Internet-connected gadgets will need to be preset with a unique password or require the owner to set one before use, as part of plans for a UK cybersecurity law.
Manufacturers may need to be reminded of non-compliant products and may also be fined.
The government is now seeking feedback from consumer groups and industry experts to shape its final legislation.
An expert said that the new rules would need “strong enforcement”.
The “call for views” is the last step towards introducing a cybersecurity law, which was first presented in May 2019.
Other proposals include an obligation for manufacturers to indicate the minimum period of time that they will continue to provide security updates for a product after purchase.
Matt Warman, minister of digital infrastructure, said that until the law is passed, families should make sure that they have changed the default passwords of all Internet-connected devices to “protect themselves from cyber criminals”.
Millions of so-called “internet-of-things” (IoT) devices are already in use in the UK, ranging from smart speakers and thermostats to security cameras and televisions.
But the government fears that the brands behind these products sometimes preload them with one of a few dozen common passwords, which are not subsequently reset by the owners.
As a result, cybercriminals can easily compromise them and steal personal data, spy on users and even take remote control of products.
In some cases, this involves hijacking devices to organize follow-up attacks, as part of what is known as a “botnet”.
In 2016, the Mirai botnet, made up of hundreds of thousands of hacked internet-of-things products, flooded its targets with data, knocking Reddit, Spotify and Twitter, among other services, offline.
The proposals include financial penalties for companies that do not comply. Courts would also be able to order that their products be confiscated or destroyed.
It is suggested that manufacturers would be prohibited from allowing users to restore their devices to an easy-to-guess “universal factory setting”.
Device manufacturers should also tell the public how to contact them to report a security vulnerability.
Authorities could order a temporary sale ban while a problem is investigated and resolved, or permanently withdraw items from stores if they deem it necessary.
“Some smart device manufacturers are improving the safety of their products, but not for nothing,” said Ken Munro of Pen Test Partners, a Buckingham-based company responsible for exposing many high-profile gadget flaws.
“We need strict regulation and enforcement. If consumers are confident that IoT products are safe, more people will be confident of buying them.”
A government spokesman said the law will apply across the UK and could come into force as early as 2021 or 2022, but this will depend on how long it is subject to parliamentary scrutiny.