from Hacker News

Tougher rules for sellers of internet-enabled devices in the UK

by timmb on 4/29/24, 10:21 AM with 68 comments

  • by askvictor on 4/30/24, 7:28 AM

    We had to recently look at this as we sell our product in the UK. The rules are really quite pissweak. From the article:

    * that password procedures are more secure, including ensuring any set by the manufacturer are not left blank or using easy-to-guess choices like "12345" or "admin"

    Reasonable. But that's a _really_ low bar.

    * that there is clarity around how to report "bugs" or security problems that arise

    i.e. an email address published on the vendor website. No actual requirement to take action.

    * that manufacturers and retailers inform customers how long they will receive support, including software updates, for the device they are buying

    which means nothing if the manufacturer goes bankrupt.

  • by Beretta_Vexee on 4/30/24, 7:39 AM

    It's a greatly diluted version of the IoT article from the European Cybersecurity Act (Regulation (E.U.) 2019/881 of April 17 2019), 4 years after everyone else.

    https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...

    Nothing new or interesting. If the products were already on the market in the European Union, they had already been subject to stricter requirements for 4 years.

    The only change is that sellers now have to display this information in the UK, whereas before they were not obliged to do so.

  • by petepete on 4/30/24, 7:09 AM

    While this move is clearly sensible, the number of people importing absolute junk from Temu/AliExpress/Shein means millions of homes will be exploitable regardless.

  • by surfingdino on 4/30/24, 7:10 AM

    > that manufacturers and retailers inform customers how long they will receive support, including software updates, for the device they are buying

    This is important. I noticed Epson publishing information on the length of support for their printers already.

  • by Fizzadar on 4/30/24, 10:56 AM

    Heh, saw the UK in the headline and expected another leap towards our 1984-inspired future. Nice to see a change that actually benefits those of us who live here! Small step in the right direction.

  • by leoedin on 4/30/24, 9:48 AM

    The law itself says very little about what products do - it works similarly to other laws around machines and devices, where the heavy lifting is relegated to industry-accepted standards. This is how CE marking (and the somewhat stalled UKCA mark) works - the law says you have to show that your device complies with industry standards, you produce a bunch of documentation showing this, and then you can give it a CE mark. It's all self-certified - there's no central body which will check.

    It was surprisingly hard to work out the actual standards you need to comply with. It seems it's mostly ETSI EN 303 645, which is an IoT security standard for consumer devices. This is actually a fairly pragmatic checklist of things your device should do. It's a good thing this is now mandated by law. You can see the standard here: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02...

    There's an ARM "Platform Security" framework which cross-checks against that standard - so if you can tick all their boxes you're compliant with the law. https://www.arm.com/architecture/psa-certified

    It's nice that this standard is openly available - so many of the standards you must comply with to legally sell a product in the EU are hidden behind expensive paywalls. It's absurd that complying with EU and UK law requires paying a 3rd party sometimes hundreds of Euros.