The United Kingdom has introduced the Product Security and Telecommunications Infrastructure (PSTI) Act, a set of new regulations designed to improve the safety of smart home devices. The government announced that these rules will prohibit easy-to-guess default passwords, require disclosure of security update release dates, among other measures, and impose hefty fines.
The new rules were initially proposed last year and, after a long period of negotiation, are basically unchanged. The first prohibits default passwords that are easy to guess, including classic passwords such as “password” and “administrator”. According to the law, all passwords that come with new devices “must be unique and cannot be reset to any common factory settings”.
“Most of us believe that if the product is sold, it is safe and reliable. But many people are not, which puts too many of us at risk of fraud and theft,” said British Minister Julia Lopez. “Our bill will set up firewalls for everyday technology from telephones and thermostats to dishwashers, baby monitors and doorbells, and impose huge fines on those who violate strict new safety standards.”
Next, manufacturers must tell customers at the point of sale the minimum time for which security patches and updates will be provided. If the product does not come with any, that fact must be disclosed. Finally, manufacturers must provide a public point of contact for security researchers so that they can easily disclose defects and vulnerabilities.
The government wants to reduce attacks on home devices, noting that there were 1.5 billion attempts to hack into Internet of Things (IoT) devices in the first half of 2020 alone. As an example, it cited an attack in 2017 in which hackers stole data from casinos by attacking fish tanks connected to the Internet. It added, “In extreme cases, hostile groups use poor security features to access people’s webcams.”
These rules will be overseen by a regulatory agency, which will be appointed after the bill enters into force. Fines can be as high as £10 million (US$13.3 million) or 4% of the company’s total revenue, and up to £20,000 per day for continued violations. The law applies not only to manufacturers, but also to companies importing technology products into the UK. Covered products include smartphones, routers, security cameras, game consoles and home speakers, as well as Internet-enabled appliances and toys.