New UK law bans default passwords on smart devices

   April 30, 2024  Posted in Securityaffairs


NCSC: New UK law bans default passwords on smart devices

Pierluigi Paganini
April 30, 2024

The UK National Cyber Security Centre (NCSC) orders smart device manufacturers to ban default passwords starting from April 29, 2024.

The U.K. National Cyber Security Centre (NCSC) is urging manufacturers of smart devices to comply with new legislation that bans default passwords.

The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will be effective on April 29, 2024.

“From 29 April 2024, manufacturers of consumer ‘smart’ devices must comply with new UK law.” reads the announcement published by NCSC. “The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will help consumers to choose smart devices that have been designed to provide ongoing protection against cyber attacks.”

The U.K. is the first country in the world to ban default credentia from IoT devices.

The law prohibits manufacturers from supplying devices with default passwords, which are easily accessible online and can be shared.

The law applies to the following products:

  • Smart speakers, smart TVs, and streaming devices
  • Smart doorbells, baby monitors, and security cameras
  • Cellular tablets, smartphones, and game consoles
  • Wearable fitness trackers (including smart watches)
  • Smart domestic appliances (such as light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners, and washing machines)

Threat actors could use them to access a local network or launch cyber attacks.

Manufacturers are obliged to designate a contact point for reporting security issues and must specify the minimum duration for which the device will receive crucial security updates.

The NCSC clarified that the PSTI act also applies to organizations importing or retailing products for the UK market, including most smart devices manufactured outside the UK. Manufacturers that don’t comply with the act will be punished with fines of up to £10 million or 4% of qualifying worldwide revenue.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, smart device manufacturers)





Source link