New law will issue bans, fines for using default passwords on smart devices

The idea of connecting your entire home to the internet was once a mind-blowing concept. Thanks to smart devices, that concept is now a reality. However, this technological advancement aimed at making our lives more convenient (not to mention very cool and futuristic) has also opened a wide door for cybercriminals.

New figures from a recent investigation conducted by Which?, the UK's leading consumer awareness and review site, suggest that a home full of smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks in a single week. And smart devices are big news: a study commissioned by the UK government in 2020 found that almost half (49 percent) of UK residents had purchased at least one smart device since the pandemic started.

And because so many of us never change the default passwords that ship with the smart devices we buy, we are putting ourselves, our homes, and our family's data and privacy directly in the line of fire of online attacks without knowing it.

To help address this cybersecurity and privacy problem, the UK government will soon roll out the Product Security and Telecommunications Infrastructure (PSTI) Bill, which bans easy-to-guess default passwords on internet-connected devices for the home, collectively known as the Internet of Things (IoT). The law covers smartphones, routers, games consoles, toys, speakers, security cameras, and internet-enabled white goods (fridges, washing machines, etc.), but not vehicles, smart meters, smart medical devices, laptops, or desktop computers. Firms that don't comply will face huge fines.

The BBC has highlighted three new rules under this bill:

  • Easy-to-guess default passwords preloaded on devices are banned. All products now need unique per-device passwords that cannot be reset to a universal factory default
  • Customers must be told, when they buy a device, the minimum period for which it will receive vital security updates and patches. If a product will not receive them, that must also be disclosed
  • Security researchers will be given a public point of contact through which to report flaws and bugs

A regulator will be appointed to oversee the bill once it is fully in force. The regulator will have the power to fine manufacturers of vulnerable smart devices, and the marketplaces that sell them (Amazon, for example), up to £10 million or 4% of their global turnover, whichever is greater. It can also impose an additional fine of up to £20,000 a day if a company remains in violation of the law.

“This is just the first step”

Julia Lopez, the Minister of State at the Department for Digital, Culture, Media and Sport, said: “Our bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those that fall foul of tough new security standards.”

While Ken Munro, a security consultant at Pen Test Partners, told the BBC he sees the bill as a "big step in the right direction", he also cautioned against complacency: "However, it's important that government acknowledges that this is just the first step. These laws will need continual improvement to address more complex security issues in smart devices," he said.