UK Becomes First Country to Ban IoT Devices with Default Passwords

The UK has become the first country in the world to forbid the sale of IoT devices that ship with default passwords by enacting legislation in this regard starting on April 29, 2024.

Default credentials are a huge security problem with IoT devices as numerous manufacturers leave the task of setting better passwords in the hands of their customers. Unfortunately, many devices are plugged in and quickly set up, never to be touched again until they stop working.

Using default passwords is a long-standing “tradition,” but it’s been changing slowly over the years. The new UK law, known as the Product Security and Telecommunications Infrastructure act (PSTI), will force vendors and manufacturers to adopt a new standard that should have been available for many years.

The new law has several requirements that cover pretty much all IoT devices and other situations that might arise. The main part of the law is straightforward, according to the announcement by The UK National Cyber Security Centre (NCSC).

“The manufacturer must not supply devices that use default passwords, which can be easily discovered online, and shared. If the default password is used, a criminal could log into a smart device and use it to access a local network, or conduct cyber attacks,” reads the announcement.

Interestingly, the law also covers a crucial aspect: manufacturers must have a point of contact for reporting security issues. Moreover, IoT makers must specify the minimum length of time for which the device will receive security updates. This latest part would make it easier for consumers to know when it’s time to replace an old device.

Of course, PSTI will also work for imported goods, which is a critical distinction to make.

“Most smart devices are manufactured outside the U.K., but the PSTI act also applies to all organisations importing or retailing products for the U.K. market. Failure to comply with the act is a criminal offence, with fines up to £10 million or 4% of qualifying worldwide revenue (whichever is higher),” NCSC also mentions.

The covered IoT devices include:

smart speakers, smart TVs and streaming devices
smart doorbells, baby monitors and security cameras
· cellular tablets, smartphones and games consoles
· wearable fitness trackers (including smart watches)
· smart domestic appliances (such as light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners and washing machines)