UK Bill Bans Default Passwords; Fines Manufacturers, Integrators Up to £10M

Product Security and Telecommunications Infrastructure Bill (PSTI) can fine smart home manufacturers and resellers up to £20,000 per day

 •

A newly proposed law in the United Kingdom will require smart home equipment manufacturers and potentially even integrators to meet tough new cybersecurity standards with the threat of heavy fines for those who fail to comply. The Product Security and Telecommunications Infrastructure Bill (PSTI), introduced to Parliament, will allow the government to ban universal default passwords, and force firms to be transparent to customers about what they are doing to fix security flaws in connectable products. The bill targets any company that makes or resells smart home gear. Violators can face fines up to £20,000 per day, or up to £10 million in total.

According to the Minister for Media, Data and Digital Infrastructure, Julia Lopez, “Every day hackers attempt to break into people’s smart devices. Most of us assume if a product is for sale, it’s safe and secure. Yet many are not, putting too many of us at risk of fraud and theft. Our Bill will put a firewall around everyday tech from phones and thermostats to dishwashers, baby monitors and doorbells, and see huge fines for those who fall foul of tough new security standards.”

According to a press release from the British Department for Digital, Culture, Media & Sport, only one in five smart home equipment manufacturers has put in place appropriate cybersecurity measures. It goes on to say there were 1.5 billion attempted IoT compromises in 2021, double the 2020 total.

Specifically, the PSTI Bill includes:

  • A ban on easy-to-guess default passports that come preloaded on devices — such as ‘”password” or “admin.” All passwords that come with new devices will need to be unique and not resettable to any universal factory setting.
  • A requirement for manufacturers to tell customers at the point of sale, and keep them updated, about the minimum amount of time a product will receive vital security updates and patches, says the government. If a product does not come with security updates, that must be disclosed. Nearly 80% of smart home makers do not have any such system in place, according to the British government.
  • New rules that require manufacturers to provide a public point of contact to make it simpler for security researchers and others to report when they discover flaws and bugs in products.

These new cybersecurity regulations will be overseen by a regulator, which will be designated once the Bill comes into force, and will have the power to fine companies for non-compliance up to £10 million or 4% of their global turnover, as well as up to £20,000 a day in the case of an ongoing contravention.

The regulator will also be able to issue notices to companies requiring that they comply with the security requirements, recall their products, or stop selling or supplying them altogether. The new laws will apply not only to manufacturers, but also to other businesses including both physical shops and online retailers.

The PSTI Bill applies to “connectable” products, which includes all devices that can access the internet, such as smartphones, smart TVs, games consoles, security cameras and alarm systems, smart toys and baby monitors, smart home hubs and voice-activated assistants and smart home appliances such as washing machines and fridges.

It also applies to products that can connect to multiple other devices but not directly to the internet. Examples include smart light bulbs, smart thermostats and wearable fitness trackers.

The government intends to exempt some products that would be subjected to double regulation or not lead to material improvements in product or user security. This includes vehicles, smart meters, electric vehicle charging points and medical devices. Desktop and laptop computers are also exempted because they are already served by a mature antivirus software market.