Ask Rocio: how do we feel about the safety of smart goods?

Dear Rocio.

I am a supplier of electrical products, including smart devices. How can I make sure I comply with the new state product safety laws?

name and address provided

Rocío says: The smart product market has really taken off in recent years, with some industry experts speculating that its global market could be worth £370 billion by 2030.

Since consumer confidence is so heavily reliant on this growing industry, it would be a good idea to assume that the products we buy meet minimum cybersecurity standards. But alas, if Which? Research has repeatedly shown that this is often far from the case.

This is largely due to the lack of legal requirements for the safety of the product, which leads to the unreliability of the product in the Wild West.

From doorbells to Wi-Fi routers and smart speakers to smartphones, we’ve found that hackers can easily compromise the security of these everyday household items, especially once they stop receiving critical software updates, exposing them to a range of malicious opportunities. including surveillance and data theft.

It is encouraging that the Government has adopted new legislation to deal with this problem. The Product Security and Telecommunications Infrastructure Act (PTSI), although not unscheduled, addresses important issues related to quality control of security standards. It’s welcome – and something Which? has been campaigning for years – not least because so many of the smart products we have at home are “connected”.

What does PTSI mean for manufacturers, distributors and retailers in the future? First, they must clearly communicate to customers at the point of sale how long they will support the devices—essentially with an expiration date. This means customers can choose the company with the best support duration so there are no nasty surprises later.

Second, brands also need to ensure that customers don’t risk buying a device with a weak default password that hackers can easily guess. Of course, the weaker the password, the easier it is to hack the device. As the products in our homes become smarter, other connected devices are also more likely to be compromised. For example, by breaking into a smart doorbell, a hacker can gain access to your entire home network.

Third, new laws will enable better reporting of security vulnerabilities. This means that it is now much easier for security researchers and other organizations to Which? to report security vulnerabilities when a manufacturer needs to evaluate whether a problem can be fixed or if further action is required. In theory, it will be much easier to detect, report, and fix security issues than it has been in the past.

As products become smarter, legislation needs to keep up with the times. Which? worked with successive governments to combat poorly designed and insecure smart products that unwittingly put consumers at risk from hackers. We’ve heard disturbing stories from former partners about people taking advantage of weak security in devices like Wi-Fi routers and smart speakers. These new laws should make it much more difficult.

The government must ensure that manufacturers and vendors know exactly how long products will receive security updates, and must go even further by setting minimum time periods for supporting smart devices.

As is often the case, new laws are only as good as their regulation and enforcement. The PSTI law, which is expected to come into force in 2024, will cover a wide range of products, from TVs to smart toys and from washing machines to wireless security cameras, leaving the regulator free to deal with the issue. Which? expects these new laws to be backed up by strong enforcement, including in relation to online marketplaces, which our research has shown have been repeatedly flooded with unsafe products. Consumers need to be confident that the internet-connected products they buy online are safe.

Rocio Concha – Director of Policy and Advocacy at Which? Please send an email to [email protected]so that your questions appear on this page