The Product Security and Telecommunications Infrastructure (PSTI) Act has come into effect today, requiring manufacturers of consumer-grade IoT products sold in the UK to stop using guessable default passwords and have a vulnerability disclosure policy.
“Most smart devices are manufactured outside the UK, but the PSTI act also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence, with fines up to £10 million or 4% of qualifying worldwide revenue (whichever is higher),” Carla V, National Cyber Security Centre’s Citizen Resilience Officer, pointed out.
About the legislation
The PSTI Act covers internet- and network-connectable products, including “smart”:
- TVs, streaming devices, speakers
- Games consoles, smartphones, tablets
- Base stations and hubs
- Home automation and alarm systems
- “Wearables”: smart watches, fitness trackers, etc.
- Home appliances (thermostats, washing machines, light bulbs, fridges, home assistants, etc.)
- Security devices (doorbells, security camers, baby monitors, etc.)
- Children’s toys
According to the Act, each product must be secured “out-of-the-box” with a unique password that’s not based on incremental counters on or derived from publicly available information or unique product identifiers, and not easily guessable. Users must also be able to change it.
“The manufacturer must provide information on how to report to them security issues about their product. The manufacturer must also provide information on the timescales within which an acknowledgment of the receipt of the report and status updates until the resolution of the reported security issues can be expected by person making the report. This information should be made available without prior request in English, free of charge. It should also be accessible, clear and transparent,” the UK Department for Science, Innovation and Technology explains.
Finally, the manufacturers must make available – “in English, free of charge and in a such a way that is understandable for a reader without prior technical knowledge” – information on how long the product will be receiving security updates.
“This legislation must now be backed by strong enforcement, including against online marketplaces that are flooded with insecure products, to prevent consumers purchasing internet-connected devices that threaten their security and may leave them needing to replace otherwise usable products,” said Rocio Concha, Director of Policy and Advocacy at UK’s consumer champion Which?
The Office for Product Safety and Standards (OPSS) – which is part of the Department for Business and Trade – will be responsible for enforcing the Act.
IoT cybersecurity laws in the EU and US
It could be argued that the disruptive 2016 DDoS attack on Dyn by miscreants that gathered “un-updateable” IoT devices with hardcoded passwords into a botnet was the moment when the need for legislation such as the PSTI Act became obvious.
A variety of government and standards organizations have since published guidelines and recommendations for IoT manufacturers to improve the cybersecurity of their products, but this is the first national law that mandates specific security-related improvements.
In Europe, the Cybersecurity Act (2019) has introduced voluntary cybersecurity certification schemes for ICT products, services, and processes, but the upcoming Cyber Resilience Act (CRA) is expected to introduce mandatory cybersecurity requirements.
In the US, the IoT Cybersecurity Improvement Act of 2019 outlined minimum security standards for IoT devices used by the federal government, and California and Oregon passed a state law that requires manufacturers of Internet-connected devices sold in those states to equip them with “reasonable security features” such as a unique default password.
These laws are hopfully just the first of many and will be strengthened throughout the years. The responsibility of keeping IoT devices secure is finally being partially shifted on manufacturers.