The requirements are pretty basic.
- All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting
- Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
- Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online
The government is perhaps overselling the benefits.
Digital Minister Matt Warman said: “We want to make the UK the safest place to be online with pro-innovation regulation that breeds confidence in modern technology. Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people’s privacy and safety. It will mean robust security standards are built in from the design stage and not bolted on as an afterthought.”
All the same, even preventing the use of default passwords is a lot better than nothing. There are a huge number of network cameras out there, for example, with default passwords which many owners don’t bother to change.
Apple’s HomeKit protocol aims to make smart home devices secure by addressing security at a more fundamental level. Devices and whatever hub is controlling them (be it a manufacturer bridge or an Apple TV, HomePod or iPad in hub mode) must use encrypted communications. The hub must ensure that the device is a certified one before sending it a command, and the device must check that the hub is certified before obeying it.