The UK Government has announced a new technology security bill that includes important measures to prevent users from being hacked through their electronic devices, such as mobile phones, PCs or even toys and smart home products. The measures stand out, above all, for banning manufacturers from shipping easy-to-guess default passwords and for requiring them to report on security updates.
Specifically, the new Product Security and Telecommunications Infrastructure (PSTI) Bill will oblige companies, both manufacturers and distributors, to include unique passwords on their smart devices. This will prohibit the generic passwords that are usually present in a wide variety of products and that are often easy to guess. The British government will also prevent manufacturers from including the ability to reset passwords to universal default values.
“There is no regulation to protect consumers from harm caused by cyber breaches, which can include fraud and theft of personal data,” says the UK Department for Digital, Culture, Media and Sport.
The measure is therefore intended to prevent hackers from accessing a device’s internal settings using a stock password such as “admin”, “1234” or “password”. These are, in fact, widely used in home products such as routers.
Banning default passwords is not the only measure
Beyond the prohibition of default passwords, the new bill also obliges manufacturers to state how long a product will receive security updates. The goal, according to the British government, is for customers to know when a device may become more vulnerable and thus make “better purchasing decisions.” Companies must also disclose when a device is not eligible to receive this type of update.
Once the bill takes effect, enforcement will be assigned to a regulator whose role will be to require companies to comply with the ban on default passwords and the requirement to report on security patches. The regulator can also force companies to withdraw their products from the market if they infringe the rules, and it will be able to fine them up to £10 million or 4% of their global revenue if they break the regulations.
While these measures will come into effect in the UK shortly, it is likely, and we hope, that the administrations of other countries will follow the same steps, such as banning default passwords, especially considering the rise of IoT devices for the home and the risk they may pose.