The UK government announced the introduction of the Product Security and Telecommunications Infrastructure (PSTI) Bill, a set of new rules aimed at improving the security of smart home devices. The guidelines would prohibit easy-to-guess default passwords and compel the publication of security update release dates, among other things, under pain of substantial fines.
The new restrictions were first proposed last year after a lengthy comment period, and they remain virtually unchanged. The first is a prohibition on easy-to-guess default passwords, such as “password” and “admin,” and all passwords that arrive with new devices will “need to be unique and not resettable to any universal factory configuration,” according to the law.
The government is hoping to curtail attacks on household devices, citing 1.5 billion attempted compromises of Internet of Things (IoT) devices in the first half of 2020 alone. As examples, it cited a 2017 attack in which hackers stole data from a casino by attacking an internet-connected fish tank. It added that “in extreme cases, hostile groups have taken advantage of poor security features to access people’s webcams.”
The rules will be overseen by a regulator that will be appointed once the bill comes into law. Fines could hit up to £10 million ($13.3 million) or 4 percent of a company’s gross revenue, with up to £20,000 a day levied for ongoing infractions.