
New Law in U.K. Bans Default Passwords for Smart Devices Beginning April 2024

The U.K.’s National Cyber Security Centre (NCSC) is enforcing a new law, the Product Security and Telecommunications Infrastructure Act (PSTI), that compels smart device manufacturers to prioritize security. This legislation, taking effect on April 29, 2024, empowers consumers to make informed choices by ensuring smart devices are built with ongoing cyber protection.

A key requirement of the PSTI act is the elimination of easily guessed default passwords. These passwords, often readily available online, are a major security risk, allowing attackers to infiltrate devices and potentially launch further attacks. However, the law permits manufacturers to implement unique default passwords.

The PSTI act aims to establish a baseline security standard and prevent the creation of vulnerable devices susceptible to large-scale cyberattacks like the infamous Mirai botnet. This legislation applies to a wide range of internet-connected devices, including:

  • Smart speakers, TVs, and streaming devices
  • Smart doorbells, baby monitors, and security cameras
  • Tablets, smartphones, and game consoles
  • Wearable fitness trackers (including smartwatches)
  • Smart home appliances (light bulbs, plugs, kettles, thermostats, ovens, refrigerators, cleaners, and washing machines)

Companies failing to comply with the PSTI act face potential product recalls and hefty fines. Penalties can reach up to £10 million ($12.5 million) or 4% of their global annual revenue, whichever is greater.

This move by the U.K. makes it the world’s first nation to outlaw default usernames and passwords for internet-of-things (IoT) devices. The importance of this legislation is underscored by the continued prevalence of Mirai-based attacks, despite the dismantling of the original botnet in 2016. According to a report by Cloudflare, a significant portion of distributed denial-of-service (DDoS) attacks still utilize Mirai variants.

The PSTI act comes on the heels of a recent U.S. Federal Communications Commission (FCC) decision imposing hefty fines on major telecom carriers (AT&T, Sprint, T-Mobile, and Verizon) for illegally sharing customers’ real-time location data with third parties without their consent. This highlights a growing global trend towards stricter regulations to protect consumer privacy and security in the digital age.

“No one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card,” stated U.S. Senator Ron Wyden, who had disclosed the method in 2018.
