The UK government has announced that it has submitted a bill to Parliament for the Product Security and Telecommunications Infrastructure Bill (PSTI), aimed at improving the security of smart home devices. The law prohibits setting easy-to-guess (password, admin) strings in the basic passwords of digital devices such as smartphones, TVs, and smart speakers.
The UK government has seen a dramatic increase in the use of high-tech products that can connect to the Internet in recent years, and it is predicted that by 2030 there will be up to 50 billion devices in use worldwide. However, only 20% of these connectable products have adequate security measures in place. The UK National Center for Cybersecurity reports that there were 1.5 billion breaches of IoT devices in the UK in the first half of 2021 alone, with the number of damages already nearly doubling in 2020.
The bill, drafted for 2020, bans the use of easy-to-guess default passwords, including classic ones, and stipulates that passwords cannot be reset to factory-set settings on a device. Products subject to regulation are IoT-compatible home appliances such as smartphones, routers, surveillance cameras, game consoles, home speakers, washing machines, and refrigerators. It also applies to products that do not directly connect to the Internet, such as smart light bulbs and wearable fitness trackers.
When selling, manufacturers must inform their customers of the minimum period required for security patches or updates, and must always keep them up-to-date. If your product does not contain any security patches or updates, you must disclose that fact. Manufacturers also need to provide a contact point for security researchers who discover bugs or vulnerabilities. Violators are subject to fines of up to £10 million or 4% of gross turnover, and continuous violations are subject to fines of up to £20,000 per day. The law applies not only to manufacturers, but also to retailers importing and selling high-tech products to the UK. Related information can be found here.