
UK Sets Global Precedent with New Smart Device Security Law Banning Default Passwords

Charles M. Walls | April 30, 2024 | Views: 117

[Image: a futuristic cybersecurity command center with digital screens displaying a variety of smart devices: smart speakers, TVs, doorbells, and baby monitors.]

The UK's National Cyber Security Centre (NCSC) has mandated that manufacturers of smart devices eliminate default passwords in a robust new legislative move set to take effect on April 29, 2024. This directive is part of the Product Security and Telecommunications Infrastructure Act (PSTI Act), aimed at ensuring consumers purchase smart devices fortified against cyber threats.

Under the new regulations, manufacturers must avoid easily guessed default passwords, establish a contact point for reporting security vulnerabilities, and clearly state the period for which security updates will be provided. Because a default password shared across every unit of a product is typically discovered and abused online, the legislation prohibits universal defaults but still allows default passwords that are unique to each device.
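The distinction between a universal default and a per-device default is the one a manufacturer's provisioning pipeline has to enforce. The following is an added example, not code from the article or from any regulator or vendor, of a factory-line audit: it flags credentials that are easily guessed, flags credentials shared between units, and replaces flagged entries with a randomly generated per-device password. The blocklist, the manifest of serial numbers and passwords, and the policy thresholds are all constructed for illustration.

```python
import secrets
import string

# Constructed, deliberately tiny blocklist of universal defaults (illustrative only).
COMMON_DEFAULTS = {"admin", "password", "12345678", "1234", "default", "root"}

# Character set for generated per-device credentials.
ALPHABET = string.ascii_letters + string.digits

# Constructed sample manifest: serial number -> factory-set password.
SAMPLE_MANIFEST = {
    "SN001": "admin",               # universal default, shared with SN002
    "SN002": "admin",
    "SN003": "Vq8sLm2xT9bRn4Kd",    # unique per-device credential
    "SN004": "Hy3wPz6cJ1fGt7Ab",    # unique per-device credential
    "SN005": "11111111",            # long enough but trivially guessable
}


def is_easily_guessed(password):
    """Return True if a factory credential counts as an easily guessed default.

    Policy thresholds here are assumptions for the example, not the Act's text.
    """
    p = password.strip().lower()
    if p in COMMON_DEFAULTS:
        return True
    if len(p) < 8:
        return True
    if len(set(p)) <= 2:          # e.g. "aaaaaaaa" or "11111111"
        return True
    return False


def find_shared_defaults(manifest):
    """Group serials by password; any group with more than one unit is a shared default."""
    by_password = {}
    for serial, pw in manifest.items():
        by_password.setdefault(pw, []).append(serial)
    return {pw: serials for pw, serials in by_password.items() if len(serials) > 1}


def audit_manifest(manifest):
    """Return a sorted list of (serial, finding) pairs for non-compliant units."""
    findings = []
    for serial, pw in manifest.items():
        if is_easily_guessed(pw):
            findings.append((serial, "easily guessed default"))
    for serials in find_shared_defaults(manifest).values():
        for serial in serials:
            findings.append((serial, "default shared with other units"))
    return sorted(findings)


def generate_device_password(length=16):
    """Generate a random per-device credential from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def remediate(manifest):
    """Return a copy of the manifest in which every flagged unit gets a fresh unique password."""
    flagged = {serial for serial, _ in audit_manifest(manifest)}
    fixed = dict(manifest)
    used = set(fixed.values())
    for serial in flagged:
        new_pw = generate_device_password()
        while new_pw in used:                # guard against the negligible chance of a collision
            new_pw = generate_device_password()
        used.add(new_pw)
        fixed[serial] = new_pw
    return fixed


if __name__ == "__main__":
    for serial, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"{serial}: {finding}")
    print("after remediation:", audit_manifest(remediate(SAMPLE_MANIFEST)))
```

Running the block on the constructed manifest reports SN001 and SN002 twice each (guessable and shared) and SN005 once, and the remediated manifest produces no findings. A real provisioning system would of course bind the generated credential to the unit (printed label, QR code, or secure element) rather than keep it in a plain dictionary.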

The PSTI Act enforces minimum security standards to safeguard devices from becoming part of massive Distributed Denial of Service (DDoS) attacks, like those orchestrated by the infamous Mirai botnet. The act covers a wide range of internet-connected devices, including smart speakers, TVs, streaming devices, smart doorbells, baby monitors, security cameras, cellular tablets, smartphones, game consoles, wearable fitness trackers, and various smart home appliances like light bulbs and thermostats.

Failure to comply with these standards could lead to severe repercussions for companies, including product recalls and heavy fines—potentially as much as £10 million or up to 4% of the company's global annual turnover, whichever is greater. This legislation positions the UK as the pioneer in prohibiting default usernames and passwords in Internet of Things (IoT) devices, a necessary step given the persistence of Mirai-based attacks, as reported by Cloudflare in their DDoS threat report for the first quarter of 2024.

In a related development on digital security and privacy, the US Federal Communications Commission (FCC) recently levied a hefty $196 million fine against the major telecom carriers AT&T, Sprint, T-Mobile, and Verizon for illegally selling customers' real-time location data to third parties without consent. This breach of trust, first spotlighted by US Senator Ron Wyden in 2018, underscores the ongoing challenge of securing personal data in the digital age.
