A draft Product Safety and Telecommunications Infrastructure (PSTI) Act has been submitted to the British Parliament for consideration. It puts before UK lawmakers a set of regulations intended to improve the security of electronic devices connected to the Internet. In particular, the regulations ban manufacturers of such devices from using easily guessed default passwords, oblige them to name the release dates of security updates, and set other requirements. Failure to comply could bring a huge penalty.
The new rules were originally proposed last year after lengthy consultations. They have changed little since then.
The prohibition on easily guessed default passwords will prevent manufacturers from using, for example, such classic options as “password” and “admin”. According to the law, all passwords that come with new devices “must be unique and not reset to any universal factory settings.”
With the new law, the government hopes to limit attacks on home appliances. Statistics show that its adoption is a must: in the first half of 2020 alone, cybercriminals launched 1.5 billion attacks on IoT devices.
Compliance with the rules will be monitored by a regulatory body, which will be appointed after the law comes into force. Fines for violations can be as high as £10 million, or 4% of the offending company’s gross income. The law applies not only to manufacturers, but also to businesses that import products covered by the law into the UK. The list includes smartphones, routers, CCTV cameras, game consoles and home speakers, as well as household appliances and toys with internet access.