New law could force tech firms to say how long smartphones will receive updates

Smartphone makers could be forced to say for how long handsets will be guaranteed to receive important security updates under new laws proposed by the Government.

The move is part of wider plans to make sure “virtually all” smart devices meet tighter security requirements, including smart speakers and video doorbells.

Easy-to-guess universal default passwords such as “password” and “admin” would also be banned.

At present, when buying a new smartphone, it is not always entirely clear how long the manufacturer intends to send out updates which are vital for patching any software flaws that are found.

Should the laws be approved, device makers would be compelled to tell customers the duration of time security software updates will be made available at the point of sale.

It is hoped the change will help prevent users from unwittingly exposing themselves to cyber threats by using an outdated device that may no longer be secure.

“Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems,” said Matt Warman, digital infrastructure minister.

“We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.

“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”

Under the proposals, manufacturers will also be expected to provide a simple point of contact for the public to report any vulnerabilities they spot.

The Internet of Secure Things (IoXT) Alliance – whose members include the likes of Google, Amazon and Facebook – welcomed the reforms, calling the plan a “critical step to demand more from IoT (Internet of Things) device manufacturers and to better protect the consumers and businesses that use them”.

Concerns come after research commissioned by the Government suggested that almost half (49%) of UK residents have purchased at least one smart device since the coronavirus pandemic began.

Dr Ian Levy, technical director at the National Cyber Security Centre (NCSC), said: “Consumers are increasingly reliant on connected products at work and at home.

“The Covid-19 pandemic has only accelerated this trend and while manufacturers of these devices are improving security practices gradually, it is not yet good enough.

“To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now.”