U.K. Moves to Prohibit Bad Default Passwords on IoT Devices

Key Takeaways

  • The U.K. is the first nation to introduce new minimum standards policy on passwords for IoT devices.
  • Weak terms and common phrases will be prohibited.
  • Manufacturers will have to be open with consumers about how and when they can expect to receive important security updates.

The U.K. has introduced a policy to prevent bad default passwords from being used, through an update to the Product Security and Telecommunications Infrastructure Act (PSTI).

As of today (April 29th), the new regulations require that IoT devices connected to the internet or a wired local network be secured using either a unique default password or one set by the person who is the primary user.

The world-first legislation aims to protect consumers from hacking and cyberattacks, compelling manufacturers of items such as smartphones, TVs, and connected doorbells to meet minimum security standards. Default passwords using terms such as “admin,” “pass” or “12345” will no longer be allowed. If a weak or common password is detected, the user will be prompted to change it at the device setup stage. 

As part of the new policy, manufacturers must publish contact details to make it easy for users to report bugs or any other issues.

Any products that don’t meet PSTI standards could be recalled, and the responsible companies could face a maximum fine of either £10 million ($12.53 million) or 4% of their global revenue, whichever is higher.

The U.K. government will directly oversee the implementation of the new law through its Department for Business and Trade. One of its departments, the Office for Product Safety and Standards (OPSS), will be directly responsible, rather than an external, independent entity.

An investigation by a U.K. consumer rights body has indicated that a modern home fitted with several smart devices could be subjected to more than 12,000 hacking attempts from around the world within seven days, including 2,684 attempts to compromise weak default passwords on just five devices.

In the U.S., the FCC is attempting to establish a similar scheme with the Cyber Trust Mark program. The logo denotes which companies are complying with the requirements.

However, no authority is enforcing the requirements or making companies enact changes.