The act aims to enforce better passwords and clearer details about reporting and updates.
Connectable products that have a default password of “12345” are going to have to scramble the numbers a bit.
A UK law, effective April 29, aims to address security weaknesses in internet-connected products by enforcing strong default passwords, clear reporting structures for security issues, and transparent info on minimum update periods.
“The law, known as the Product Security and Telecommunications Infrastructure (PSTI) Act, will help consumers to choose smart devices that have been designed to provide ongoing protection against cyberattacks,” the UK’s National Cyber Security Centre’s citizen resilience officer wrote in a blog post on the same day the legislation took effect.
The act applies to makers, distributors, and marketers of “relevant consumer products that can connect to the internet or a network,” according to a UK government website. The NCSC provided examples like smart speakers and TVs, wearable fitness trackers, and connected appliances like thermostats and that fridge you can see inside of from your phone. (The connected, data-exchanging devices are sometimes referred to as “internet of things,” or IoT.)
The UK directive covers three categories.
- Passwords. “Passwords must be unique per product; or capable of being defined by the user of the product.”
- Security reporting. Manufacturers must provide accessible, clear information about how to report security issues with a product, and communicate the estimated time for a response.
- Minimum update periods. “Smart” device makers must include “clear, accessible, and transparent” details regarding the “the minimum length of time security updates will be provided along with an end date.”
The Office for Product Safety and Standards (OPSS) will act as enforcer and regulator for the products.
IoT’s getting better all the time. The UK legislation follows recent US efforts to enhance security requirements for connected devices. On March 15, the Federal Communications Commission (FCC) unanimously approved a voluntary labeling program adding Cyber Trust Marks to devices meeting required security standards. The Connectivity Standards Alliance announced an Internet of Things Device Security Specification 1.0 and certification on March 19.
Counterpoint: No, it’s not. A Zscaler report found that IoT malware attacks increased by 400% between January–June 2022 and the same period in 2023.