Advertisement

New UK law will hit smart home device makers with big fines for using default passwords

Default passwords for internet of things devices will be banned.

Gov.UK

The UK has introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill, a suite of new regulations designed to improve security on smart home devices, the government announced. The rules will ban easy-to-guess default passwords, require disclosure of security update release dates and more — under penalty of hefty fines.

The new rules were originally proposed last year, following a long period of consultation, and are largely unchanged. The first one is a ban on easy-to-guess default passwords, including classics like "password" and "admin." All passwords that come with new devices will "need to be unique and not resettable to any universal factory setting," the law states.

"Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft," said UK Minister Julia Lopez. "Our Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards."

ADVERTISEMENT

Next, manufacturers must tell customers at the point of sale and keep them updated about the minimum time requirement for security patches and updates. If the product doesn't come with them, that fact must be disclosed. Finally, manufacturers must provide a public point of contact for security researchers to they can easily disclose flaws and bugs.

The government is hoping to curtail attacks on household devices, citing 1.5 billion attempted compromises of Internet of Things (IoT) devices in the first half of 2020 alone. As examples, it cited a 2017 attack in which hackers stole data from a casino by attacking an internet-connected fish tank. It added that "in extreme cases, hostile groups have taken advantage of poor security features to access people's webcams."

The rules will be overseen by a regulator that will be appointed once the bill comes into law. Fines could hit up to £10 million ($13.3 million) or 4 percent of a company's gross revenue — with up to £20,000 a day levied for ongoing infractions. The law applies not only to manufacturers, but also businesses that import tech products into the UK. Products include smartphones, routers, security cameras, games consoles and home speakers, along with internet-enabled appliances and toys.