The UK becomes the first country in the world to ban easily guessable default passwords such as 'admin' and '12345' for IoT devices

IoT devices such as smart TVs and smart light bulbs make our daily lives more convenient by connecting our furniture and home appliances to the Internet, but they can also pose security risks. In the UK, amendments to the Product Security and Telecommunications Infrastructure Act (PSTI Act) will come into effect on Monday, April 29, 2024, making it the first country in the world to prohibit 'weak, easily guessable default passwords for IoT devices.'

New laws to protect consumers from cyber criminals come into force in the UK - GOV.UK

UK becomes first country to ban default bad passwords on IoT devices

The UK beefs up smart home security by going after bad default passwords - The Verge

Many people have thought about the security of their PCs and smartphones, but far fewer have thought about the security of IoT devices such as smart TVs and smart light bulbs. However, because IoT devices are connected to the Internet or to a local network, a device compromised by a malicious attacker puts the rest of that network at risk.

In 2016, a piece of malware called 'Mirai' emerged that infected Linux-based devices and used IoT devices such as webcams around the world as a botnet to launch distributed denial of service (DDoS) attacks. The IoT devices that were exploited had easy-to-guess default passwords such as 'admin' and '12345,' highlighting the importance of security for IoT devices.

An unprecedented DDoS attack of 1 terabit per second occurred, and the source of the attack was 145,000 hacked webcams - GIGAZINE

The name 'Mirai' is said to be derived from the popular manga 'Mirai Nikki,' and the perpetrators who created and released Mirai were still in their teens at the time of the crime. The perpetrators were given probation instead of prison because they assisted the FBI in their investigation.

Amid growing security concerns over IoT devices, the UK government has announced proposals to amend PSTI laws to ban weak default passwords for IoT devices.

The UK government has proposed a bill to ban default passwords such as 'password' and 'admin' - GIGAZINE

On April 29, 2024, the proposed amendments to the PSTI Act came into force, prohibiting guessable default passwords on IoT devices sold in the UK. Companies must either ship each IoT device with a unique default password or allow the owner to set one. Manufacturers must also provide a way for IoT device users to easily report security issues, and must let reporters track the status of a reported issue and when they can expect status updates.

Companies that breach PSTI legislation could be subject to fines of up to £10 million or 4% of their 'qualifying worldwide revenues', whichever is greater.

In the United States, a new certification program called 'US Cyber Trust Mark' will certify IoT devices that meet security requirements such as strong default passwords. However, since the US Cyber Trust Mark gives regulators no enforcement power against companies, it is unclear how effective it will be, according to the US media outlet The Verge.

Biden Administration Announces New Security Standard Compliance Label 'US Cyber Trust Mark' for IoT Devices - GIGAZINE


in Hardware,   Security, Posted by log1h_ik