UK lays down fresh legislation banning crummy default device passwords

New laws mean vendors need to make clear how long you'll get updates too


Smart device manufacturers will have to play by new rules in the UK as of today, with laws coming into force to make it more difficult for cybercriminals to break into hardware such as phones and tablets.

The Product Security and Telecommunications Infrastructure Act 2022 (PSTI Act) aims to enforce minimum security standards by which all device manufacturers must abide.

Of the three main requirements all smart devices must adhere to, the ban on shipping devices with easily crackable default passwords is arguably the headliner. Default passwords are still permitted, but a product whose default is easily discoverable online will fall foul of the Act.

It has been coming for a while. We started reporting on the proposed PSTI Act back in 2021, and even at the bill's inception it primarily aimed to stamp out these what's-even-the-point passwords.

It's almost certainly a good idea – especially when we have cheap overseas kit coming in allowing pretty much anyone to break into devices like child trackers with passwords such as "12345."

Professor Alan Woodward, a computer scientist at the University of Surrey in England who specializes in security, told The Register: "I think it's a great first step. Certainly better than the vacuum that we had previously. It focuses on the basics, and one might think that's a missed opportunity, but the vast majority of successful attacks are still simple hygiene factors such as weak passwords.

"As with all these things it could go further, and it would be nice to think this is a first step rather than a completed journey."

The PSTI Act also compels manufacturers to provide a point of contact for individuals reporting security concerns, and to state clearly the minimum period for which the device will receive security updates.

There are no specific rules that stipulate what that minimum length of time should be, but whatever the support period is, it must be clearly communicated to customers.

The PSTI Act applies to any consumer smart device that either connects directly to the internet or to a home network. Such devices include:

To coincide with the PSTI Act's introduction, the UK's National Cyber Security Centre (NCSC) issued a leaflet [PDF] for people who want to bolster their device's security, complete with its longstanding guidance to create passwords using three random words.

While the legislation has been welcomed widely as an important and necessary first step, experts have highlighted some key concerns. Tim Callan, chief experience officer at Sectigo, said the laws don't go far enough and lag behind the recommended standards in Europe.

"UK IoT security laws will only require devices to meet three out of 13 standards from the European Telecommunications Standards Institute (ETSI)," said Callan. 

"That still leaves a major gap in our defenses for hackers to infiltrate our smart devices. If the UK wants to get truly serious about securing our devices, they must push businesses to do more." 

The Office for Product Safety and Standards (OPSS) has been tasked with enforcing the new rules on vendors, which makes a lot of sense given that it was already responsible for the UK's existing product safety regulations.

Others, however, remain skeptical about how hard the UK government will come down on offending vendors. Not complying with the PSTI Act is a criminal offense for domestic and overseas manufacturers, with the official punishment being a £10 million ($12.5 million) fine or 4 percent of qualifying worldwide revenue (whichever is higher).

Woodward said: "My big concern is whether or not the government will enforce it. The new law has the ability to fine vendors significant amounts, and that makes commercial operations take note. However, only if they know it's a real threat. Time will tell but I really hope the government uses the power of this law to crack down on poor practice, particularly from vendors where they build to a price point and security is an afterthought. 

"It's noteworthy that it has taken a long time to get to this point. Many in the sector have been advocating strongly for such measures for years, so part of me thinks it's about time." ®
