UK becomes first country to ban default bad passwords on IoT devices
Seven years ago, a cyberattack left many of the most popular websites based in the United States inaccessible. For three extended periods on October 21, 2016, internet users were left without their doses of Twitter, CNN and Netflix among other popular sites.
Naturally there was speculation about the powerful threat actors who could have caused such a disruption. But the incident was not conducted by a hostile state. It turned out to be extremely unsophisticated, just a distributed denial-of-service attack targeting Dyn, a company which provided Domain Name System (DNS) services — a critical part of the internet’s communications structure.
While the attack was unsophisticated, it was large. The volume of traffic sent to Dyn’s servers was generated by a botnet of internet-connected consumer devices from wireless cameras through to WiFi routers. The botnet, named Mirai after a Japanese cartoon, had been developed by a trio of U.S. citizens barely out of their teens, all of whom were soon arrested.
While they pleaded guilty just over a year later, their invention raised the specter of something much more long-lasting: just how much harm could be caused by sloppy security practices among Internet of Things (IoT) producers, particularly the widespread use of default usernames and passwords. Those credentials allowed the Mirai botnet to log in to devices automatically and spread itself to around 300,000 of them, all of which could be ordered to target anything else connected to the internet.
On Monday, the United Kingdom became the first country in the world to ban guessable default usernames and passwords on these IoT devices. Default passwords that are unique to each device are still permitted.
The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum security standards for manufacturers, and requires these companies to tell consumers how long their products will receive security updates.
Manufacturing and design practices mean many IoT products introduce additional risks to the home and business networks they’re connected to. In one often-cited case described by cybersecurity company Darktrace, hackers were allegedly able to steal data from a casino’s otherwise well-protected computer network after breaking in through an internet-connected temperature sensor in a fish tank.
Under the PSTI, weak or easily guessable default passwords such as “admin” or “12345” are explicitly banned, and manufacturers are also required to publish contact details so users can report bugs.
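To make the distinction between a banned guessable default and a permitted per-device unique default concrete, here is an added example of a provisioning-time check a manufacturer could run over a production batch. It is illustrative code written for this article, not the PSTI text or any OPSS guidance: the denylist, the minimum length and the pattern rules are the example's own assumptions, and the serial numbers and passwords in the sample batch are constructed.

```python
import secrets
import string
from collections import Counter

# Constructed denylist of well-known guessable defaults (illustrative, not an official list).
COMMON_DEFAULTS = frozenset({
    "admin", "password", "12345", "123456", "1234", "root", "default",
    "guest", "user", "support", "pass", "000000",
})

# Assumed policy thresholds for this example, not values taken from the Act.
MIN_LENGTH = 8
ALPHABET = string.ascii_letters + string.digits


def is_guessable_default(password: str) -> bool:
    """Return True if a candidate factory default is weak or easily guessable."""
    p = password.strip().lower()
    if not p or p in COMMON_DEFAULTS:
        return True
    if len(p) < MIN_LENGTH:
        return True
    # A single repeated character ("aaaaaaaa") is trivially guessable.
    if len(set(p)) == 1:
        return True
    # A straight ascending run ("abcdefgh", "12345678") is also guessable.
    if all(ord(b) - ord(a) == 1 for a, b in zip(p, p[1:])):
        return True
    return False


def generate_unique_default(length: int = 16) -> str:
    """Generate a per-unit default from a CSPRNG, the kind of default the law still permits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_batch(unit_passwords: dict[str, str]) -> dict[str, list[str]]:
    """Audit a mapping of serial number -> factory default password.

    Returns a dict of serial -> list of problems; units with no problems are omitted.
    A password shared by more than one unit is flagged even if it is otherwise strong,
    because a shared default is exactly what let Mirai spread.
    """
    counts = Counter(unit_passwords.values())
    problems: dict[str, list[str]] = {}
    for serial, pw in unit_passwords.items():
        issues = []
        if is_guessable_default(pw):
            issues.append("guessable")
        if counts[pw] > 1:
            issues.append("shared across units")
        if issues:
            problems[serial] = issues
    return problems


if __name__ == "__main__":
    # Constructed sample batch: one classic bad default, one strong password
    # copied onto two units, and one unit done correctly.
    batch = {
        "SN001": "admin",
        "SN002": "Q9f3Lm2xT7pW4kZe",
        "SN003": "Q9f3Lm2xT7pW4kZe",
        "SN004": generate_unique_default(),
    }
    for serial, issues in audit_batch(batch).items():
        print(f"{serial}: {', '.join(issues)}")
```

The batch audit deliberately treats "shared across units" as a separate finding from "guessable": a long random string that is burned into every unit of a product line is still a single secret protecting an entire fleet, which is the failure mode the article describes.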
Products that fail to comply with the rules could face being recalled, and the companies responsible could face a maximum fine of £10 million ($12.53 million) or 4% of their global revenue, whichever is higher.
The law will be regulated by the Office for Product Safety and Standards (OPSS), which is part of the Department for Business and Trade rather than an independent body.
Rocio Concha, the director of policy and advocacy at consumer-rights organization Which? said: “The OPSS must provide industry with clear guidance and be prepared to take strong enforcement action against manufacturers if they flout the law, but we also expect smart device brands to do right by their customers from day one and ensure shoppers can easily find information on how long their devices will be supported and make informed purchases.”
Viscount Camrose, one of the British legislature’s hereditary peers, who was appointed minister for cyber by the government, said: “As everyday life becomes increasingly dependent on connected devices, the threats generated by the internet multiply and become even greater.
“From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world-first laws that will make sure their personal privacy, data and finances are safe,” he said.
Similar laws are being advanced elsewhere, although none have entered into effect. The European Union’s Cyber Resilience Act is yet to be finally agreed, but its similar provisions aren’t expected to apply within the bloc until 2027.
There is no federal law about securing consumer IoT devices in the United States, although the IoT Cybersecurity Improvement Act of 2020 requires the National Institute of Standards and Technology “to develop and publish standards and guidelines for the federal government” on how they use IoT devices.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.