Government bans ‘easy-to-guess’ default passwords
Manufacturers have been banned from selling devices that have easy-to-guess default passwords.
It means they’ll no longer be able to set up devices with generic passwords such as ‘admin’. Instead, all passwords that come with new devices will need to be “unique and not resettable to any universal factory setting”.
The ban comes as part of the Government’s Product Security and Telecommunications Infrastructure Bill (PSTI, www.snipca.com/40284), which aims to improve the security of devices other than computers that connect to the internet.
Products covered include phones, tablets, smart TVs, fitness trackers, smart speakers, thermostats and “other internet-connectable devices”.
The law also requires manufacturers to tell customers when they buy a device how long it will receive security fixes, and to warn customers about any changes to this. Nearly 80 per cent of firms don’t have such a system in place, the Government claims.
In addition, manufacturers must give a public point of contact for security researchers and others to report flaws they’ve discovered in products.
Ministers say that previously manufacturers weren’t doing enough to protect consumers from the growing threat of hackers targeting web-connected devices – often called the ‘Internet of Things’.
The Government says that on average there are nine web-connected devices in each UK household, and people “overwhelmingly assume these products are secure” despite only one in five manufacturers having “appropriate security measures in place”.
Research from Kaspersky showed that in the first half of 2021 there were 1.5 billion attempts worldwide to hack such devices, double the amount in 2020.
PCs and laptops are not part of the legislation because they are served “by a mature antivirus software market”, and operating systems already “include security features which means they are not subject to the same threats and risks”.