The UK government has introduced the Product Security and Telecommunications Infrastructure (PSTI) Bill, a set of new rules to improve the security of smart home devices. Under regulations, easy-to-guess default passwords will be prohibited, as will the publication of security update release dates and other information, all of which will be subject to stiff penalties.
The new restrictions were first suggested last year after extensive deliberation and remain largely unaltered. The first is a prohibition on easy-to-guess default passwords, such as “admin” and “password.” According to the law, all passwords with new devices must be unique and cannot be reset to any universal factory setting.
Second, manufacturers must inform consumers about the minimum time necessary for security patches and upgrades at the point of sale and keep them informed. If the product does not include them, this must be stated. Lastly, manufacturers should provide a public point of contact for security experts to disclose defects and bugs quickly.
According to the authorities, 1.5 billion attempted breaches of Internet of Things (IoT) devices were made in the first half of 2020. It referenced a 2017 attack in which hackers used an internet-connected fish tank to steal data from a casino. It went on to say that in extreme circumstances, hostile organizations have used weak security features to get access to people’s cameras.
Once the bill is passed, a regulator will be chosen to supervise the regulations. Fines may reach £10 million ($13.3 million), or 4% of a company’s annual income, with up to £20,000 per day assessed for repeat offenses. The law is applicable to producers and companies that import technology into the United Kingdom. Smartphones, security cameras, routers, home speakers, game consoles, and internet-enabled appliances & toys are among the included products.
