What you need to know
- A new law in the UK will prevent the sale of devices with poor security standards.
- The goal is to protect smartphones, TVs, speakers, digital toys and other devices from hackers.
- Failure to comply could result in fines of up to £10 million, or up to 4% of global revenue.
The UK government has introduced a new bill that will require manufacturers and distributors of technology products to ensure their devices meet minimum security standards, with hefty fines if they fail to comply.
Device manufacturers will be prohibited under the Product Security and Telecommunications Infrastructure Bill (PSTI) from selling mobile devices, televisions, speakers, toys, and other digital devices that do not meet the law's security requirements. Those requirements include a ban on easy-to-guess default passwords in connected products, such as many of the best smart speakers.
All passwords that come preloaded with new devices must be unique "and not resettable to any universal factory setting." The bill seeks to prohibit the use of simple default passwords such as "admin" or "password" that ship with devices, as these are commonly targeted by hackers.
The new legislation will also require companies to disclose the release dates of security updates for their products and to set up an easy public reporting system so that researchers can quickly report vulnerabilities found in those devices. Manufacturers must also inform customers at the point of sale when security flaws in connected devices will be fixed.
The government cited 1.5 billion attempted attacks on IoT devices in the first half of 2020 alone. With the new law, the hope is to reduce the attack surface for hackers.
If their products do not comply with the new rules, device manufacturers could face fines of up to £10 million or 4% of their global revenue. Once the bill is passed, a regulatory body will be formed to oversee the implementation of the new rules.