UK to ban universal default passwords
The UK government seeks to ban universal default passwords, force companies to be more transparent about fixing security flaws, and introduce heavy fines for those who fail to comply.
The Product Security and Telecommunications Infrastructure Bill, introduced to the UK Parliament, is drafted to better protect consumers from attacks by malicious hackers on their phones, tablets, smart TVs, fitness trackers, and other internet of things (IoT) devices.
“Everyday hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft. Our Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards,” Minister for Media, Data and Digital Infrastructure Julia Lopez is quoted in a press release.
The Bill applies to products that can access the internet, for example, game consoles, security cameras, alarm systems, baby monitors, and many others. The government intends to exempt products, such as vehicles, smart meters, electric vehicle charging points, and medical devices, as they would become subject to double regulation, which would not lead to increased security. Desktop and laptop computers are also not in scope as they are “served by a mature antivirus software market, unlike smart speakers and other emerging consumer tech.”
A new law will require manufacturers, importers, and distributors to meet new cybersecurity standards. It will allow the government to ban universal default passwords, force companies to be more transparent with consumers about vulnerabilities and patches, and create a better public reporting system for flaws discovered in different products.
According to the press release, on average, there are nine connected tech products in every household. Consumers wrongfully assume they are safe, when in fact, recent research by Which? found that a home filled with smart devices could be exposed to more than 12,000 hacking or unknown scanning attacks from across the world in a single week.
Here’s what the new law proposes:
- A ban on easy-to-guess default passports that come preloaded on devices - such as ‘password’ or ‘admin’ - which are a target for hackers. All passwords that come with new devices will need to be unique and not resettable to any universal factory setting.
- A requirement for connectable product manufacturers to tell customers at the point of sale and keep them updated about the minimum amount of time a product will receive vital security updates and patches. If a product does not come with security updates, that must be disclosed. This will increase people’s awareness about when the products they buy could become vulnerable so they can make better-informed purchasing decisions. Nearly 80% of these firms do not have any such system in place.
- New rules that require manufacturers to provide a public point of contact to make it simpler for security researchers and others to report when they discover flaws and bugs in products.
Companies that will not abide by the law could face a fine of up to £10 million or 4%t of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.
The new law will apply to manufacturers, physical shops, and online retailers, who will be forbidden from selling products to UK customers unless they meet the security requirements and will be required to pass important information about security updates on to customers.
More from CyberNews:
Subscribe to our newsletter