
Consumer devices regulations

by Mark Rowe

Regulations covering internet-connected consumer devices are coming into effect as part of the Product Security and Telecommunications Infrastructure (PSTI) regime. Manufacturers will be legally required, for example, to disallow easily guessable default passwords such as ‘admin’ or ‘12345’.

Such products include smart TVs, voice assistants, smart watches and fitness wristbands, smart home alarms and video cameras, and Internet of Things (IoT) consumer devices such as fridges, toasters and coffee machines. Manufacturers will have to publish contact details so that software ‘bugs’ and security issues can be reported and dealt with; and manufacturers and retailers will have to state the minimum period for which device owners can expect to receive software security updates that patch vulnerabilities.
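The default-password requirement described above is easy to state but is usually enforced with a concrete check at the point where a factory default is generated or provisioned. The following Python script is an added example written for this article; it is not code from the regulator, the PSTI regime or any manufacturer. The denylist, the length and strength thresholds, and the sample production batch are constructed assumptions. It rejects defaults that are on a common-password list, too short, sequential, derived from an identifier printed on the device, or shared by more than one unit in a batch.

```python
import math
import re
from collections import Counter

# Constructed denylist of the kind of factory defaults the regime bans.
# Assumption: a real deployment loads a much larger known-compromised list.
COMMON_DEFAULTS = {
    "admin", "password", "12345", "123456", "1234", "0000", "root",
    "default", "guest", "letmein", "user", "qwerty",
}
MIN_LENGTH = 12          # assumption: thresholds chosen for this example
MIN_STRENGTH_BITS = 60   # assumption: ~ resists offline guessing of a leaked hash


def estimated_strength_bits(pw: str) -> float:
    """Upper-bound brute-force strength: length * log2(size of the character pool used)."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 32
    return len(pw) * math.log2(pool) if pool else 0.0


def is_sequential(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive characters stepping by +1 or -1 ('1234', 'dcba')."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def check_default_password(pw: str, device_id: str = "") -> list:
    """Return the reasons a candidate per-device default is unacceptable (empty list = OK)."""
    reasons = []
    low = pw.lower()
    if low in COMMON_DEFAULTS:
        reasons.append("on common-default denylist")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    if is_sequential(pw):
        reasons.append("contains a sequential run")
    # A default derived from a label-visible identifier (serial, MAC) is guessable
    # by anyone who can read the label or scan the network.
    ident = re.sub(r"[^a-z0-9]", "", device_id.lower())
    if len(ident) >= 6 and ident in re.sub(r"[^a-z0-9]", "", low):
        reasons.append("derived from public device identifier")
    bits = estimated_strength_bits(pw)
    if bits < MIN_STRENGTH_BITS:
        reasons.append(f"estimated strength {bits:.1f} bits below {MIN_STRENGTH_BITS}")
    return reasons


def audit_batch(defaults: dict) -> dict:
    """Run the per-password checks over a production batch and flag defaults shared between units."""
    shared = {pw for pw, n in Counter(defaults.values()).items() if n > 1}
    report = {}
    for device_id, pw in defaults.items():
        reasons = check_default_password(pw, device_id)
        if pw in shared:
            reasons.append("identical default used on more than one unit")
        report[device_id] = reasons
    return report


# Constructed sample batch: serial number -> provisioned default password.
SAMPLE_BATCH = {
    "SN-0001": "admin",
    "SN-0002": "Xq7#vL2$pR9m",
    "SN-0003": "Xq7#vL2$pR9m",      # same default on two units
    "AABBCC112233": "aabbcc112233!x",  # built from the MAC-style identifier
    "SN-0005": "123456789012",
    "SN-0006": "T4!kw9#Zr2&Qe",
}

if __name__ == "__main__":
    for unit, problems in audit_batch(SAMPLE_BATCH).items():
        print(unit, "OK" if not problems else "; ".join(problems))
```

The strength estimate is deliberately an upper bound: it assumes the password was drawn uniformly from the observed character classes, so it will not catch dictionary words that happen to be long. A production check pairs it with the denylist lookup, which is why both are kept.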

DSIT (Department for Science, Innovation and Technology) Minister for Cyber, Viscount Camrose said: “As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater. From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world first laws that will make sure their personal privacy, data and finances are safe. We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world.”

Comments

Richard Newton, Managing Consultant at the penetration testing consultancy Pentest People, commented that a lot of technology is sourced from countries where this won’t be enforced and we will still find technology in the UK that will have weak passwords. “The use of password managers is particularly fitting in this case – just as we advocate for unique, complex passwords with such tools, the banning of weak passwords on smart devices underscores the importance of robust security practices.

“Given the mass use of smart devices as primary gateways to the internet, making sure they are secure is critical. While manufacturers may still attempt to circumvent these regulations by using slightly stronger but still weak passwords, the overarching goal is to raise the baseline security standard.

“The encouragement of password managers reinforces the need for consumers to take proactive steps in safeguarding their online accounts. By using password managers, users can easily generate and manage strong, unique passwords for each service, avoiding the risk of widespread security breaches and minimising the potential impact of vulnerabilities in smart devices. The combination of regulatory enforcement and individual best practice represents a multifaceted approach towards enhancing cybersecurity in our everyday connected lives.”

Sylvain Cortes, VP Strategy at Hackuity said: “The requirements of the new PSTI Act in the UK are a welcome development in protecting consumers from the security risks of connected devices. These devices are part of our daily lives, but the fact is that many were designed with ease of use rather than security in mind, which provided an open door for cybercriminals to exploit. With the new regulations, consumer IoT devices will now have to have a vulnerability disclosure programme so that weaknesses can be properly dealt with.

“This is a more robust framework to ensure smart devices meet minimum-security standards and represents a significant step forward in ensuring the safety of the IoT ecosystem.”

Rick Jones, CEO of managed security provider DigitalXRAID, said: “Default and easy-to-guess passwords like ‘admin’ and ‘12345’ are a prime target for criminals and, while security training can advise on best practices for more secure passwords, a ban like this protects organisations against the simplest of password mistakes.

“As businesses increasingly rely on the Internet of Things (IoT) in day-to-day processes such as payment, communication, and manufacturing, anyone deploying this technology should be mindful of the risks. Weak IoT security offers criminals a useful backdoor to breach 5G networks or move laterally to internal servers. Simple security protocols such as changing default device passwords and regularly installing security patches can help ensure that your IoT network isn’t targeted.”

And Paul Inglis, GM EMEA at Ping Identity, described the banning of weak passwords as long overdue but welcome. “Passwords are an archaic tool which prove ineffective against today’s threat landscape. With more than 80 per cent of confirmed breaches related to stolen, weak, or reused passwords, without intervention, this was only likely to worsen thanks to AI and automation making it easier for cyber criminals to successfully attack.

“With passwords a constant risk and the newly announced laws, now is the time for UK businesses to implement passwordless authentication. Not only do passwordless solutions – such as passkeys – improve convenience and ease for users, but they also offer significantly increased security due to the lack of a crackable code, more efficient access thanks to biometrics, and reduced costs. Passwordless is, now more than ever, the logical path for the tech industry to travel.”

Szymon Krawczyk, Senior Detection and Response Analyst at the anti-phishing platform Expel, said it’s important to note that besides weak passwords, password re-use remains a significant risk. “Without significant changes to organisations’ internal password policies, reused and uncomplicated passwords continue to put users (and their employers) at risk. Addressing this issue is crucial for ensuring the long-term security of digital identities and protecting sensitive user data.

“Organisations need to start with password management at an individual level to bolster cyber resilience. This starts with encouraging the creation of strong passphrases for accounts that are not easily guessable, like ‘123456’ or ‘password’. Password managers can automate this process, reducing the risk of weak or reused passwords.

“Additionally, organisations should deploy identity verification tools like multi-factor authentication (MFA) to add an extra layer of security, requiring users to verify their identity through multiple platforms, such as passwords and smartphone push notifications. It’s crucial to stay informed about evolving authentication technologies like FIDO2 and phish-resistant MFA methods to mitigate the risk of unauthorized access. To go a step further, users should also consider adopting Universal 2nd Factor (U2F), requiring a physical device to confirm identity to make unauthorized access much more difficult even if a password is compromised—significantly enhancing security.”

Iain Davidson, Senior Product Manager at Wireless Logic said that non-compliance isn’t just a paperwork issue – it can hit your bottom line hard. “The new rules give authorities the power to issue directives for fixes or recall notices for any devices sold after the deadline. And if a product doesn’t comply, the Office for Product Safety and Standards (OPSS) can prohibit distribution or sales until it does.

“While the Act primarily focuses on consumer products, specific B2B connected devices are also affected. This means all businesses along the supply chain, including device manufacturers, importers, distributors and solutions providers, must offer relevant guidance to their customers by Monday, 29th April. The organisation, as well as its products and services, must also be fully compliant. This involves setting unique passwords for devices, educating customers on how to report security issues and making information on security update periods transparent.

“This legislation aligns with the UK’s Code of Practice for Consumer IoT Security and the global standard ETSI EN 303 645, which sets the bar for consumer IoT. This suggests a smooth one, but some concerns have been raised regarding PSTI’s enforcement. It’s worth noting that these initial changes are just the beginning, and more legislative shifts are likely on the horizon. As such, organisations should remain proactive, ensuring they meet current requirements while also keeping an eye on sector-specific global standards or legislation. Taking a 360-degree approach to security is key as we navigate these evolving regulations.”
