Smartphones will be included in the scope of a planned “security by design” U.K. law aimed at beefing up the security of consumer devices, the government said today. It made the announcement in its response to a consultation on legislative plans aimed at tackling some of the most lax security practices long-associated with the Internet of Things (IoT). The government introduced a security code of practice for IoT device manufacturers back in 2018 — but the forthcoming legislation is intended to build on that with a set of legally binding requirements. A draft law was aired by ministers in 2019 — with the government focused on IoT devices, such as webcams and baby monitors, which have often been associated with the most egregious device security practices. Its plan now is for virtually all smart devices to be covered by legally binding security requirements, with the government pointing to research from consumer group “Which?” that found that a third of people kept their last phone for four years, while some brands only offer security updates for just over two years. The forthcoming legislation will require smartphone and device makers like Apple and Samsung to inform customers of the duration of time for which a device will receive software updates at the point of sale. It will also ban manufacturers from using universal default passwords (such as “password” or “admin”), which are often preset in a device’s factory settings and easily guessable — making them meaningless in security terms. California already passed legislation banning such passwords in 2018 with the law coming into force last year. Under the incoming U.K.