The United Kingdom has introduced the PSTI (Product Security and Telecommunications Infrastructure) Act, a series of new rules designed to improve the security of smart home devices, the government announced. The rules will ban default passwords that are easy to guess, require the publication of security update release dates and more, under threat of large fines.
The new rules were originally proposed last year after a lengthy consultation period and are largely unchanged. The first is a ban on default passwords that are easy to guess, including classics like “password” and “admin”. All passwords that come with new devices must “be unique and cannot be reset to any universal factory setting,” the law states.
“Most of us assume that if a product is for sale, it is safe and secure. Yet many are not, which puts far too many of us at risk of fraud and theft,” said British Minister Julia Lopez. “Our bill will put a firewall around everyday technology from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who like new strict safety standards.”
Next, manufacturers must tell customers at the point of sale, and keep them updated, about the minimum length of time the product will receive security patches and updates. If the product does not come with any, that must be stated as well. Finally, manufacturers need to make a public contact point available to security researchers so that they can easily report flaws and bugs.
The government hopes to limit attacks on household devices, citing 1.5 billion attempts to compromise Internet of Things (IoT) devices in the first half of 2020 alone. As an example, it cited an attack in 2017 in which hackers stole data from a casino by attacking an Internet-connected aquarium. It added that “in extreme cases, hostile groups have taken advantage of poor security features to gain access to people’s webcams.”
The rules will be enforced by a regulator that will be appointed when the bill enters into force. Fines can reach up to £10 million ($13.3 million) or 4 per cent of a company’s gross revenue, with up to £20,000 a day for ongoing infringements. The law applies not only to manufacturers but also to companies importing technology products into the UK. Products include smartphones, routers, security cameras, game consoles and home speakers, along with Internet-enabled devices and toys.