UK to ban easy-to-guess passwords

The United Kingdom Government has announced a new technology security bill that includes important measures to prevent users from being hacked through their electronic devices, such as mobile phones, PCs or even toys and smart products for the home. The most notable measures are a ban on manufacturers shipping easy-to-guess default passwords and an obligation to report on security updates.

Specifically, the new Product Security and Telecommunications Infrastructure (PSTI) bill will force companies, manufacturers and distributors to include unique passwords on their smart devices. This will prohibit the generic passwords that are found in a wide variety of products and are often easy to guess. The British government will also prevent manufacturers from including the ability to reset passwords to universal default values.

“There is no regulation to protect consumers from harm caused by cyber infractions, which can include fraud and theft of personal data,” says the United Kingdom's Ministry of Digital, Culture, Media and Sports.

The measure therefore aims to prevent hackers from accessing a device's internal configuration using a default password such as “admin”, “1234” or “password”. Such passwords are, in fact, widely used in home products, such as routers.

Banning default passwords is not the only measure

Beyond the prohibition of default passwords, the new bill also obliges manufacturers to state how long a product will receive security updates. The goal, according to the British government, is for customers to know when a device may become more vulnerable and thus make “better purchasing decisions.” Companies must also report when a piece of equipment is not eligible to receive these types of updates.

Once the bill comes into effect, it will be assigned to a regulator whose role will be to require companies to comply with the ban on default passwords and the obligation to report on security patches. The regulator can also force companies to withdraw their products from the market if they infringe the rules, and it will be able to fine companies up to 10 million pounds or 4% of their global income if they fail to comply with the regulations.

While these measures will come into effect soon in the UK, it is likely, and we hope, that administrations in other countries will follow the same steps, such as banning default passwords, above all considering the rise of IoT devices for the home and the risk they can pose.
