The UK is doing away with bad default passwords. With updates to the country’s Product Security and Telecommunications Infrastructure Act (PSTI) that came into force today, regulators say that tech gadgets that can connect to the internet or a local wired network must either have a unique default password or be definable by the person who owns it.
Under the update, manufacturers will have to make it easy for people to report security issues. The PSTI also now requires them to give clear expectations for when those filing the reports can expect acknowledgment and status updates afterward. Violations of the law can result in fines as high as £10 million (about $12.5 million USD) or 4 percent of their “qualifying worldwide revenue,” depending on which is higher.
Related
The law would apply to a wide range of products, but a big target here is likely IoT devices like smart TVs, smart plugs, or smart speakers. Many of these, particularly the cheapest commodified ones, end up as targets online, thanks to lax security practices, that made them part of devastating attacks like the Mirai-based botnet DDoS seen years ago. This doesn’t necessarily address all of those practices, but bad default passwords are low-hanging fruit that should be tackled.
In the US, the FCC is trying something similar with its forthcoming Cyber Trust Mark program. Much like the federal Energy Star program, the Cyber Trust Mark logo indicates which products comply with the program’s requirements, including strong default passwords.
But also like Energy Star, nobody is forcing companies to go along with it. And while Energy Star has clear, explainable benefits like lower utility bills, it’s a little harder to make it clear that a smart bulb connected to your router can be a security risk for your other devices, so it’s hard to know how effective it will be when it goes into effect.