Gadgets that ship with weak passwords out-of-the-box like "12345" and "admin" will be outlawed under world-first legislation enforced by the UK Government from today (Monday April 29, 2024). The tough new law is designed to shield Britons from hackers and cyber criminals by introducing minimum security standards.
UK households now own an average of nine connected devices — a dizzying number of Internet of Things (IoT) devices that could offer a weak spot that allows hackers to infiltrate your Wi-Fi network.
UK households own an average of 9 internet-connected gadgets, like the popular Hive thermostat (pictured) that lets users change the temperature from anywhere using their phone
HIVE PRESS OFFICE
Manufacturers of smartphones, tablets, smart TVs, video doorbells, smart speakers, Wi-Fi-enabled thermostats, and dozens of other popular devices will now be legally required to protect all internet-connected devices against access by cyber criminals, the Department for Science, Innovation and Technology said.
That means easily guessable default passwords, like “admin” or “12345” will be banned, with users prompted to change any common passwords. The law also requires manufacturers to publish contact details, so bugs and glitches can be reported.
Companies will need to be transparent about the timing of incoming security updates, so users know exactly when to expect critical fixes and patches for known issues.
The law is designed to prevent threats like the damaging Mirai attack, which took place in 2016 and saw 300,000 smart products compromised due to weak security features and used to attack major internet platforms and services, leaving much of the US East Coast without internet.
Similar attacks have occurred on UK banks including Lloyds and RBS leading to disruption to customers.
It is hoped the new law will help give British customers confidence when buying and using internet-connected gadgets.
The latest statistics show that 57% of UK households now own a smart TV, 53% own a voice assistant like Alexa or Google Assistant found in smart speakers or digital photo frames, and 49% wear a smartwatch or fitness wristband.
An investigation conducted by Which? showed that a home filled with smart devices could be exposed to more than 12,000 hacking attacks from across the world in a single week, with a total of 2,684 attempts to guess weak default passwords on just five devices.
Speaking about the incoming changes, Science and Technology Minister Viscount Camrose said: “As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater.
"From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world-first laws that will make sure their personal privacy, data and finances are safe. We are committed to making the UK the safest place in the world to be online and these new regulations mark a significant leap towards a more secure digital world.”
The laws are taking effect as part of the product security and telecommunications infrastructure (PSTI) regime, which aims to strengthen the UK’s resilience from cyber crime.
LATEST DEVELOPMENTS
Which? Director of Policy and Advocacy, Rocio Concha said: "Which? has been instrumental in pushing for these new laws which will give consumers using smart products vital protections against cyber criminals looking to launch hacking attacks and steal their personal information.
"The OPSS [Office for Product Safety and Standards] must provide industry with clear guidance and be prepared to take strong enforcement action against manufacturers if they flout the law, but we also expect smart device brands to do right by their customers from day one and ensure shoppers can easily find information on how long their devices will be supported and make informed purchases.
