A ban on weak and easily guessable default passwords is among the rules that came into force last week, after new laws were introduced forcing manufacturers to beef up the security of their internet-enabled products.
Manufacturers of devices with internet or network connectivity are now legally required to protect consumers from hackers and cybercriminals, following the introduction of new rules that require all internet-connected smart devices to meet minimum security standards.
Under the new regime, manufacturers of smart devices – anything from smartphones and games consoles to smart doorbells and connected fridges – are banned from shipping them with weak default passwords such as ‘admin’ or ‘12345’. Where a device does ship with a common password, the user must be prompted to change it on start-up.
It is hoped this will help prevent threats like the Mirai attack in 2016, in which 300,000 smart products were compromised through weak security features and then used to attack major internet platforms and services. The attack left much of the US East Coast without the internet.
Since then, similar attacks have been launched against UK banks including Lloyds and RBS, causing disruption to customers. An investigation conducted by Which? showed that a home filled with smart devices could be exposed to more than 12,000 hacking attacks from across the world in a single week, including 2,684 attempts to guess weak default passwords on just five devices.
The new laws are part of the Product Security and Telecommunications Infrastructure (PSTI) regime, which aims to improve the UK’s resilience to cyber attacks and ensure malign interference does not impact the wider UK and global economy.
Casino fish tank hack
A government factsheet on the PSTI regime cites a 2018 example in which attackers compromised a connected thermometer in a fish tank that still had its default password. The fish tank was in the lobby of a US casino, and the attackers used this foothold to enter the network and access sensitive information, including bank details.
Other improved security protections introduced this week include a requirement for manufacturers to publish contact details so that bugs and issues can be reported and dealt with. Manufacturers and retailers must also be open with consumers about the minimum period for which they can expect to receive important security updates.
Minister for Cyber, Viscount Camrose, says the growing prevalence of smart tech means new protections are needed to give consumers peace of mind: “As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater.
“We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world.”
The new laws come against a backdrop of growing use of smart devices by UK consumers. Recent figures show that 99% of UK adults own at least one smart device and UK households own an average of nine connected devices. The government hopes the new regime will help give customers confidence in buying and using products, which will in turn help grow businesses and the economy.
Public protection
Sarah Lyons, Deputy Director for Economy and Society at the National Cyber Security Centre (NCSC), says: “Businesses have a major role to play in protecting the public by ensuring the smart products they manufacture, import or distribute provide ongoing protection against cyber attacks. This landmark Act will help consumers to make informed decisions about the security of products they buy.
“I encourage all businesses and consumers to read the NCSC’s point of sale leaflet, which explains how the new PSTI regulation affects them and how smart devices can be used securely.”
Ian Pay, ICAEW’s Head of Data Analytics and Tech, says any business involved in the manufacture, import, distribution or sale of internet or network-connected devices needs to take action to ensure it complies or risk falling foul of the law. “The scope of devices covered by the legislation is broad and we would encourage our members to reflect on how it might impact them and their organisations,” Pay says.
However, the ban on default passwords does not by itself make devices more secure; the usual best practices around strong, unique passwords and multi-factor authentication still apply. “Given the lifespan of many smart devices and the difficulty in updating them – particularly those in the home – it is likely to take many years before all devices in homes and businesses meet the legislative requirements,” Pay adds.
Jim Gee, Cybercrime and Fraud Specialist and former head of Forensic Services at Crowe UK, says: “The launch of the PSTI regime marks a good step forward towards preventing one aspect of cybercrime. It should help to safeguard UK consumers and businesses from some of the more basic cyber threats. Generally and relative to other countries, the UK does quite well – especially the NCSC – but an awful lot more still needs to be done.”