The UK has taken a pioneering step by introducing new laws aimed at safeguarding consumers against hacking and cyber-attacks on internet-connected smart devices such as baby monitors, televisions, and speakers. Under these laws, manufacturers must meet basic security standards, which prohibit weak, easily guessable default passwords such as ‘admin’ or ‘12345’. Where a device still ships with a common default password, users must be prompted to change it on startup.
In many cases, a smart home device, or even something as crucial as a wireless router, comes with a pre-configured password straight out of the box, and these passwords are often alarmingly weak. Certain routers, for instance, come preset with ‘admin’ as both the username and the password, which is a significant security risk: anyone who can reach the login page and knows the model can sign in. Such practices will no longer be permissible in either the UK or the EU, following separate cybersecurity laws enacted by each.
This legislative initiative is particularly timely given recent statistics indicating that 99% of UK adults own at least one smart device, with the average UK household having nine connected devices. By implementing these measures, the UK is significantly strengthening its defences against cyber-crime. The government also hopes the new laws will give consumers confidence in purchasing and using connected smart and IoT devices, thereby helping to grow businesses and the broader economy.
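The first-boot requirement described above, as an added example that is not code from this page or from any manufacturer: a Python model of a device's local admin account that rejects known factory defaults, mints a per-unit random default at provisioning time, and forces a change on the first login. The blocklist, the `Device` and `provision` names, and the rule rejecting new passwords that contain the serial number or MAC address are assumptions made for the example (the last goes beyond the page's ‘admin’/‘12345’ examples to the wider class of guessable defaults).

```python
"""Added example: a first-boot credential gate for a consumer IoT device.
Illustrative code, not from any vendor; the blocklist and names are assumptions."""
import hashlib
import secrets
import string
from typing import Optional, Tuple

# Constructed, deliberately short blocklist of well-known factory defaults.
# A production device would carry a much larger list (the credentials used by
# Mirai-style scanners are a realistic source).
WEAK_DEFAULTS = frozenset({
    "admin", "password", "1234", "12345", "123456", "root", "user",
    "guest", "default", "support", "pass", "0000", "1111", "admin1234",
})
MIN_LENGTH = 8


def is_weak_default(password: str) -> bool:
    """True if the password is a known default or trivially guessable."""
    p = password.strip().lower()
    if p in WEAK_DEFAULTS or len(p) < MIN_LENGTH:
        return True
    if len(set(p)) <= 2:                      # "aaaaaaaa", "12121212"
        return True
    steps = [ord(b) - ord(a) for a, b in zip(p, p[1:])]
    if steps and all(s == 1 for s in steps):  # "12345678", "abcdefgh"
        return True
    return False


def generate_unique_default(length: int = 12) -> str:
    """Per-unit factory password from a CSPRNG. Deliberately NOT derived from
    the serial number or MAC address, which an attacker can enumerate."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Device:
    """Minimal model of a device's local admin account (assumed structure)."""

    def __init__(self, serial: str, mac: str, factory_password: str):
        self.serial = serial
        self.mac = mac
        self.must_change_password = True  # set at the factory, cleared on first login
        self._salt = secrets.token_bytes(16)
        self._hash = self._kdf(factory_password)

    def _kdf(self, password: str) -> bytes:
        # Never store the password itself; a salted PBKDF2 hash is the minimum.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _verify(self, password: str) -> bool:
        return secrets.compare_digest(self._hash, self._kdf(password))

    def _acceptable(self, old: str, new: str) -> bool:
        if is_weak_default(new) or new == old:
            return False
        low = new.lower()
        # Reject passwords built from identifiers printed on the device label.
        ids = {self.serial.lower(), self.mac.lower(), self.mac.replace(":", "").lower()}
        return not any(i and i in low for i in ids)

    def login(self, password: str, new_password: Optional[str] = None) -> str:
        """Returns 'denied', 'change_required', 'rejected_weak' or 'ok'."""
        if not self._verify(password):
            return "denied"
        if not self.must_change_password:
            return "ok"
        if new_password is None:
            return "change_required"   # the prompt the law requires on first start
        if not self._acceptable(password, new_password):
            return "rejected_weak"
        self._hash = self._kdf(new_password)
        self.must_change_password = False
        return "ok"


def provision(serial: str, mac: str) -> Tuple[Device, str]:
    """Factory step: mint a unique default to print on the device label."""
    pw = generate_unique_default()
    return Device(serial, mac, pw), pw


if __name__ == "__main__":
    legacy = Device("SN-0001", "00:11:22:33:44:55", "admin")  # old-style default
    print(legacy.login("admin"))                      # change_required
    print(legacy.login("admin", "12345678"))          # rejected_weak
    print(legacy.login("admin", "SN-0001-home"))      # rejected_weak (contains serial)
    print(legacy.login("admin", "k9!Rv-moss-tide"))   # ok
    print(legacy.login("admin"))                      # denied: old default no longer works
```

The `legacy` object models a device that shipped with ‘admin’ and so must force a change before the account is usable; `provision` shows the alternative the rules prefer, a per-unit random default that is still flagged for change on first login. The serial/MAC check exists because a default that is unique per device but derived from a label value is no better than a shared one once the derivation is known.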
What the experts are saying:
Jamie Akhtar, CEO at CyberSmart: “This law has been a long time coming and lawmakers have made a great start in tackling the risks associated with IoT devices. This coupled with the NCSC’s point-of-sale guidance will undoubtedly help consumers (and businesses) implement baseline security measures for IoT devices.
“However, the legislation could and should go further. Manufacturers bear a responsibility to consumers to ensure that their products are as secure as possible. This legislation is a little ‘light touch’ in that regard. Just 3 of the top 13 requirements from the ETSI EN 303 645 standard for consumer IoT security (which the law took inspiration from) are included in the final legislation, leaving it a little weak in some aspects.
“In short, it’s a great start but we look forward to it being built upon by future legislation.”
Mayur Upadhyaya, CEO of APIContext: “The new UK law requiring stronger security for smart devices, including eliminating weak passwords, is a welcome step forward for consumer cybersecurity. This forces manufacturers to prioritise security from the outset, significantly reducing the risk of unauthorised access and cyberattacks. Consumers benefit from a baseline level of protection “out of the box,” while manufacturers may see long-term gains in consumer trust and sales.
“However, it’s important to remember that connected devices often communicate with each other and external services via APIs (Application Programming Interfaces). While the PSTI Act addresses device security, further guidance on API security is still needed. Stronger authentication mechanisms for APIs are crucial to prevent unauthorised access and data breaches. This focus on a holistic ecosystem of secure devices and authenticated APIs will ultimately lead to a more robust and resilient digital landscape.”
Javvad Malik, lead security awareness advocate at KnowBe4: “For too long, the default stance on smart device security has been sub-standard, with default passwords like 1234 or ones made to be easily guessable.
“It’s refreshing to see a move towards mandating stronger built-in security measures and a fundamental move that shifts some of the onus of security from consumers, who might not be cyber-savvy, back onto the manufacturers. Manufacturers will need to ensure their devices can’t just be hijacked by anyone with a list of default passwords, as we saw with the case of the Mirai botnet.
“The inclusion of requirements for manufacturers to provide clear contact details for reporting bugs and being transparent about the length of time devices will receive security updates is vital and will be valuable to consumers’ buying decisions.
“It’s a move that recognises the fact that cybersecurity is not just a technical issue, but a societal one. As we continue to surround ourselves with increasingly smart devices, making sure they are secure by design is not just good sense; it fosters a culture of cybersecurity that can protect individuals and society’s privacy and well-being.”
Darren Guccione, CEO and Co-Founder of Keeper Security: “There are a number of security risks associated with smart devices, but one of the most prevalent ones – which this law aims to stop – is weak authentication. Login credentials are a smart device’s first line of defence against hackers. If the passwords for smart devices and connected accounts aren’t strong, it means there’s a greater risk of being hacked and misused for malicious purposes. While most smart devices come with default passwords, some smart devices don’t require authentication at all, which presents a major security risk to the data being processed and the network it’s connected to.
“When smart devices do come with default passwords, it’s highly recommended to change them. Passwords should be changed to be strong and unique to prevent them from being hacked. A password generator can be used when creating your passwords to ensure they always follow password best practices, further enhancing security. A password manager can be used to securely store passwords that can be easily forgotten.
“Oftentimes, smart devices come with additional features and services that might not be necessary. If this is the case, disabling features that won’t be in use helps to reduce a device’s attack surface — thus lowering the chance of cyber threats.”
Richard Newton, Managing Consultant at Pentest People: “The enforcement of secure passwords on smart devices marks a positive step towards enhancing cybersecurity. However, a lot of technology is sourced from countries where this won’t be enforced and we will still find technology in the UK that will have weak passwords.
“The use of password managers is particularly fitting in this case – just as we advocate for unique, complex passwords with such tools, the banning of weak passwords on smart devices underscores the importance of robust security practices.
“Given the mass use of smart devices as primary gateways to the internet, making sure they are secure is critical. While manufacturers may still attempt to circumvent these regulations by using slightly stronger but still weak passwords, the overarching goal is to raise the baseline security standard.
“The encouragement of password managers reinforces the need for consumers to take proactive steps in safeguarding their online accounts. By using password managers, users can easily generate and manage strong, unique passwords for each service, avoiding the risk of widespread security breaches and minimising the potential impact of vulnerabilities in smart devices. The combination of regulatory enforcement and individual best practice represents a multifaceted approach towards enhancing cybersecurity in our everyday connected lives.”
Tim Mackey, head of software supply chain risk at the Synopsys Software Integrity Group: “With enforcement of the UK PSTI starting today, UK residents should expect to see cyber-physical products, such as IoT devices, adopting a more secure model for password usage and greater clarity on both the security measures present in the product and the duration of product support. This applies whether the device is manufactured in the UK or imported into the UK market. Failure to comply with the UK PSTI and thus market a non-conforming product could result in fines of £10 million or 4% of worldwide revenue – whichever is greater. For device manufacturers who are already conforming to ETSI EN 303 645, since the UK PSTI directly references ETSI EN 303 645, enforcement of UK PSTI shouldn’t significantly impact software development.
“For those who might be concerned that they will now need to change their passwords on computers, the UK PSTI specifically excludes desktop, laptop, and tablet computers with only WiFi capabilities—unless the tablet was specifically designed for use by someone under the age of 14.”
Simon Newman, CEO of Cyber Resilience Centre for London & International Cyber Expo Advisory Council Member: “The new law is a positive step by the UK Government towards ensuring that the devices we buy do not leave us vulnerable to common cyber threats. With the number of smart devices in our homes having increased significantly over the last few years, these new rules will force manufacturers to provide ongoing protection against cyber-attacks while giving consumers more information about the security of the products they are buying.”