New laws aim to ensure internet products are made secure - Rocio Concha of Which?

I’m a supplier of electrical products including smart devices. How can I make sure I’m complying with new government laws on product security?

The market in smart products has truly taken off in recent years, with some industry experts suggesting it could be a global market worth £370 billion by 2030. With so much riding on consumer confidence in this growth industry, it would be nice to presume that the products we buy will meet basic minimum cyber-security standards. But unfortunately, as Which? investigations have repeatedly revealed, that is often far from the case. That’s in large part because there have been no legal requirements for a product to be secure, creating a wild west of product insecurity.

From doorbells to wi-fi routers, smart speakers to smartphones, we’ve found that hackers can easily infiltrate the security of these common domestic items - particularly after they’ve stopped receiving vital software updates - leaving them open to a range of malicious opportunities, including surveillance and data theft.

Encouragingly, the government has introduced new laws to tackle this issue. The Product Security and Telecommunications Infrastructure (PSTI) Act may not roll off the tongue, but it does aim to address important issues around quality control over security standards. This is welcome - and something Which? has campaigned on for years - not least because so many of the smart products we have in our houses are ‘connected’.

So, what does the PSTI Act mean for manufacturers, distributors and retailers in the future? First, they will have to clearly inform customers at the point of sale how long they will support devices - in essence providing a ‘best before’ date. This means customers can pick the company with the best support length, so there are no nasty surprises later down the line.

Second, brands will also need to ensure that customers won’t risk buying a device with a weak default password that’s easily guessable by hackers. Clearly, the weaker the password, the easier a device is to hack. As the products in our homes become smarter, the more potential there is for other connected devices to become compromised too. Infiltrating a smart doorbell, for instance, could allow a hacker to access your entire home network.

Third, new laws will mean better reporting of security issues. This means it will now be far easier for security researchers and organisations like Which? to report security problems, forcing the manufacturer to assess whether it can be fixed or if there’s a need for further action. In theory, it will become far easier to spot security issues, report them and get solutions than has been the case in the past.

As products become smarter, legislation needs to keep up. Which? has worked with successive governments to tackle poorly-designed and insecure smart products that leave consumers unwittingly exposed to hackers. We’ve heard distressing stories of people’s ex-partners managing to exploit weak security on devices such as wi-fi routers and smart speaker devices to carry out abuse. These new laws should make that much more difficult.

The government must make sure manufacturers and sellers are clear about how long products will receive security updates and should even go further by specifying minimum periods for smart device support.

As is so often the case, new legislation is only as good as its regulation and enforcement. The PSTI Act, which will likely come into effect in 2024, is going to cover a vast range of products, from televisions to smart toys and from washing machines to wireless security cameras, so the regulator needs to be up to the challenge. Which? expects to see these new laws backed by strong enforcement, including against the online marketplaces that our investigations have repeatedly found to be flooded with insecure products. Consumers need confidence that the internet-connected products they buy online are secure.