers to provide better security info

The problem is that consumers are buying more and more smart devices – be it smart phones, speakers, doorbells or whatever – but are given little to no information on how secure those devices are. Or, more specifically, for how long the manufacturer will continue to push out security updates.

The government cited research published late last year by consumer group Which? that showed one third of people kept their last phone for more than four years, but some device makers only offer security updates for just over two years, thus putting a sizeable number of people at risk.

And more to the point, those people don’t know that they are at risk.

To address that, the government intends to make device manufacturers share details of the duration of their planned security updates upfront, at the point of sale, so consumers know for how long their devices will be protected and can then act accordingly.

Whether having that information will inform buying decisions – consumers could conceivably show a preference for devices with longer support cycles – and whether the requirement will encourage manufacturers to extend support periods remains to be seen. But either way, it’s clearly a good move; knowledge is power, after all.

It is also a timely move.

A government report on consumer attitudes to IoT security, also published at the back end of last year, showed that almost half of UK households have purchased at least one smart device since the start of the Covid-19 pandemic last March, the average being two purchases per household. Smartphones and laptops topped the list of smart device buys, with 17% of households purchasing the former and 11% the latter, but smart speakers, tablets, connected TVs, smart watches, games consoles, smart home devices and many others also featured.

“These everyday products – such as smart watches, TVs and cameras – offer a huge range of benefits, yet many remain vulnerable to cyber attacks,” the government said, in a statement. And just to hammer home its point, it reminded us that a few years ago hackers were able to steal data from a North American casino by exploiting a vulnerability in a connected fish tank, and warned of hostile groups gaining access to webcams.

Scary stuff.

The new law aims to tackle it though. In addition to requiring manufacturers – the government specifically highlighted the big guns: Google, Apple and Samsung, although it will apply to all – to share information on security updates, the legislation will bar vendors from using easy-to-guess security information in factory settings, such as ‘password’ and ‘admin,’ and will make them provide a public point of contact to make it simpler for people to report any vulnerability.

“We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords,” said Digital Infrastructure Minister Matt Warman.

“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic,” he said.

‘Torpedo’ is a strong word, particularly given that experience has demonstrated the tenacity of cyber attackers. However, this is important legislation that will make a real difference to consumers, as evidenced by the raft of supporting comments the government included in its announcement from various security bodies and consumer groups. Nothing from the manufacturers themselves though…

So, when can we hope to benefit from the new rules? “The government intends to introduce legislation as soon as parliamentary time allows,” the announcement concludes.

About the Author(s)

Mary Lennighan

Mary has been following developments in the telecoms industry for more than 20 years. She is currently a freelance journalist, having stepped down as editor of Total Telecom in late 2017; her career history also includes three years at CIT Publications (now part of Telegeography) and a stint at Reuters. Mary's key area of focus is on the business of telecoms, looking at operator strategy and financial performance, as well as regulatory developments, spectrum allocation and the like. She holds a Bachelor's degree in modern languages and an MA in Italian language and literature.
