Firstly, all IoT device passwords must be unique and not resettable to any universal factory setting. Secondly, manufacturers must clearly provide a point of contact so anyone can get in touch to report a vulnerability. Finally, manufacturers must make it clear at the point of sale how long their devices will receive security updates.
The proposed rules -- which are relatively straightforward from a manufacturer's point of view -- come after a long consultation period, during which officials explored the potential impact of the growing popularity of connected devices: government research indicates there will be some 75 billion internet-connected devices in homes around the world by the end of 2025. It's hoped such legislation will help prevent attacks that have, in the past, had widespread consequences. In 2016, for example, a Mirai botnet hacked into connected home devices and took down large chunks of the internet.
Nicola Hudson, policy and communications director at the National Cyber Security Centre -- which created the new rules -- said that the law "will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past."
The government says it's planning on implementing the law as soon as possible, although it will first be run on a voluntary basis while officials observe its effectiveness. The government also says that it is now working on developing these rules further in a way that "supports the long term growth of the IoT," and plans to work with international partners to help "drive a consistent, global approach to IoT security."