UK bans devices with weak passwords

Under new rules, manufacturers must prompt users to change generic passwords during setup

The government has enacted a law that bans internet-connected devices from having weak default passwords.

This means everyday tech, from smartphones and TVs to smart doorbells, must now meet minimum security standards.

The new regulations, which came into effect on Monday, aim to protect consumers from hackers who exploit easily guessable passwords like "admin" or "12345."

The legislation, the Product Security and Telecommunications Infrastructure Act (PSTI) of 2022, is the first of its kind in the world and aims to improve cybersecurity for consumers and businesses alike.

The new law means that manufacturers must now ensure their devices are secure and prompt users to change any generic passwords during setup.

Companies must also make contact information readily available for users to report bugs and vulnerabilities in their products.

Additionally, manufacturers are required to clearly communicate how long security updates will be provided for each device.

Non-compliant devices could face recall, but the bigger deterrent might be the hefty fines - up to £10 million or 4% of a company's global revenue.

The new changes are expected to boost consumer confidence in the security of smart devices, a growing concern as cyberattacks on individuals and businesses, and awareness of them, continue to rise. The urgency for increased security is further emphasised by the ever-growing number of internet-connected devices in our homes.

A typical UK household boasts an average of nine connected devices, with smart TVs, voice assistants, and fitness trackers becoming commonplace, according to a recent study. These seemingly innocuous gadgets, however, can be exploited by hackers, potentially compromising home networks and exposing sensitive data.

"As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater," said Science and Technology Minister Jonathan Berry.

"From today, consumers will have greater peace of mind that their smart devices are protected from cybercriminals."

Enforcement of the PSTI regime falls under the Office for Product Safety and Standards (OPSS), which will be responsible for providing clear guidelines to manufacturers and taking action against those who fail to comply.

Commenting on the new regulation, Sylvain Cortes, VP Strategy at Hackuity, said, "The requirements of the new PSTI Act in the UK are a welcome development in protecting consumers from the security risks of connected devices."

"These devices are part of our daily lives, but the fact is that many were designed with ease of use rather than security in mind, which provided an open door for cybercriminals to exploit. With the new regulations, consumer IoT devices will now have to have a vulnerability disclosure programme so that weaknesses can be properly dealt with.

"This is a more robust framework to ensure smart devices meet minimum-security standards and represents a significant step forward in ensuring the safety of the IoT ecosystem."

Steve Bradford, Senior Vice President EMEA, SailPoint, noted: "It's important we stamp out weak passwords for good. Passwords are one of our most widely used security controls, but often they're overlooked or abused. The common advice is to make these strong and unique – so we need to be encouraging these practices right from the start, and we need manufacturers to help set that precedent."

"But protecting accounts doesn't stop there. In today's complex digital landscape, individuals and businesses need to do more to keep hackers at bay. Tools such as multifactor authentication (MFA) should be used, providing an additional layer of protection to all online accounts. Using free password management tools can also lend a hand in creating complex passwords for accounts and storing them securely, eliminating the need for user memory. Tools like these should be standard practice for businesses and users alike."